*Sun Feb 23 17:24:53 2025 : ERROR: (33) mschap: ERROR: Program returned code (1) and output ''*
*Sun Feb 23 17:24:53 2025 : Auth: (33) Login incorrect (mschap: Program returned code (1) and output ''): [username/<via Auth-Type = eap>] (from client AP_name port 0 via TLS tunnel)*
*Sun Feb 23 17:24:53 2025 : Auth: (34) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [username/<via Auth-Type = eap>] (from client AP_name port 1 cli 80-86-D9-4B-F8-16)*

(username and AP_name are vars for the obfuscated original values)

When I stop freeradius (via systemd) and start it manually by freeradius -f, everything works like a charm and all my clients are authenticated. Seems to be a systemd issue.

Workaround:

    systemctl edit freeradius

    ### Anything between here and the comment below will become the new contents of the file
    [Service]
    AmbientCapabilities=CAP_DAC_OVERRIDE

Needs to be set to solve the issue. radtest is always working.
Another customer affected 2025042821000113

Another end customer who ran into this error after upgrading to UCS 5.2-x. Due to this error, it is no longer possible to log on to the Radius server; all clients are therefore unusable, and this increases the criticality of this bug.

Article for the workaround: https://help.univention.com/t/problem-radius-since-upgrading-to-5-2-x-login-to-radius-fails-mschap-program-returned-code-1/24133
Another customer affected 2025051921000245
The problem is now reproducible. The logrotate UCR variable "logrotate/radius_ntlm_auth/create" is set to "644 root freerad" as of UCS 5.2-0 but the freeradius service is no longer running as "root" but as user "freerad". After the installation (and maybe even also after updating), the permissions of /var/log/univention/radius_ntlm_auth.log were correct but when logrotate did its work, the helper univention-radius-ntlm-auth started to fail.

The fix is

    # ucr set logrotate/radius_ntlm_auth/create="644 freerad freerad"
    # chown freerad:freerad /var/log/univention/radius_ntlm_auth.log
    # chmod 644 /var/log/univention/radius_ntlm_auth.log

So this is a regression in 5.2-0.

In https://help.univention.com/t/problems-with-freeradius-auth-after-upgrading-to-5-2-0/23926/19 customers have verified that the proposed fix is working.

https://help.univention.com/t/problem-radius-since-upgrading-to-5-2-x-login-to-radius-fails-mschap-program-returned-code-1/24133 has been updated accordingly.

Merged id 174413 into scope 719 of release 5.2-0-0
No Source Revision has been replaced
New Source Revision: 174413
Package: univention-radius
Version: 9.2.1
Branch: ucs_5.2-0-errata5.2-2
Scope: errata5.2-2
fix: restrict permissions of /var/log/univention/radius_ntlm_auth.log to 0660

Merged id 174431 into scope 719 of release 5.2-0-0
Old Source Revision has been replaced: 174413
New Source Revision: 174431
Package: univention-radius
Version: 9.2.2
Branch: ucs_5.2-0-errata5.2-2
Scope: errata5.2-2
<https://errata.software-univention.de/#/?erratum=5.2x127>
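
The root cause described in this thread, as an added example that is not part of the bug report or of univention-radius: a shell function that evaluates a logrotate `create MODE OWNER GROUP` value against the account the service runs as, so a rotated log that the helper can no longer write to is caught before rotation. The function name, the result strings and the assumption that freerad is only a member of group freerad are illustrative.

```bash
#!/bin/bash
# Added example: can SVC_USER append to a log that logrotate recreates
# with "create MODE OWNER GROUP"? Uses standard Unix permission classes:
# owner bits if the user owns the file, else group bits, else other bits.

# check_create MODE OWNER GROUP SVC_USER "SVC_GROUPS"
# Prints: writable | writable-world-readable | not-writable | invalid-mode
check_create() {
    local mode="$1" owner="$2" group="$3" svc_user="$4" svc_groups="$5"
    local bits class g

    # Only octal digits are valid in a mode.
    case $mode in ''|*[!0-7]*) echo invalid-mode; return 2 ;; esac
    bits=$((0$mode))                      # leading 0 forces octal

    if [ "$svc_user" = "$owner" ]; then
        class=$(( (bits >> 6) & 7 ))      # owner class
    else
        class=$(( bits & 7 ))             # other class by default
        for g in $svc_groups; do
            if [ "$g" = "$group" ]; then
                class=$(( (bits >> 3) & 7 ))   # group class
            fi
        done
    fi

    if [ $(( class & 2 )) -eq 0 ]; then
        echo not-writable                 # helper fails after rotation
    elif [ $(( bits & 4 )) -ne 0 ]; then
        echo writable-world-readable      # works, but any local user can read
    else
        echo writable
    fi
}

# Values from this thread; service user "freerad" in group "freerad" (assumed).
while read -r mode owner group note; do
    printf '%-22s -> %-24s (%s)\n' "$mode $owner $group" \
        "$(check_create "$mode" "$owner" "$group" freerad freerad)" "$note"
done <<'EOF'
644 root freerad UCS 5.2-0 value reported in this thread
644 freerad freerad fix proposed in this thread
0660 freerad freerad mode from the later commit; owner and group assumed
EOF
```

On a live system the setting can be read with `ucr get logrotate/radius_ntlm_auth/create` and the account's groups with `id -Gn freerad`.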