Start FreeRadius 4.0 with rlm_tacacs failed due to segV error
Hi Experts: I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius I would like to use FreeRadius forward auth request to remote TACACS server like Cicso ISE using the rlm_tacacs module why I use FreeRadius tacacs module is currently all my authenticate request will go to FreeRadius 1812 port and we have a new request that the local server should send authenticate request to remote TACACS server, so I would like to use rlm_tacacs module to do this work I downloaded the zip package from github and build in local, the src/modules/stable file only contain the rlm_tacacs module, build has no problem and I replaced the radiusd and all dependent so files to server side. When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration The config file for modules like: # cat modules/tacacs #modules { tacacs { transport = tcp type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request tcp { ipaddr = 10.76.xx.xx port = 49 secret = testkey123 } pool { start = 1 min = 1 max = 1 } #} } and the virtual server config like below, not sure this config will forward the auth request to tacacs module as above IP and port: # # Does nothing other than send packets. It doesn't listen on any input sockets. # server default { namespace = tacacs listen { type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request } recv Authentication-Start { tacacs } recv Authentication-Continue { tacacs } recv Authorization-Request { tacacs } recv Accounting-Request { tacacs } } below is the output for radiusd with -X option Info : Copyright 1999-2024 The FreeRADIUS server project and contributors Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Info : PARTICULAR PURPOSE Info : You may redistribute copies of FreeRADIUS under the terms of the Info : GNU General Public License Info : For more information about these matters, see the file named COPYRIGHT Info : Starting - reading configuration files ... Debug : including configuration file /etc/opt/LU3Pfreeradius-server/radiusd.conf Debug : including configuration file /etc/opt/LU3Pfreeradius-server/clients.conf Debug : Including files in directory "/etc/opt/LU3Pfreeradius-server/modules/" Debug : including configuration file /etc/opt/LU3Pfreeradius-server/modules/tacacs Debug : including configuration file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config Debug : Loaded module process_tacacs Debug : Parsing initial logging configuration. Debug : main { Debug : prefix = /opt/LU3P Debug : log { Debug : destination = files Debug : syslog_facility = daemon Debug : local_state_dir = "/opt/LU3P/var" Debug : logdir = "/opt/LU3P/var/log" Debug : file = /var/opt/log/freeradius-server/radius.log Debug : suppress_secrets = no Debug : } Debug : } Debug : Parsing security rules to bootstrap UID / GID / chroot / etc. Debug : main { Debug : log { Debug : } Debug : security { Debug : allow_core_dumps = no Debug : allow_vulnerable_openssl = "no" Debug : } Debug : name = radiusd Debug : local_state_dir = "/opt/LU3P/var" Debug : run_dir = /var/opt/run Debug : } Debug : Parsing main configuration Debug : main { Debug : server default { Debug : namespace = tacacs Debug : tacacs { Debug : Authentication { Debug : session { Debug : timeout = 15 Debug : max = 4096 Debug : max_rounds = 4 Debug : } Debug : } Debug : } Debug : Loaded module proto_tacacs Debug : listen { Debug : type = Authentication-Start Debug : type = Authentication-Continue Debug : type = Authorization-Request Debug : type = Accounting-Request Debug : limit { Debug : idle_timeout = 30.0 Debug : max_connections = 1024 Debug : } Debug : priority { Debug : Authentication-Start = high Debug : Authentication-Continue = high Debug : Authorization-Request = normal Debug : Accounting-Request = low Debug : } Debug : } Debug : } Debug : log { Debug : } Debug : security { Debug : } Debug : sbin_dir = "/opt/LU3P/sbin" Debug : logdir = /var/opt/log/freeradius-server Debug : radacctdir = /var/opt/log/freeradius-server/radacct Debug : reverse_lookups = no Debug : hostname_lookups = no Debug : max_request_time = 30 Debug : pidfile = /var/opt/run/radiusd.pid Debug : debug_level = 0 Debug : max_requests = 1024 Debug : resources { Debug : } Debug : thread pool { Debug : num_networks = 1 Info : Dynamically determined thread.workers = 2 Debug : num_workers = 2 Debug : } Debug : migrate { Debug : } Debug : } Info : Switching to configured log settings Debug : radiusd: #### Loading Clients #### Debug : client 127.0.0.1 { Debug : ipaddr = 127.0.0.1 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Debug : client 169.254.64.0/20 { Debug : ipaddr = 169.254.64.0/20 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Debug : client 169.254.128.0/17 { Debug : ipaddr = 169.254.128.0/17 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Info : Debugger not attached Info : Configuration version: 1F5FA0A8-6BD9-4091-B482-B90249BB93BD Info : systemd watchdog is disabled Info : pre-suid-down capabilities: =ep *Error : _tmpl_global_init: Autoloader attribute "Packet-Type" not found in "RADIUS" dictionary* Warn : trigger { ... } subsection not found, triggers will be disabled Debug : #### Instantiating libraries #### Debug : #### Bootstrapping process modules #### Debug : Bootstrapping process_tacacs "default" Debug : #### Bootstrapping protocol modules #### Debug : #### Instantiating libraries #### Debug : #### Bootstrapping static modules #### Debug : modules { Debug : static { Debug : Loaded module rlm_tacacs Debug : tacacs { Debug : transport = tcp Debug : Loaded module rlm_tacacs_tcp Debug : tcp { Debug : ipaddr = 10.76.xx.xx Debug : port = 49 Debug : secret = testkey123 Debug : max_packet_size = 4096 Debug : max_send_coalesce = 1024 Debug : } Debug : type = Authentication-Start Debug : type = Authentication-Continue Debug : type = Authorization-Request Debug : type = Accounting-Request Debug : max_attributes = 255 Debug : response_window = 20 Debug : zombie_period = 40 Debug : pool { Debug : start = 1 Debug : min = 1 Debug : max = 1 Debug : connecting = 2 Debug : uses = 0 Debug : lifetime = 0 Debug : idle_timeout = 0 Debug : open_delay = 0.2 Debug : close_delay = 10.0 Debug : manage_interval = 0.2 Debug : max_backlog = 1000 Debug : connection { Debug : connect_timeout = 3.0 Debug : reconnect_delay = 1 Debug : } Debug : request { Debug : per_connection_max = 2000 Debug : per_connection_target = 1000 Debug : free_delay = 10.0 Debug : } Debug : } Debug : retry { Debug : initial_rtx_time = 2 Debug : max_rtx_time = 16 Debug : max_rtx_count = 5 Debug : max_rtx_duration = 30 Debug : } Debug : } Debug : } # static Debug : #### Bootstrapping rlm modules #### Debug : Including dictionary file "/etc/opt/LU3Pfreeradius-server/dictionary" Debug : #### Instantiating listeners #### Debug : Compiling policies in server default { ... } Debug : Compiling policies in - recv Authentication-Start {...} Debug : Compiling policies in - recv Authentication-Continue {...} Debug : Compiling policies in - recv Authorization-Request {...} Debug : Compiling policies in - recv Accounting-Request {...} Warn :* tacacs { ... } section is unused* Debug : #### Instantiating process modules #### Debug : Instantiating process_tacacs "default" Debug : #### Instantiating protocol modules #### Debug : Instantiating proto_tacacs "default.tacacs.generic" Debug : #### Instantiating rlm modules #### Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f] /opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a] /opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045] /opt/LU3P/sbin/radiusd[0x4056d1] /opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16] /opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set regards, Bryan
On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius
I don't think that module is included in the testing framework. It hasn't really seen any code changes in a while.
