Score:0

Freeradius failed to start with dhcp port 67

I'm trying to use freeradius with dhcp on debian 12. I'm relaying DHCP packets from the router.

  1. FR set up with DHCP listen port 67: freeradius -X works just fine, as expected. But systemd cannot start the service, and unfortunately I cannot find any related log to look into. This is all I can see:
root@rpi:~# journalctl -xeu freeradius.service
Jul 26 13:09:41 rpi freeradius[544893]: rlm_sql (sql): Adding client ubiqap (UbiQ_AP) to global clients list
Jul 26 13:09:41 rpi freeradius[544893]: rlm_sql (192.168.220.55): Client "UbiQ_AP" (sql) added
Jul 26 13:09:41 rpi freeradius[544893]: rlm_sql (sql): Released connection (0)
Jul 26 13:09:41 rpi freeradius[544893]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Jul 26 13:09:41 rpi freeradius[544893]: rlm_mschap (mschap): using internal authentication
Jul 26 13:09:41 rpi freeradius[544893]: tls: Using cached TLS configuration from previous invocation
Jul 26 13:09:41 rpi freeradius[544893]: tls: Using cached TLS configuration from previous invocation
Jul 26 13:09:41 rpi freeradius[544893]: Compiling dhcp DHCP-Discover for attr DHCP-Message-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling dhcp DHCP-Request for attr DHCP-Message-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling dhcp DHCP-Decline for attr DHCP-Message-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling dhcp DHCP-Inform for attr DHCP-Message-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling dhcp DHCP-Release for attr DHCP-Message-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling dhcp DHCP-Lease-Query for attr DHCP-Message-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Auth-Type PAP for attr Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Auth-Type CHAP for attr Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Auth-Type MS-CHAP for attr Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Ignoring "ldap" (see raddb/mods-available/README.rst)
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Auth-Type PAP for attr Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Auth-Type CHAP for attr Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Auth-Type MS-CHAP for attr Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Autz-Type New-TLS-Connection for attr Autz-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
Jul 26 13:09:41 rpi freeradius[544893]: radiusd: #### Skipping IP addresses and Ports ####
Jul 26 13:09:41 rpi freeradius[544893]: Configuration appears to be OK
Jul 26 13:09:42 rpi systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit freeradius.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jul 26 13:09:42 rpi systemd[1]: freeradius.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit freeradius.service has entered the 'failed' state with result 'exit-code'.
Jul 26 13:09:42 rpi systemd[1]: Failed to start freeradius.service - FreeRADIUS multi-protocol policy server.
░░ Subject: A start job for unit freeradius.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit freeradius.service has finished with a failure.
░░
░░ The job identifier is 4265304 and the job result is failed.
  2. I set up the DHCP listen port as non-standard 6700: systemctl can start FR with no problem.

Hopefully it's some user-permission issue, but I cannot find the right path to proceed. I tried root@rpi:~# setcap cap_net_admin=ei /usr/sbin/freeradius but that didn't make any difference.

Score:0

Well, after a few hours of digging, I found it is a capability issue. I ran # setcap "CAP_NET_BIND_SERVICE=ep" /usr/sbin/freeradius and set AmbientCapabilities=CAP_NET_RAW in /usr/lib/systemd/system/freeradius.service. This makes everything work as expected.
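
To confirm which capabilities a service process actually holds, you can decode the CapEff mask in /proc/PID/status and check it for the two capabilities named in the answer above. This is an added example, not code from the thread; the function names and the sample mask are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check which capabilities a process holds.

# Bit numbers as defined in linux/capability.h.
cap_bit() {
  case "$1" in
    CAP_NET_BIND_SERVICE) echo 10 ;;  # bind to ports below 1024 (DHCP uses 67)
    CAP_NET_BROADCAST)    echo 11 ;;
    CAP_NET_ADMIN)        echo 12 ;;  # the capability tried in the question
    CAP_NET_RAW)          echo 13 ;;  # raw/packet sockets
    *) return 1 ;;
  esac
}

# has_cap HEXMASK NAME: succeeds if NAME's bit is set in the mask.
has_cap() {
  _bit=$(cap_bit "$2") || return 2
  [ $(( (0x$1 >> $_bit) & 1 )) -eq 1 ]
}

# capeff_from_status: print the CapEff mask from /proc/PID/status text on stdin.
capeff_from_status() {
  awk '$1 == "CapEff:" { print $2 }'
}

# missing_caps HEXMASK NAME...: print the names whose bits are not set.
missing_caps() {
  _mask=$1; shift
  _out=""
  for _c in "$@"; do
    has_cap "$_mask" "$_c" || _out="$_out${_out:+ }$_c"
  done
  printf '%s\n' "$_out"
}

# Constructed sample: status excerpt of a process holding only CAP_NET_ADMIN.
sample_status() {
  printf 'Name:\tfreeradius\nCapPrm:\t0000000000001000\nCapEff:\t0000000000001000\n'
}

mask=$(sample_status | capeff_from_status)
echo "missing: $(missing_caps "$mask" CAP_NET_BIND_SERVICE CAP_NET_RAW)"
# On a live host: capeff_from_status < "/proc/$(pidof freeradius)/status"
```

An empty result from missing_caps means the process holds every capability you listed.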
