Yes, I am checking the examples and find one like below: recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs } * if (ok) { control.Auth-Type := "Accept" }* } but even the auth fail in tacacs module, the tacacs module still return ok, so the module can catch the auth fail and reply module not ok right? Debug : (1.0) tacacs - Packet { Debug : (1.0) tacacs - Version-Major = Plus Debug : (1.0) tacacs - Version-Minor = 1 Debug : (1.0) tacacs - Packet-Type = Authentication Debug : (1.0) tacacs - Sequence-Number = 2 Debug : (1.0) tacacs - Flags = None Debug : (1.0) tacacs - Session-Id = 2035888093 Debug : (1.0) tacacs - Length = 6 Debug : (1.0) tacacs - } Debug : (1.0) tacacs - Packet-Body-Type = Reply Debug : (1.0) tacacs - Authentication-Status = Fail Debug : (1.0) tacacs - Authentication-Flags = 0 Debug : (1.0) tacacs - Server-Message = "" Debug : (1.0) tacacs - Data = 0x Debug : (1.0) tacacs - tacacs - Resuming execution Debug : (1.0) *tacacs (ok)* Debug : (1) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (1) } # subrequest @tacacs:*:Authentication-Start (ok)* Debug : (1) if (ok) { Debug : (1) | ok Debug : (1) | %expr.rcode() Debug : (1) | --> true Debug : (1) control.Auth-Type := Accept Debug : (1) } # if (ok) (noop) Debug : (1) } # recv Access-Request (ok) Debug : (1) default (ok) Debug : (1) } # default (ok) Debug : (1) Done request On Sat, Apr 26, 2025 at 11:25 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 26, 2025, at 11:23 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
If I hardcode at the end of the Access-Request, it could pass, but how Can I add condition to check if tacacs return ok or not and then do the Auth-Type?
The "default" virtual server has examples of setting Auth-Type.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html