When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration ... Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f] /opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a] /opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045] /opt/LU3P/sbin/radiusd[0x4056d1] /opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16] /opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set
Oops. :( When I try it locally, I see it crash, too. I've pushed a patch which makes it not crash. But I haven't tested the actual TACACS+ functionality. Alan DeKok.
Thank you Alan for the quick response, glad to know you can reproduce it in local When the master branch will include your code? after you fix it, you could see below log in your local? Listening on auth address xx.xx.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock Ready to process requests thanks, Bryan On Wed, Apr 23, 2025 at 11:47 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius
I don't think that module is included in the testing framework. It hasn't really seen any code changes in a while.
When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration ... Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
/opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
/opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
/opt/LU3P/sbin/radiusd[0x4056d1]
/opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
/opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set
Oops. :( When I try it locally, I see it crash, too.
I've pushed a patch which makes it not crash. But I haven't tested the actual TACACS+ functionality.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I just see your patch fix, I use your patch load and rebuild again This time no crash, and I can see log like: Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" Debug : tacacs - [0] Starting initial connection Debug : tacacs - [1] - Signalled to start from HALTED state Debug : tacacs - [1] - Connection changed state HALTED -> INIT Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING Debug : Scheduler created in single-threaded mode Debug : #### Opening listener interfaces #### Info : post-suid-down capabilities: =ep Info : Ready to process requests Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED Debug : tacacs - [1] - Connection established Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE but I didn't see FreeRadius server listen port 1812 before I use tacacs module, my radiusd could print logs as below: Listening on auth address 10.76.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock but with talacs module, no such log, so my login to shell failed due to request not send to radiusd port 1812 my request flow is : login to Shell to one server which running FreeRadius with rlm_tacacs module, the username/password will send to FreeRadius via port 1812, and radiusd will send request to remote Tacacs server which configed in tacacs module, my example is 10.76.x.x with port 49 from log seems virtual server could connect the remote tacacs serve with port 49, but can't receive auth request from port 1812, what is the problem here? thanks, Bryan On Thu, Apr 24, 2025 at 9:46 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the quick response, glad to know you can reproduce it in local When the master branch will include your code? after you fix it, you could see below log in your local? Listening on auth address xx.xx.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock Ready to process requests
thanks, Bryan
On Wed, Apr 23, 2025 at 11:47 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius
I don't think that module is included in the testing framework. It hasn't really seen any code changes in a while.
When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration ... Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
/opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
/opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
/opt/LU3P/sbin/radiusd[0x4056d1]
/opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
/opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set
Oops. :( When I try it locally, I see it crash, too.
I've pushed a patch which makes it not crash. But I haven't tested the actual TACACS+ functionality.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Apr 24, 2025 at 2:35 AM bryan xiang <bryanxiang82@gmail.com> wrote:
I just see your patch fix, I use your patch load and rebuild again This time no crash, and I can see log like: Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" Debug : tacacs - [0] Starting initial connection Debug : tacacs - [1] - Signalled to start from HALTED state Debug : tacacs - [1] - Connection changed state HALTED -> INIT Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING Debug : Scheduler created in single-threaded mode Debug : #### Opening listener interfaces #### Info : post-suid-down capabilities: =ep Info : Ready to process requests Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED Debug : tacacs - [1] - Connection established Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE
but I didn't see FreeRadius server listen port 1812 before I use tacacs module, my radiusd could print logs as below: Listening on auth address 10.76.xx.xx port 1812
You do not have to xx.xx a 10.0.0.0 network address. The 10 network is a private non-routable network and no one will be able to access it anyway. Listening on auth address 169.254.195.0 port 1812
Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock but with talacs module, no such log, so my login to shell failed due to request not send to radiusd port 1812
my request flow is : login to Shell to one server which running FreeRadius with rlm_tacacs module, the username/password will send to FreeRadius via port 1812, and radiusd will send request to remote Tacacs server which configed in tacacs module, my example is 10.76.x.x with port 49 from log seems virtual server could connect the remote tacacs serve with port 49, but can't receive auth request from port 1812, what is the problem here? thanks, Bryan
On Thu, Apr 24, 2025 at 9:46 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the quick response, glad to know you can reproduce it in local When the master branch will include your code? after you fix it, you could see below log in your local? Listening on auth address xx.xx.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock Ready to process requests
thanks, Bryan
On Wed, Apr 23, 2025 at 11:47 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius
I don't think that module is included in the testing framework. It hasn't really seen any code changes in a while.
When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration ... Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
/opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
/opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
/opt/LU3P/sbin/radiusd[0x4056d1]
/opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
/opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set
Oops. :( When I try it locally, I see it crash, too.
