I changed some virtual server side config and tried to logon with testuser1/testpass123, the error from tacacs is an encoding error. the config change for virtual server: # # Does nothing other than send packets. It doesn't listen to any input sockets. # server default { namespace = radius listen { type = Access-Request type = Status-Server transport = udp udp { ipaddr = 169.254.195.0 port = 1812 } } recv Access-Request { tacacs } } # /opt/LU3P/sbin/radiusd -X -d /etc/opt/LU3Pfreeradius-server Info : Copyright 1999-2024 The FreeRADIUS server project and contributors Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Info : PARTICULAR PURPOSE Info : You may redistribute copies of FreeRADIUS under the terms of the Info : GNU General Public License Info : For more information about these matters, see the file named COPYRIGHT Info : Starting - reading configuration files ... including configuration file /etc/opt/LU3Pfreeradius-server/radiusd.conf including configuration file /etc/opt/LU3Pfreeradius-server/clients.conf Including files in directory "/etc/opt/LU3Pfreeradius-server/modules/" including configuration file /etc/opt/LU3Pfreeradius-server/modules/tacacs including configuration file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config Loaded module process_radius Parsing initial logging configuration. main { prefix = /opt/LU3P log { destination = files syslog_facility = daemon local_state_dir = "/opt/LU3P/var" logdir = "/opt/LU3P/var/log" file = /var/opt/log/freeradius-server/radius.log suppress_secrets = no } } Parsing security rules to bootstrap UID / GID / chroot / etc. main { log { } security { allow_core_dumps = no allow_vulnerable_openssl = "no" } name = radiusd local_state_dir = "/opt/LU3P/var" run_dir = /var/opt/run } Parsing main configuration main { server default { namespace = radius radius { Access-Request { session { timeout = 15 max = 4096 } } } Loaded module proto_radius listen { type = Access-Request type = Status-Server transport = udp Loaded module proto_radius_udp udp { ipaddr = 169.254.195.0 port = 1812 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } log { ignored_clients = yes } require_message_authenticator = no limit_proxy_state = auto } } log { } security { } sbin_dir = "/opt/LU3P/sbin" logdir = /var/opt/log/freeradius-server radacctdir = /var/opt/log/freeradius-server/radacct reverse_lookups = no hostname_lookups = no max_request_time = 30 pidfile = /var/opt/run/radiusd.pid debug_level = 0 max_requests = 1024 resources { } thread pool { num_networks = 1 Dynamically determined thread.workers = 2 num_workers = 2 } migrate { } } Info : Switching to configured log settings Debug : radiusd: #### Loading Clients #### Debug : client 127.0.0.1 { Debug : ipaddr = 127.0.0.1 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Debug : client 169.254.64.0/20 { Debug : ipaddr = 169.254.64.0/20 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Debug : client 169.254.128.0/17 { Debug : ipaddr = 169.254.128.0/17 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Info : Debugger not attached Info : Configuration version: 2B68C42F-4537-400E-A66C-0DB8A9263333 Info : systemd watchdog is disabled Info : pre-suid-down capabilities: =ep Warn : trigger { ... } subsection not found, triggers will be disabled Debug : #### Instantiating libraries #### Debug : #### Bootstrapping process modules #### Debug : Bootstrapping process_radius "default" Debug : #### Bootstrapping protocol modules #### Debug : #### Instantiating libraries #### Debug : #### Bootstrapping static modules #### Debug : modules { Debug : static { Debug : Loaded module rlm_tacacs Debug : tacacs { Debug : transport = tcp Debug : Loaded module rlm_tacacs_tcp Debug : tcp { Debug : ipaddr = 10.76.89.50 Debug : port = 49 Debug : secret = testkey123 Debug : max_packet_size = 4096 Debug : max_send_coalesce = 1024 Debug : } Debug : type = Authentication-Start Debug : type = Authentication-Continue Debug : type = Authorization-Request Debug : type = Accounting-Request Debug : max_attributes = 255 Debug : response_window = 20 Debug : zombie_period = 40 Debug : pool { Debug : start = 1 Debug : min = 1 Debug : max = 1 Debug : connecting = 2 Debug : uses = 0 Debug : lifetime = 0 Debug : idle_timeout = 0 Debug : open_delay = 0.2 Debug : close_delay = 10.0 Debug : manage_interval = 0.2 Debug : max_backlog = 1000 Debug : connection { Debug : connect_timeout = 3.0 Debug : reconnect_delay = 1 Debug : } Debug : request { Debug : per_connection_max = 2000 Debug : per_connection_target = 1000 Debug : free_delay = 10.0 Debug : } Debug : } Debug : retry { Debug : initial_rtx_time = 2 Debug : max_rtx_time = 16 Debug : max_rtx_count = 5 Debug : max_rtx_duration = 30 Debug : } Debug : } Debug : } # static Debug : #### Bootstrapping rlm modules #### Debug : Including dictionary file "/etc/opt/LU3Pfreeradius-server/dictionary" Debug : #### Instantiating listeners #### Debug : Compiling policies in server default { ... } Debug : Compiling policies in - recv Access-Request {...