Thank you Alan for your detailed explanation Yes, last time's config has some change, so I changed back to the previous version configuration and set parent.control.Auth-Type in subrequest, then it finally working, thanks so much! Right, one thing for my last config, is it one bug or enhance if set Auth-Type like below manner? recv Access-Request { if (User-Name =~ /^testuser1$/) { control.Auth-Type := ::TACACS } authenticate TACACS { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs if (&reply.Authentication-Status == "Pass") { parent.control.Auth-Type := "Accept" } } } with this config, even I set parent.control.Auth-Type in subrequest, login with right/wrong password, all get Authenticated success because the subrequest return ok seems so regards, Bryan On Mon, Apr 28, 2025 at 10:16 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 28, 2025, at 9:39 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
OK, I see When the child request has finished execution, it is freed but if I can't set it in subrequest, I can't get the attribute: Authentication-Status result from reply so, here the only way I can count on is the tacacs module return code(always return ok regardless auth success/fail)
You can set "parent.control.Auth-Type" inside of the subrequest.
My concern here is that the approach I see you taking is largely to make random changes. This is pretty much guaranteed to not make progress.
Instead, of you understand how things work, it's much easier to see what needs to be done. i.e. If there is a relationship between a parent and child request, then you can reference the parent from the child. But after the child has returned, you cannot reference the child from the parent.
since you are working on the return code of tacacs module, seems this is the only way to decide the auth success or not because Reply attribute in subrequest can't be reused after the subrequest finish execution, the parent can't rely on the Auth-type setting in subrequest.
The child can do:
parent.control.Auth_Type := Accept
At this point, I think I can't answer any more questions. I've pointed you to the documentation, and how to get things done. Unless you report a bug, I'll have to ask you to go through the documentation and follow what it says.
I can't continue to summarize the documentation in emails to this list. Everything I'm saying is in the documentation.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html