I've pushed a patch which makes it not crash. But I haven't tested the actual TACACS+ functionality.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/ ⠈⠳⣄⠀⠀
I changed some virtual server side config and tried to logon with testuser1/testpass123, the error from tacacs is an encoding error. the config change for virtual server: # # Does nothing other than send packets. It doesn't listen to any input sockets. # server default { namespace = radius listen { type = Access-Request type = Status-Server transport = udp udp { ipaddr = 169.254.195.0 port = 1812 } } recv Access-Request { tacacs } } # /opt/LU3P/sbin/radiusd -X -d /etc/opt/LU3Pfreeradius-server Info : Copyright 1999-2024 The FreeRADIUS server project and contributors Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Info : PARTICULAR PURPOSE Info : You may redistribute copies of FreeRADIUS under the terms of the Info : GNU General Public License Info : For more information about these matters, see the file named COPYRIGHT Info : Starting - reading configuration files ... including configuration file /etc/opt/LU3Pfreeradius-server/radiusd.conf including configuration file /etc/opt/LU3Pfreeradius-server/clients.conf Including files in directory "/etc/opt/LU3Pfreeradius-server/modules/" including configuration file /etc/opt/LU3Pfreeradius-server/modules/tacacs including configuration file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config Loaded module process_radius Parsing initial logging configuration. main { prefix = /opt/LU3P log { destination = files syslog_facility = daemon local_state_dir = "/opt/LU3P/var" logdir = "/opt/LU3P/var/log" file = /var/opt/log/freeradius-server/radius.log suppress_secrets = no } } Parsing security rules to bootstrap UID / GID / chroot / etc. main { log { } security { allow_core_dumps = no allow_vulnerable_openssl = "no" } name = radiusd local_state_dir = "/opt/LU3P/var" run_dir = /var/opt/run } Parsing main configuration main { server default { namespace = radius radius { Access-Request { session { timeout = 15 max = 4096 } } } Loaded module proto_radius listen { type = Access-Request type = Status-Server transport = udp Loaded module proto_radius_udp udp { ipaddr = 169.254.195.0 port = 1812 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } log { ignored_clients = yes } require_message_authenticator = no limit_proxy_state = auto } } log { } security { } sbin_dir = "/opt/LU3P/sbin" logdir = /var/opt/log/freeradius-server radacctdir = /var/opt/log/freeradius-server/radacct reverse_lookups = no hostname_lookups = no max_request_time = 30 pidfile = /var/opt/run/radiusd.pid debug_level = 0 max_requests = 1024 resources { } thread pool { num_networks = 1 Dynamically determined thread.workers = 2 num_workers = 2 } migrate { } } Info : Switching to configured log settings Debug : radiusd: #### Loading Clients #### Debug : client 127.0.0.1 { Debug : ipaddr = 127.0.0.1 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Debug : client 169.254.64.0/20 { Debug : ipaddr = 169.254.64.0/20 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Debug : client 169.254.128.0/17 { Debug : ipaddr = 169.254.128.0/17 Debug : secret = <<< secret >>> Debug : shortname = sig03-oam-b Debug : require_message_authenticator = no Debug : limit_proxy_state = auto Debug : limit { Debug : max_connections = 16 Debug : lifetime = 0 Debug : idle_timeout = 30s Debug : } Debug : } Info : Debugger not attached Info : Configuration version: 2B68C42F-4537-400E-A66C-0DB8A9263333 Info : systemd watchdog is disabled Info : pre-suid-down capabilities: =ep Warn : trigger { ... } subsection not found, triggers will be disabled Debug : #### Instantiating libraries #### Debug : #### Bootstrapping process modules #### Debug : Bootstrapping process_radius "default" Debug : #### Bootstrapping protocol modules #### Debug : #### Instantiating libraries #### Debug : #### Bootstrapping static modules #### Debug : modules { Debug : static { Debug : Loaded module rlm_tacacs Debug : tacacs { Debug : transport = tcp Debug : Loaded module rlm_tacacs_tcp Debug : tcp { Debug : ipaddr = 10.76.89.50 Debug : port = 49 Debug : secret = testkey123 Debug : max_packet_size = 4096 Debug : max_send_coalesce = 1024 Debug : } Debug : type = Authentication-Start Debug : type = Authentication-Continue Debug : type = Authorization-Request Debug : type = Accounting-Request Debug : max_attributes = 255 Debug : response_window = 20 Debug : zombie_period = 40 Debug : pool { Debug : start = 1 Debug : min = 1 Debug : max = 1 Debug : connecting = 2 Debug : uses = 0 Debug : lifetime = 0 Debug : idle_timeout = 0 Debug : open_delay = 0.2 Debug : close_delay = 10.0 Debug : manage_interval = 0.2 Debug : max_backlog = 1000 Debug : connection { Debug : connect_timeout = 3.0 Debug : reconnect_delay = 1 Debug : } Debug : request { Debug : per_connection_max = 2000 Debug : per_connection_target = 1000 Debug : free_delay = 10.0 Debug : } Debug : } Debug : retry { Debug : initial_rtx_time = 2 Debug : max_rtx_time = 16 Debug : max_rtx_count = 5 Debug : max_rtx_duration = 30 Debug : } Debug : } Debug : } # static Debug : #### Bootstrapping rlm modules #### Debug : Including dictionary file "/etc/opt/LU3Pfreeradius-server/dictionary" Debug : #### Instantiating listeners #### Debug : Compiling policies in server default { ... } Debug : Compiling policies in - recv Access-Request {...} Warn : radius { ... } section is unused Debug : #### Instantiating process modules #### Debug : Instantiating process_radius "default" Debug : #### Instantiating protocol modules #### Debug : Instantiating proto_radius "default.radius.udp" Debug : Instantiating proto_radius_udp "default.radius.udp.udp" Debug : #### Instantiating rlm modules #### Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" Debug : tacacs - [0] Starting initial connection Debug : tacacs - [1] - Signalled to start from HALTED state Debug : tacacs - [1] - Connection changed state HALTED -> INIT Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING Debug : Scheduler created in single-threaded mode Debug : #### Opening listener interfaces #### Debug : Listening on radius_udp server 169.254.195.0 port 1812 bound to virtual server default Info : post-suid-down capabilities: =ep Info : Ready to process requests Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED Debug : tacacs - [1] - Connection established Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE Debug : proto_radius_udp - Received Access-Request ID 71 length 98 radius_udp server 169.254.195.0 port 1812 ERROR : (0) ERROR: Packet from 169.254.128.0/17 (sig03-oam-b) did not contain Message-Authenticator: ERROR : (0) ERROR: - Upgrade the client, as your network is vulnerable to the BlastRADIUS attack. ERROR : (0) ERROR: - Then set 'require_message_authenticator = yes' in the client definition Info : (0) First packet from 169.254.128.0/17 (sig03-oam-b) did not contain Proxy-State. Setting "limit_proxy_state = yes" Debug : Worker - Resetting cleanup timer to +30 Debug : (0) default { Debug : (0) Received Access-Request ID 71 from 169.254.131.1:40407 to 169.254.195.0:1812 via int0 Debug : (0) Module-Failure-Message = "- Then set 'require_message_authenticator = yes' in the client definition" Debug : (0) Module-Failure-Message = "- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack." Debug : (0) Module-Failure-Message = "Packet from 169.254.128.0/17 (sig03-oam-b) did not contain Message-Authenticator:" Debug : (0) * User-Name = "testuser1"* Debug : (0) NAS-Identifier = "LCP_CLI" Debug : (0) Service-Type = Authenticate-Only Debug : (0) Calling-Station-Id = "10.242.131.105" Debug : (0) NAS-IP-Address = 169.254.65.1 Debug : (0) NAS-Port = 1345666 Debug : (0) NAS-Port-Type = Virtual Debug : (0) User-Password =* "testpass123"* Debug : (0) Net { Debug : (0) Src { Debug : (0) IP = 169.254.131.1 Debug : (0) Port = 40407 Debug : (0) } Debug : (0) Dst { Debug : (0) IP = 169.254.195.0 Debug : (0) Port = 1812 Debug : (0) } Debug : (0) Timestamp = "2025-04-24T09:08:10Z" Debug : (0) } Debug : (0) Packet-Type = Access-Request Debug : (0) Running 'recv Access-Request' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config Debug : (0) recv Access-Request { Debug : (0) tacacs - tacacs - [1] Trunk connection assigned request 1 Debug : (0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 ERROR : (0) tacacs - ERROR: Failed encoding packet: fr_tacacs_encode*: Failed encoding Packet using fr_struct_to_network()* Debug : (0) tacacs - tacacs - Resuming execution Debug : (0) tacacs (fail) Debug : (0) } # recv Access-Request (fail) Debug : (0) The 'recv Access-Request' section returned fail - rejecting the request Debug : (0) default (ok) Debug : (0) } # default (ok) Debug : (0) Done request Debug : (0) Sending Access-Reject ID 71 from 0.0.0.0/0:1812 to 169.254.131.1:40407 length 38 via socket radius_udp server 169.254.195.0 port 1812 Debug : (0) Packet-Type = Access-Reject Debug : (0) Finished request Debug : proto_radius_udp - cleaning up request in 5.000000s Debug : TIMER - proto_radius_udp - cleanup delay On Thu, Apr 24, 2025 at 2:34 PM bryan xiang <bryanxiang82@gmail.com> wrote:
I just see your patch fix, I use your patch load and rebuild again This time no crash, and I can see log like: Debug : Instantiating rlm_tacacs "tacacs" Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255" Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127" Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10" Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" Debug : tacacs - [0] Starting initial connection Debug : tacacs - [1] - Signalled to start from HALTED state Debug : tacacs - [1] - Connection changed state HALTED -> INIT Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING Debug : Scheduler created in single-threaded mode Debug : #### Opening listener interfaces #### Info : post-suid-down capabilities: =ep Info : Ready to process requests Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED Debug : tacacs - [1] - Connection established Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE
but I didn't see FreeRadius server listen port 1812 before I use tacacs module, my radiusd could print logs as below: Listening on auth address 10.76.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock but with talacs module, no such log, so my login to shell failed due to request not send to radiusd port 1812
my request flow is : login to Shell to one server which running FreeRadius with rlm_tacacs module, the username/password will send to FreeRadius via port 1812, and radiusd will send request to remote Tacacs server which configed in tacacs module, my example is 10.76.x.x with port 49 from log seems virtual server could connect the remote tacacs serve with port 49, but can't receive auth request from port 1812, what is the problem here? thanks, Bryan
On Thu, Apr 24, 2025 at 9:46 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the quick response, glad to know you can reproduce it in local When the master branch will include your code? after you fix it, you could see below log in your local? Listening on auth address xx.xx.xx.xx port 1812 Listening on auth address 169.254.195.0 port 1812 Listening on auth address 127.0.0.1 port 1812 Listening on auth address ::1 port 1812 Listening on command file /var/opt/run/radiusd.sock Ready to process requests
thanks, Bryan
On Wed, Apr 23, 2025 at 11:47 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I use the latest FreeRadius 4.0 from github and I only use the rlm_tacacs module build in FreeRadius
I don't think that module is included in the testing framework. It hasn't really seen any code changes in a while.
When I try to start the radiusd daemon with -X, I encounter one segV error, and start option with -XC has no problem for configuration ... Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp" CAUGHT SIGNAL: Segmentation fault Backtrace of last 11 frames: /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9] /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465] /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10] /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
/opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
/opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
/opt/LU3P/sbin/radiusd[0x4056d1]
/opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
/opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf] /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5] /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e] No panic action set
Oops. :( When I try it locally, I see it crash, too.
I've pushed a patch which makes it not crash. But I haven't tested the actual TACACS+ functionality.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 24, 2025, at 5:12 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I changed some virtual server side config and tried to logon with testuser1/testpass123, the error from tacacs is an encoding error.
Two things. First, you have to say what attributes are going into the TACACS+ packet. The server can't just invent things. Second, the rlm_tacacs module can only be run within a 'tacacs' namespace. This is one of the major differences between v3 and v4. If you want to receive a RADIUS Access-Request and then send a TACACS+ packet, you will have to change namespaces. See https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/u... recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/* tacacs } You will have to edit this and double-check it, but the basic concepts are there. Alan DeKok.
Thank you Alan for the explanation that make sense to provide the attributes to TACACS+ when change protocol from Radius to TACACS+ so beside the username/password, I need below attribute right? DEFINE Packet struct MEMBER Version-Major bit[4] VALUE Version-Major Plus 12 MEMBER Version-Minor bit[4] MEMBER Packet-Type uint8 VALUE Packet-Type Authentication 1 VALUE Packet-Type Authorization 2 VALUE Packet-Type Accounting 3 MEMBER Sequence-Number uint8 MEMBER Flags uint8 VALUE Flags None 0 VALUE Flags Unencrypted 1 VALUE Flags Single-Connect 4 VALUE Flags Unencrypted-Single-Connect 5 MEMBER Session-Id uint32 MEMBER Length uint32 I can't assign the Packet-Type, even I use "Authentication" and 1, it will init the packet-type to 0 for the namespace issue, I firstly type namespace as tacacs in the virtual server, but seems it can't receive Radius request from port 1812, so I changed namespace from tacacs to radius, then the FreeRadius begin to listen the port 1812 do you mean in the modules/tacacs, I still need to specify the namespace as tacacs? On Thu, Apr 24, 2025 at 6:51 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 24, 2025, at 5:12 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I changed some virtual server side config and tried to logon with testuser1/testpass123, the error from tacacs is an encoding error.
Two things. First, you have to say what attributes are going into the TACACS+ packet. The server can't just invent things.
Second, the rlm_tacacs module can only be run within a 'tacacs' namespace. This is one of the major differences between v3 and v4.
If you want to receive a RADIUS Access-Request and then send a TACACS+ packet, you will have to change namespaces. See https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/u...
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/*
tacacs
}
You will have to edit this and double-check it, but the basic concepts are there.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the explanation that make sense to provide the attributes to TACACS+ when change protocol from Radius to TACACS+ so beside the username/password, I need below attribute right?
Yes... those are the attributes included with the server, in the TACACS dictionary files. I'm aware of them.
I can't assign the Packet-Type, even I use "Authentication" and 1, it will init the packet-type to 0 for the namespace issue, I firstly type namespace as tacacs in the virtual server, but seems it can't receive Radius request from port 1812, so I changed namespace from tacacs to radius, then the FreeRadius begin to listen the port 1812 do you mean in the modules/tacacs, I still need to specify the namespace as tacacs?
What I said was to use the following configuration:
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/*
tacacs
}
You will have to edit this and double-check it, but the basic concepts are there.
Instead of doing that, you're doing something else. Why? Alan DeKok.
Yes, I am doing the thing you suggested, I need to check how the Packet structure to Networks I can't assign the Packet-Type, even I use "Authentication" and 1, it will
init the packet-type to 0 Any guideline about how to assign value for the Struct type defined in dictionary?
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password *Packet.Packet-Type := 1* tacacs } } On Fri, Apr 25, 2025 at 8:32 AM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the explanation that make sense to provide the attributes to TACACS+ when change protocol from Radius to TACACS+ so beside the username/password, I need below attribute right?
Yes... those are the attributes included with the server, in the TACACS dictionary files. I'm aware of them.
I can't assign the Packet-Type, even I use "Authentication" and 1, it will init the packet-type to 0 for the namespace issue, I firstly type namespace as tacacs in the virtual server, but seems it can't receive Radius request from port 1812, so I changed namespace from tacacs to radius, then the FreeRadius begin to listen the port 1812 do you mean in the modules/tacacs, I still need to specify the namespace as tacacs?
What I said was to use the following configuration:
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/*
tacacs
}
You will have to edit this and double-check it, but the basic concepts are there.