} Warn : radius { ... } section is unused Debug : #### Instantiating process modules #### Debug : Instantiating process_radius "default" Debug : #### Instantiating protocol modules #### Debug : Instantiating proto_radius "default.radius.udp" Debug : Instantiating proto_radius_udp "default.radius.udp.udp" Debug : #### Instantiating rlm modules #### Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" Debug : tacacs - [0] Starting initial connection Debug : tacacs - [1] - Signalled to start from HALTED state Debug : tacacs - [1] - Connection changed state HALTED -> INIT Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING Debug : Scheduler created in single-threaded mode Debug : #### Opening listener interfaces #### Debug : Listening on radius_udp server 169.254.195.0 port 1812 bound to virtual server default Info : post-suid-down capabilities: =ep Info : Ready to process requests Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED Debug : tacacs - [1] - Connection established Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE Debug : proto_radius_udp - Received Access-Request ID 71 length 98 radius_udp server 169.254.195.0 port 1812 ERROR : (0) ERROR: Packet from 169.254.128.0/17 (sig03-oam-b) did not contain Message-Authenticator: ERROR : (0) ERROR: - Upgrade the client, as your network is vulnerable to the BlastRADIUS attack. ERROR : (0) ERROR: - Then set 'require_message_authenticator = yes' in the client definition Info : (0) First packet from 169.254.128.0/17 (sig03-oam-b) did not contain Proxy-State. Setting "limit_proxy_state = yes" Debug : Worker - Resetting cleanup timer to +30 Debug : (0) default { Debug : (0) Received Access-Request ID 71 from 169.254.131.1:40407 to 169.254.195.0:1812 via int0 Debug : (0) Module-Failure-Message = "- Then set 'require_message_authenticator = yes' in the client definition" Debug : (0) Module-Failure-Message = "- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack." Debug : (0) Module-Failure-Message = "Packet from 169.254.128.0/17 (sig03-oam-b) did not contain Message-Authenticator:" Debug : (0) * User-Name = "testuser1"* Debug : (0) NAS-Identifier = "LCP_CLI" Debug : (0) Service-Type = Authenticate-Only Debug : (0) Calling-Station-Id = "10.242.131.105" Debug : (0) NAS-IP-Address = 169.254.65.1 Debug : (0) NAS-Port = 1345666 Debug : (0) NAS-Port-Type = Virtual Debug : (0) User-Password =* "testpass123"* Debug : (0) Net { Debug : (0) Src { Debug : (0) IP = 169.254.131.1 Debug : (0) Port = 40407 Debug : (0) } Debug : (0) Dst { Debug : (0) IP = 169.254.195.0 Debug : (0) Port = 1812 Debug : (0) } Debug : (0) Timestamp = "2025-04-24T09:08:10Z" Debug : (0) } Debug : (0) Packet-Type = Access-Request Debug : (0) Running 'recv Access-Request' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config Debug : (0) recv Access-Request { Debug : (0) tacacs - tacacs - [1] Trunk connection assigned request 1 Debug : (0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 ERROR : (0) tacacs - ERROR: Failed encoding packet: fr_tacacs_encode*: Failed encoding Packet using fr_struct_to_network()* Debug : (0) tacacs - tacacs - Resuming execution Debug : (0) tacacs (fail) Debug : (0) } # recv Access-Request (fail) Debug : (0) The 'recv Access-Request' section returned fail - rejecting the request Debug : (0) default (ok) Debug : (0) } # default (ok) Debug : (0) Done request Debug : (0) Sending Access-Reject ID 71 from 0.0.0.0/0:1812 to 169.254.131.1:40407 length 38 via socket radius_udp server 169.254.195.0 port 1812 Debug : (0) Packet-Type = Access-Reject Debug : (0) Finished request Debug : proto_radius_udp - cleaning up request in 5.000000s Debug : TIMER - proto_radius_udp - cleanup delay On Thu, Apr 24, 2025 at 2:34 PM bryan xiang <bryanxiang82@gmail.com> wrote:
I just see your patch fix, I use your patch load and rebuild again This time no crash, and I can see log like: Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" Debug : tacacs - [0] Starting initial connection Debug : tacacs - [1] - Signalled to start from HALTED state Debug : tacacs - [1] - Connection changed state HALTED -> INIT Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING Debug : Scheduler created in single-threaded mode Debug : #### Opening listener interfaces #### Info : post-suid-down capabilities: =ep Info : Ready to process requests Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED Debug : tacacs - [1] - Connection established Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE
but I didn't see FreeRadius server listen port 1812 before I use tacacs module, my radiusd could print logs as below: Listening on auth address 10.76.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock but with talacs module, no such log, so my login to shell failed due to request not send to radiusd port 1812
my request flow is : login to Shell to one server which running FreeRadius with rlm_tacacs module, the username/password will send to FreeRadius via port 1812, and radiusd will send request to remote Tacacs server which configed in tacacs module, my example is 10.76.x.x with port 49 from log seems virtual server could connect the remote tacacs serve with port 49, but can't receive auth request from port 1812, what is the problem here? thanks, Bryan
On Thu, Apr 24, 2025 at 9:46 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the quick response, glad to know you can reproduce it in local When the master branch will include your code? after you fix it, you could see below log in your local? Listening on auth address xx.xx.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock Ready to process requests
thanks, Bryan
On Wed, Apr 23, 2025 at 11:47 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius
I don't think that module is included in the testing framework. It hasn't really seen any code changes in a while.
When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration ... Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
/opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
/opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
/opt/LU3P/sbin/radiusd[0x4056d1]
/opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
/opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set
Oops. :( When I try it locally, I see it crash, too.
I've pushed a patch which makes it not crash. But I haven't tested the actual TACACS+ functionality.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html