Instead of doing that, you're doing something else. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I update my virtual server config as below, but seems request sendout failure server default { namespace = radius listen { type = Access-Request type = Status-Server transport = udp udp { ipaddr = 169.254.195.0 port = 1812 } } recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password Packet.Version-Major := 0xC Packet.Version-Minor := 0x0 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := 12345678 Packet.Length := 0 tacacs } } } Debug : (0.0) tacacs - Sending Authentication-Start ID 31 length 29 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : (0.0) tacacs - Packet-Type = Authentication-Start Debug : (0.0) tacacs - User-Name = "testuser1" Debug : (0.0) tacacs - User-Password = "testpass123" Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 0 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 1 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 12345678 Debug : (0.0) tacacs - Length = 0 Debug : (0.0) tacacs - } ERROR : (0) ERROR: Request has reached max_request_time - signalling it to stop Debug : (0) Done request On Fri, Apr 25, 2025 at 9:24 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Yes, I am doing the thing you suggested, I need to check how the Packet structure to Networks I can't assign the Packet-Type, even I use "Authentication" and 1, it will
init the packet-type to 0 Any guideline about how to assign value for the Struct type defined in dictionary?
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password *Packet.Packet-Type := 1* tacacs }
}
On Fri, Apr 25, 2025 at 8:32 AM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the explanation that make sense to provide the attributes to TACACS+ when change
protocol
from Radius to TACACS+ so beside the username/password, I need below attribute right?
Yes... those are the attributes included with the server, in the TACACS dictionary files. I'm aware of them.
I can't assign the Packet-Type, even I use "Authentication" and 1, it will init the packet-type to 0 for the namespace issue, I firstly type namespace as tacacs in the virtual server, but seems it can't receive Radius request from port 1812, so I changed namespace from tacacs to radius, then the FreeRadius begin to listen the port 1812 do you mean in the modules/tacacs, I still need to specify the namespace as tacacs?
What I said was to use the following configuration:
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/*
tacacs
}
You will have to edit this and double-check it, but the basic concepts are there.
Instead of doing that, you're doing something else. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Seems I got the reply error: Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 0 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 2 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 3666625090 Debug : (0.0) tacacs - Length = 49 Debug : (0.0) tacacs - } Debug : (0.0) tacacs - Packet-Body-Type = Reply Debug : (0.0) tacacs - Authentication-Status = Error Debug : (0.0) tacacs - Authentication-Flags = 0 Debug : (0.0) * tacacs - Server-Message = "10.76.89.51 : Invalid AUTHEN/START action=0"* Debug : (0.0) tacacs - Data = 0x Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information in virtual server config, after subrequest, this will call : tacacs module, the /module/tacacs config like: # cat /etc/opt/LU3Pfreeradius-server/modules/tacacs # modules { tacacs { transport = tcp type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request tcp { ipaddr = 10.76.89.50 port = 49 secret = testkey123 } pool { start = 1 min = 1 max = 1 } } # } On Fri, Apr 25, 2025 at 10:36 AM bryan xiang <bryanxiang82@gmail.com> wrote:
I update my virtual server config as below, but seems request sendout failure
server default { namespace = radius
listen { type = Access-Request type = Status-Server transport = udp udp { ipaddr = 169.254.195.0 port = 1812 } }
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password Packet.Version-Major := 0xC Packet.Version-Minor := 0x0 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := 12345678 Packet.Length := 0
tacacs }
}
}
Debug : (0.0) tacacs - Sending Authentication-Start ID 31 length 29 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : (0.0) tacacs - Packet-Type = Authentication-Start Debug : (0.0) tacacs - User-Name = "testuser1" Debug : (0.0) tacacs - User-Password = "testpass123" Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 0 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 1 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 12345678 Debug : (0.0) tacacs - Length = 0 Debug : (0.0) tacacs - } ERROR : (0) ERROR: Request has reached max_request_time - signalling it to stop Debug : (0) Done request
On Fri, Apr 25, 2025 at 9:24 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Yes, I am doing the thing you suggested, I need to check how the Packet structure to Networks I can't assign the Packet-Type, even I use "Authentication" and 1, it will
init the packet-type to 0 Any guideline about how to assign value for the Struct type defined in dictionary?
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password *Packet.Packet-Type := 1* tacacs }
}
On Fri, Apr 25, 2025 at 8:32 AM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the explanation that make sense to provide the attributes to TACACS+ when change
protocol
from Radius to TACACS+ so beside the username/password, I need below attribute right?
Yes... those are the attributes included with the server, in the TACACS dictionary files. I'm aware of them.
I can't assign the Packet-Type, even I use "Authentication" and 1, it will init the packet-type to 0 for the namespace issue, I firstly type namespace as tacacs in the virtual server, but seems it can't receive Radius request from port 1812, so I changed namespace from tacacs to radius, then the FreeRadius begin to listen the port 1812 do you mean in the modules/tacacs, I still need to specify the namespace as tacacs?
What I said was to use the following configuration:
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/*
tacacs
}
You will have to edit this and double-check it, but the basic concepts are there.
Instead of doing that, you're doing something else. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, I have some good progress, but still failed in last step, seems TACACS server already send pass to FreeRadius, but FreeRadius report one error and reject the request: Debug : (0) Packet-Type = Access-Request Debug : (0) Running 'recv Access-Request' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config Debug : (0) recv Access-Request { Debug : (0) subrequest @tacacs::Authentication-Start { Debug : (0.0) User-Name := "testuser1" Debug : (0.0) Data := "testpass123" Debug : (0.0) Packet.Version-Major := 12 Debug : (0.0) Packet.Version-Minor := 1 Debug : (0.0) Packet.Packet-Type := Authentication Debug : (0.0) Packet.Sequence-Number := 1 Debug : (0.0) Packet.Flags := None Debug : (0.0) Packet.Length := 0 Debug : (0.0) Authentication-Type := PAP Debug : (0.0) Action := LOGIN Debug : (0.0) Authentication-Service := LOGIN Debug : (0.0) tacacs - tacacs - [1] Trunk connection assigned request 1 Debug : (0.0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : (0.0) tacacs - Packet-Type = Authentication-Start Debug : (0.0) tacacs - User-Name = "testuser1" Debug : (0.0) tacacs - Data = 0x7465737470617373313233 Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 1 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 1 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 2032895623 Debug : (0.0) tacacs - Length = 0 Debug : (0.0) tacacs - } Debug : (0.0) tacacs - Authentication-Type = PAP Debug : (0.0) tacacs - Action = LOGIN Debug : (0.0) tacacs - Authentication-Service = LOGIN Debug : (0.0) tacacs - Received Authentication-Pass ID 2 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 1 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 2 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 2032895623 Debug : (0.0) tacacs - Length = 6 Debug : (0.0) tacacs - } Debug : (0.0) tacacs - Packet-Body-Type = Reply Debug : (0.0) tacacs - Authentication-Status = Pass Debug : (0.0) tacacs - Authentication-Flags = 0 Debug : (0.0) tacacs - Server-Message = "" Debug : (0.0) tacacs - Data = 0x Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : tacacs - [1] - Delaying reconnection by 1s Debug : (0.0) tacacs - tacacs - Resuming execution Debug : (0.0) tacacs (ok) Debug : (0) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (0) } # subrequest @tacacs::Authentication-Start (ok) Debug : (0) } # recv Access-Request (ok) Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request Debug : (0) default (ok) Debug : (0) } # default (ok) Debug : (0) Done request Debug : (0) Sending Access-Reject ID 83 from 0.0.0.0/0:1812 to 169.254.131.1:54808 length 38 via socket radius_udp server 169.254.195.0 port 1812 Debug : (0) * Packet-Type = Access-Reject* Debug : (0) Finished request virtual server config: # # Does nothing other than send packets. It doesn't listen on any input sockets. # server default { namespace = radius listen { type = Access-Request type = Status-Server transport = udp udp { ipaddr = 169.254.195.0 port = 1812 } } recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs } } } seems the Radius can't identify the TACACS auth success or not or some other config needed such as &control.Auth-Type := &Authentication-Type On Fri, Apr 25, 2025 at 10:50 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Seems I got the reply error:
Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 0 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 2 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 3666625090 Debug : (0.0) tacacs - Length = 49 Debug : (0.0) tacacs - } Debug : (0.0) tacacs - Packet-Body-Type = Reply Debug : (0.0) tacacs - Authentication-Status = Error Debug : (0.0) tacacs - Authentication-Flags = 0 Debug : (0.0) * tacacs - Server-Message = "10.76.89.51 : Invalid AUTHEN/START action=0"* Debug : (0.0) tacacs - Data = 0x Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
in virtual server config, after subrequest, this will call : tacacs module, the /module/tacacs config like:
# cat /etc/opt/LU3Pfreeradius-server/modules/tacacs # modules { tacacs { transport = tcp type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request
tcp { ipaddr = 10.76.89.50 port = 49 secret = testkey123 }
pool { start = 1 min = 1 max = 1
} } # }
On Fri, Apr 25, 2025 at 10:36 AM bryan xiang <bryanxiang82@gmail.com> wrote:
I update my virtual server config as below, but seems request sendout failure
server default { namespace = radius
listen { type = Access-Request type = Status-Server transport = udp udp { ipaddr = 169.254.195.0 port = 1812 } }
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password Packet.Version-Major := 0xC Packet.Version-Minor := 0x0 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := 12345678 Packet.Length := 0
tacacs }
}
}
Debug : (0.0) tacacs - Sending Authentication-Start ID 31 length 29 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : (0.0) tacacs - Packet-Type = Authentication-Start Debug : (0.0) tacacs - User-Name = "testuser1" Debug : (0.0) tacacs - User-Password = "testpass123" Debug : (0.0) tacacs - Packet { Debug : (0.0) tacacs - Version-Major = Plus Debug : (0.0) tacacs - Version-Minor = 0 Debug : (0.0) tacacs - Packet-Type = Authentication Debug : (0.0) tacacs - Sequence-Number = 1 Debug : (0.0) tacacs - Flags = None Debug : (0.0) tacacs - Session-Id = 12345678 Debug : (0.0) tacacs - Length = 0 Debug : (0.0) tacacs - } ERROR : (0) ERROR: Request has reached max_request_time - signalling it to stop Debug : (0) Done request
On Fri, Apr 25, 2025 at 9:24 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Yes, I am doing the thing you suggested, I need to check how the Packet structure to Networks I can't assign the Packet-Type, even I use "Authentication" and 1, it will
init the packet-type to 0 Any guideline about how to assign value for the Struct type defined in dictionary?
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Password := parent.request.User-Password *Packet.Packet-Type := 1* tacacs }
}
On Fri, Apr 25, 2025 at 8:32 AM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
Thank you Alan for the explanation that make sense to provide the attributes to TACACS+ when change
protocol
from Radius to TACACS+ so beside the username/password, I need below attribute right?
Yes... those are the attributes included with the server, in the TACACS dictionary files. I'm aware of them.
I can't assign the Packet-Type, even I use "Authentication" and 1, it will init the packet-type to 0 for the namespace issue, I firstly type namespace as tacacs in the virtual server, but seems it can't receive Radius request from port 1812, so I changed namespace from tacacs to radius, then the FreeRadius begin to listen the port 1812 do you mean in the modules/tacacs, I still need to specify the namespace as tacacs?
What I said was to use the following configuration:
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name User-Name := parent.request.User-Password ... fill in other attributes here, from dictionary/tacacs/*
tacacs
}
You will have to edit this and double-check it, but the basic concepts are there.
Instead of doing that, you're doing something else. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 25, 2025, at 5:18 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I have some good progress, but still failed in last step, seems TACACS server already send pass to FreeRadius, but FreeRadius report one error and reject the request: ... Debug : (0.0) tacacs - Received Authentication-Pass ID 2 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 ... Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
I suspect that the other end just closed the connection after one packet. This is actually normal for TACACS+.
... Debug : (0) } # recv Access-Request (ok) Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request
So... configure FreeRADIUS to authenticate the user? i.e. uif the TACACS+ module returns "ok", set Auth-Type = Accept. Alan DeKok.
Yes Alan, I ever tried to do this, but seems when subrequest module returned, the caller ( radius) did not see the Auth-type too. Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : tacacs - [1] - Delaying reconnection by 1s Debug : (0.0) tacacs - tacacs - Resuming execution Debug : (0.0) tacacs (ok) Debug : (0) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (0) } # subrequest @tacacs::Authentication-Start (ok) Debug : (0) *Auth-Type := Accept* Debug : (0) } # recv Access-Request (ok) *Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request* Debug : (0) default (ok) Debug : (0) } # default (ok) Debug : (0) Done request Debug : (0) Sending Access-Reject ID 83 from 0.0.0.0/0:1812 to 169.254.131.1:54808 length 38 via socket radius_udp server 169.254.195.0 port 1812 On Fri, Apr 25, 2025 at 6:09 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 25, 2025, at 5:18 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I have some good progress, but still failed in last step, seems TACACS server already send pass to FreeRadius, but FreeRadius report one error and reject the request: ... Debug : (0.0) tacacs - Received Authentication-Pass ID 2 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 ... Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
I suspect that the other end just closed the connection after one packet. This is actually normal for TACACS+.
... Debug : (0) } # recv Access-Request (ok) Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request
So... configure FreeRADIUS to authenticate the user? i.e. uif the TACACS+ module returns "ok", set Auth-Type = Accept.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, If I hardcode at the end of the Access-Request, it could pass, but how Can I add condition to check if tacacs return ok or not and then do the Auth-Type? recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs } * control.Auth-Type := "Accept"* } On Fri, Apr 25, 2025 at 10:31 PM bryan xiang <bryanxiang82@gmail.com> wrote:
Yes Alan, I ever tried to do this, but seems when subrequest module returned, the caller ( radius) did not see the Auth-type too.
Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : tacacs - [1] - Delaying reconnection by 1s Debug : (0.0) tacacs - tacacs - Resuming execution Debug : (0.0) tacacs (ok) Debug : (0) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (0) } # subrequest @tacacs::Authentication-Start (ok) Debug : (0) *Auth-Type := Accept* Debug : (0) } # recv Access-Request (ok) *Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request* Debug : (0) default (ok) Debug : (0) } # default (ok) Debug : (0) Done request Debug : (0) Sending Access-Reject ID 83 from 0.0.0.0/0:1812 to 169.254.131.1:54808 length 38 via socket radius_udp server 169.254.195.0 port 1812
On Fri, Apr 25, 2025 at 6:09 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 25, 2025, at 5:18 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
I have some good progress, but still failed in last step, seems TACACS server already send pass to FreeRadius, but FreeRadius report one error and reject the request: ... Debug : (0.0) tacacs - Received Authentication-Pass ID 2 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 ... Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
I suspect that the other end just closed the connection after one packet. This is actually normal for TACACS+.
... Debug : (0) } # recv Access-Request (ok) Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request
So... configure FreeRADIUS to authenticate the user? i.e. uif the TACACS+ module returns "ok", set Auth-Type = Accept.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 26, 2025, at 11:23 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
If I hardcode at the end of the Access-Request, it could pass, but how Can I add condition to check if tacacs return ok or not and then do the Auth-Type?
The "default" virtual server has examples of setting Auth-Type. Alan DeKok.
Yes, I am checking the examples and find one like below: recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs } * if (ok) { control.Auth-Type := "Accept" }* } but even the auth fail in tacacs module, the tacacs module still return ok, so the module can catch the auth fail and reply module not ok right? Debug : (1.0) tacacs - Packet { Debug : (1.0) tacacs - Version-Major = Plus Debug : (1.0) tacacs - Version-Minor = 1 Debug : (1.0) tacacs - Packet-Type = Authentication Debug : (1.0) tacacs - Sequence-Number = 2 Debug : (1.0) tacacs - Flags = None Debug : (1.0) tacacs - Session-Id = 2035888093 Debug : (1.0) tacacs - Length = 6 Debug : (1.0) tacacs - } Debug : (1.0) tacacs - Packet-Body-Type = Reply Debug : (1.0) tacacs - Authentication-Status = Fail Debug : (1.0) tacacs - Authentication-Flags = 0 Debug : (1.0) tacacs - Server-Message = "" Debug : (1.0) tacacs - Data = 0x Debug : (1.0) tacacs - tacacs - Resuming execution Debug : (1.0) *tacacs (ok)* Debug : (1) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (1) } # subrequest @tacacs:*:Authentication-Start (ok)* Debug : (1) if (ok) { Debug : (1) | ok Debug : (1) | %expr.rcode() Debug : (1) | --> true Debug : (1) control.Auth-Type := Accept Debug : (1) } # if (ok) (noop) Debug : (1) } # recv Access-Request (ok) Debug : (1) default (ok) Debug : (1) } # default (ok) Debug : (1) Done request On Sat, Apr 26, 2025 at 11:25 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 26, 2025, at 11:23 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
If I hardcode at the end of the Access-Request, it could pass, but how Can I add condition to check if tacacs return ok or not and then do the Auth-Type?
The "default" virtual server has examples of setting Auth-Type.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
whatever the auth success or fail, seems the tacacs module always report ok, so back to caller side, seems radius can't decide the auth fail or not Debug : (1.0) tacacs - } Debug : (1.0) tacacs - Authentication-Type = PAP Debug : (1.0) tacacs - Action = LOGIN Debug : (1.0) tacacs - Authentication-Service = LOGIN Debug : (1.0) *tacacs - Received Authentication-Fail *ID 3 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : (1.0) tacacs - Packet { Debug : (1.0) tacacs - Version-Major = Plus Debug : (1.0) tacacs - Version-Minor = 1 Debug : (1.0) tacacs - Packet-Type = Authentication Debug : (1.0) tacacs - Sequence-Number = 2 Debug : (1.0) tacacs - Flags = None Debug : (1.0) tacacs - Session-Id = 401966282 Debug : (1.0) tacacs - Length = 6 Debug : (1.0) tacacs - } Debug : (1.0) tacacs - Packet-Body-Type = Reply Debug : (1.0) tacacs - *Authentication-Status = Fail* Debug : (1.0) tacacs - Authentication-Flags = 0 Debug : (1.0) tacacs - Server-Message = "" Debug : (1.0) tacacs - Data = 0x Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 Debug : tacacs - [1] - Delaying reconnection by 1s Debug : (1.0) tacacs - tacacs - Resuming execution Debug : (1.0) *tacacs (ok)* *I also tried to get the tacacs attributes in the caller side, but not help because the connection was closed by remote side* On Sun, Apr 27, 2025 at 9:51 AM bryan xiang <bryanxiang82@gmail.com> wrote:
Yes, I am checking the examples and find one like below:
recv Access-Request { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs }
* if (ok) { control.Auth-Type := "Accept" }* }
but even the auth fail in tacacs module, the tacacs module still return ok, so the module can catch the auth fail and reply module not ok right? Debug : (1.0) tacacs - Packet { Debug : (1.0) tacacs - Version-Major = Plus Debug : (1.0) tacacs - Version-Minor = 1 Debug : (1.0) tacacs - Packet-Type = Authentication Debug : (1.0) tacacs - Sequence-Number = 2 Debug : (1.0) tacacs - Flags = None Debug : (1.0) tacacs - Session-Id = 2035888093 Debug : (1.0) tacacs - Length = 6 Debug : (1.0) tacacs - } Debug : (1.0) tacacs - Packet-Body-Type = Reply Debug : (1.0) tacacs - Authentication-Status = Fail Debug : (1.0) tacacs - Authentication-Flags = 0 Debug : (1.0) tacacs - Server-Message = "" Debug : (1.0) tacacs - Data = 0x Debug : (1.0) tacacs - tacacs - Resuming execution Debug : (1.0) *tacacs (ok)* Debug : (1) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (1) } # subrequest @tacacs:*:Authentication-Start (ok)* Debug : (1) if (ok) { Debug : (1) | ok Debug : (1) | %expr.rcode() Debug : (1) | --> true Debug : (1) control.Auth-Type := Accept Debug : (1) } # if (ok) (noop) Debug : (1) } # recv Access-Request (ok) Debug : (1) default (ok) Debug : (1) } # default (ok) Debug : (1) Done request
On Sat, Apr 26, 2025 at 11:25 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 26, 2025, at 11:23 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
If I hardcode at the end of the Access-Request, it could pass, but how Can I add condition to check if tacacs return ok or not and then do the Auth-Type?
The "default" virtual server has examples of setting Auth-Type.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 27, 2025, at 11:21 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
whatever the auth success or fail, seems the tacacs module always report ok, so back to caller side, seems radius can't decide the auth fail or not
Hmm,, yes. I'll take a look, but I can't promise anything quick.
*I also tried to get the tacacs attributes in the caller side, but not help because the connection was closed by remote side*
Huh? The attributes are available in the "reply" list, even if the connection was closed. But you have to look at the attributes in the "subrequest" block. And then from the debug output, even if you did that, the TACACS+ server isn't sending any attributes. Alan DeKok.
Thank you Alan I tried your suggestion and add check in the subrequest scope, I can see the reply attribute but seems can't set the Auth-Type successfully. the config file as below: recv Access-Request { # if (User-Name =~ /^testuser$/) { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs * if (&reply.Authentication-Status == "Pass") { &control.Auth-Type := "Accept" }* } } Debug : tacacs - [1] - Delaying reconnection by 1s Debug : (0.0) tacacs - tacacs - Resuming execution Debug : (0.0) tacacs (ok) *Debug : (0.0) if (&reply.Authentication-Status == "Pass") {Debug : (0.0) | ==Debug : (0.0) | &reply.Authentication-StatusDebug : (0.0) | &reply.Authentication-StatusDebug : (0.0) | --> PassDebug : (0.0) | %cmp_eq({Pass}{Pass})Debug : (0.0) | --> trueDebug : (0.0) control.Auth-Type := Accept* Debug : (0.0) } # if (&reply.Authentication-Status == "Pass") (noop) Debug : (0) subrequest @tacacs::Authentication-Start - Resuming execution Debug : (0) } # subrequest @tacacs::Authentication-Start (ok) Debug : (0) } # recv Access-Request (ok) *Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request* Debug : (0) default (ok) Debug : (0) } # default (ok) On Mon, Apr 28, 2025 at 7:59 AM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 27, 2025, at 11:21 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
whatever the auth success or fail, seems the tacacs module always report ok, so back to caller side, seems radius can't decide the auth fail or
not
Hmm,, yes. I'll take a look, but I can't promise anything quick.
*I also tried to get the tacacs attributes in the caller side, but not help because the connection was closed by remote side*
Huh? The attributes are available in the "reply" list, even if the connection was closed.
But you have to look at the attributes in the "subrequest" block. And then from the debug output, even if you did that, the TACACS+ server isn't sending any attributes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 27, 2025, at 8:29 PM, bryan xiang <bryanxiang82@gmail.com> wrote:
I tried your suggestion and add check in the subrequest scope, I can see the reply attribute but seems can't set the Auth-Type successfully. the config file as below:
At some point you will need to read the documentation, and understand how the server works. I cannot answer every minor question about everything. Go read the documentation at https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/u... If you set "control.Auth-Type" inside of the "subrequest" block, that does NOT set it in the *parent* block. Alan DeKok.
OK, I see When the child request has finished execution, it is freed but if I can't set it in subrequest, I can't get the attribute: Authentication-Status result from reply so, here the only way I can count on is the tacacs module return code(always return ok regardless auth success/fail) authenticate TACACS { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs } } recv Access-Request { if (User-Name =~ /^testuser1$/) { control.Auth-Type := ::TACACS } since you are working on the return code of tacacs module, seems this is the only way to decide the auth success or not because Reply attribute in subrequest can't be reused after the subrequest finish execution, the parent can't rely on the Auth-type setting in subrequest. Regards, Bryan On Mon, Apr 28, 2025 at 6:17 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 27, 2025, at 8:29 PM, bryan xiang <bryanxiang82@gmail.com> wrote:
I tried your suggestion and add check in the subrequest scope, I can see the reply attribute but seems can't set the Auth-Type successfully. the config file as below:
At some point you will need to read the documentation, and understand how the server works. I cannot answer every minor question about everything.
Go read the documentation at https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/u...
If you set "control.Auth-Type" inside of the "subrequest" block, that does NOT set it in the *parent* block.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 28, 2025, at 9:39 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
OK, I see When the child request has finished execution, it is freed but if I can't set it in subrequest, I can't get the attribute: Authentication-Status result from reply so, here the only way I can count on is the tacacs module return code(always return ok regardless auth success/fail)
You can set "parent.control.Auth-Type" inside of the subrequest. My concern here is that the approach I see you taking is largely to make random changes. This is pretty much guaranteed to not make progress. Instead, of you understand how things work, it's much easier to see what needs to be done. i.e. If there is a relationship between a parent and child request, then you can reference the parent from the child. But after the child has returned, you cannot reference the child from the parent.
since you are working on the return code of tacacs module, seems this is the only way to decide the auth success or not because Reply attribute in subrequest can't be reused after the subrequest finish execution, the parent can't rely on the Auth-type setting in subrequest.
The child can do: parent.control.Auth_Type := Accept At this point, I think I can't answer any more questions. I've pointed you to the documentation, and how to get things done. Unless you report a bug, I'll have to ask you to go through the documentation and follow what it says. I can't continue to summarize the documentation in emails to this list. Everything I'm saying is in the documentation. Alan DeKok.
Thank you Alan for your detailed explanation Yes, last time's config has some change, so I changed back to the previous version configuration and set parent.control.Auth-Type in subrequest, then it finally working, thanks so much! Right, one thing for my last config, is it one bug or enhance if set Auth-Type like below manner? recv Access-Request { if (User-Name =~ /^testuser1$/) { control.Auth-Type := ::TACACS } authenticate TACACS { subrequest @tacacs::Authentication-Start { User-Name := parent.request.User-Name #User-Password := parent.request.User-Password Data := parent.request.User-Password Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping Packet.Version-Minor := 0x1 Packet.Packet-Type := "Authentication" Packet.Sequence-Number := 1 Packet.Flags := "None" Packet.Session-Id := parent.request.Acct-Session-Id Packet.Length := 0 Authentication-Type := "PAP" Action := "Login" Authentication-Service := "Login" tacacs if (&reply.Authentication-Status == "Pass") { parent.control.Auth-Type := "Accept" } } } with this config, even I set parent.control.Auth-Type in subrequest, login with right/wrong password, all get Authenticated success because the subrequest return ok seems so regards, Bryan On Mon, Apr 28, 2025 at 10:16 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 28, 2025, at 9:39 AM, bryan xiang <bryanxiang82@gmail.com> wrote:
OK, I see When the child request has finished execution, it is freed but if I can't set it in subrequest, I can't get the attribute: Authentication-Status result from reply so, here the only way I can count on is the tacacs module return code(always return ok regardless auth success/fail)
You can set "parent.control.Auth-Type" inside of the subrequest.
My concern here is that the approach I see you taking is largely to make random changes. This is pretty much guaranteed to not make progress.
Instead, of you understand how things work, it's much easier to see what needs to be done. i.e. If there is a relationship between a parent and child request, then you can reference the parent from the child. But after the child has returned, you cannot reference the child from the parent.
since you are working on the return code of tacacs module, seems this is the only way to decide the auth success or not because Reply attribute in subrequest can't be reused after the subrequest finish execution, the parent can't rely on the Auth-type setting in subrequest.
The child can do:
parent.control.Auth_Type := Accept
At this point, I think I can't answer any more questions. I've pointed you to the documentation, and how to get things done. Unless you report a bug, I'll have to ask you to go through the documentation and follow what it says.
I can't continue to summarize the documentation in emails to this list. Everything I'm saying is in the documentation.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
bryan xiang -
Timothy M Butterworth