Version 4 issue - Opening tacacs I/O interface failed

jeff cearniey jeffcearniey at gmail.com
Wed Mar 6 18:04:44 UTC 2024


I've seen this error mentioned a few times with some google search and the
advice was to ensure libkqueue is the most recent version from git which is
2.6.1 and i've done that:

dpkg -l libkqueue
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-===================================================================
ii  libkqueue      2.6.1        amd64        Userspace implementation of
the kqueue event notification mechanism

I'm on ubuntu 20.04 and everything is up to date.

I installed version 4 from the tar file here
https://freeradius.org/ftp/pub/freeradius/

here is the full error (i'm using v4 because i want tacacs)

radiusd -X
Info  : Copyright 1999-2023 The FreeRADIUS server project and contributors
Info  : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info  : PARTICULAR PURPOSE
Info  : You may redistribute copies of FreeRADIUS under the terms of the
Info  : GNU General Public License
Info  : For more information about these matters, see the file named
COPYRIGHT
Info  : Starting - reading configuration files ...
Debug : Including dictionary file "/usr/local/etc/raddb/dictionary"
gctx 0x5612a932aa40 report
    internal refs src/lib/server/main_config.c (1)
    internal refs src/lib/server/request.c (1)
    internal refs src/lib/tls/base.c (1)
including configuration file /usr/local/etc/raddb/radiusd.conf
Including files in directory "/usr/local/etc/raddb/template.d/"
including configuration file /usr/local/etc/raddb/template.d/default
including configuration file /usr/local/etc/raddb/clients.conf
Including files in directory "/usr/local/etc/raddb/global.d/"
including configuration file /usr/local/etc/raddb/global.d/ldap
including configuration file /usr/local/etc/raddb/global.d/python
Including files in directory "/usr/local/etc/raddb/mods-enabled/"
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/client
including configuration file /usr/local/etc/raddb/mods-enabled/delay
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/escape
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/stats
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
Including files in directory "/usr/local/etc/raddb/policy.d/"
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalisation
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/time
including configuration file /usr/local/etc/raddb/policy.d/vendor
Including files in directory "/usr/local/etc/raddb/sites-enabled/"
including configuration file /usr/local/etc/raddb/sites-enabled/tacacs
Loaded module process_tacacs
Parsing initial logging configuration.
main {
  prefix = /usr/local
  log {
    destination = files
    syslog_facility = daemon
    local_state_dir = "/usr/local/var"
    logdir = "/usr/local/var/log"
    file = /usr/local/var/log/radius/radius.log
    suppress_secrets = no
  }
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
  log {
  }
  security {
    allow_core_dumps = no
    allow_vulnerable_openssl = no
    openssl_fips_mode = no
  }
  name = radiusd
  local_state_dir = "/usr/local/var"
  run_dir = /usr/local/var/run/radiusd
}
Parsing main configuration
main {
  server tacacs {
    namespace = tacacs
    tacacs {
      Authentication {
        log {
          stripped_names = no
          auth = no
          auth_badpass = no
          auth_goodpass = no
          msg_denied = "You are already logged in - access denied"
        }
        session {
          timeout = 15
          max = 4096
          max_rounds = 4
        }
      }
    }
Loaded module proto_tacacs
    listen {
      type = Authentication-Start
      type = Authentication-Continue
      type = Authorization-Request
      type = Accounting-Request
      transport = tcp
Loaded module proto_tacacs_tcp
      tcp {
        ipaddr = 10.10.10.10
        port = 49
        networks {
        }
        max_packet_size = 4096
        max_attributes = 256
      }
      limit {
        idle_timeout = 60.0
        max_connections = 256
      }
      priority {
        Authentication-Start = high
        Authentication-Continue = high
        Authorization-Request = normal
        Accounting-Request = low
      }
    }
  }
  log {
    colourise = yes
  }
  security {
  }
  sbin_dir = "/usr/local/sbin"
  logdir = /usr/local/var/log/radius
  radacctdir = /usr/local/var/log/radius/radacct
  reverse_lookups = no
  hostname_lookups = yes
  max_request_time = 30
  pidfile = /usr/local/var/run/radiusd/radiusd.pid
  debug_level = 0
  max_requests = 16384
  resources {
  }
  thread pool {
    num_networks = 1
Dynamically determined thread.workers = 31
    num_workers = 31
    openssl_async_pool_init = 64
    openssl_async_pool_max = 1024
  }
  migrate {
    rewrite_update = false
    forbid_update = false
  }
  interpret {
  }
}
Switching to configured log settings
radiusd: #### Loading Clients ####
  client localhost {
    ipaddr = 127.0.0.1
    secret = <<< secret >>>
    require_message_authenticator = no
    proto = *
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
  client localhost_ipv6 {
    ipv6addr = ::1
    secret = <<< secret >>>
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30s
    }
  }
Debugger not attached
trigger { ... } subsection not found, triggers will be disabled
#### Instantiating libraries ####
#### Bootstrapping process modules ####
Bootstrapping process_tacacs "tacacs"
Creating Auth-Type = PAP
Creating Auth-Type = CHAP
Creating Auth-Type = ASCII
#### Bootstrapping protocol modules ####
Bootstrapping proto_tacacs "tacacs.tacacs"
Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1"
    client tacacs {
      ipaddr = 10.81.1.195
      secret = <<< secret >>>
      proto = tcp
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30s
      }
    }
#### Instantiating libraries ####
#### Bootstrapping modules ####
 modules {
Loaded module rlm_always
    always reject {
      rcode = reject
      simulcount = 0
      mpp = no
    }
    always fail {
      rcode = fail
      simulcount = 0
      mpp = no
    }
    always ok {
      rcode = ok
      simulcount = 0
      mpp = no
    }
    always handled {
      rcode = handled
      simulcount = 0
      mpp = no
    }
    always invalid {
      rcode = invalid
      simulcount = 0
      mpp = no
    }
    always disallow {
      rcode = disallow
      simulcount = 0
      mpp = no
    }
    always notfound {
      rcode = notfound
      simulcount = 0
      mpp = no
    }
    always noop {
      rcode = noop
      simulcount = 0
      mpp = no
    }
    always updated {
      rcode = updated
      simulcount = 0
      mpp = no
    }
Loaded module rlm_attr_filter
    attr_filter attr_filter.pre-proxy {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
      key = "%{Realm}"
      relaxed = no
    }
    attr_filter attr_filter.post-proxy {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
      key = "%{Realm}"
      relaxed = no
    }
    attr_filter attr_filter.access_reject {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/access_reject
      key = "%{User-Name}"
      relaxed = no
    }
    attr_filter attr_filter.access_challenge {
      filename =
/usr/local/etc/raddb/mods-config/attr_filter/access_challenge
      key = "%{User-Name}"
      relaxed = no
    }
    attr_filter attr_filter.accounting_response {
      filename =
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response
      key = "%{User-Name}"
      relaxed = no
    }
Loaded module rlm_cache
    cache cache_eap {
      driver = rbtree
Loaded module rlm_cache_rbtree
      key = %{&control.State || &reply.State || &State}
      ttl = 15
      max_entries = 0
      epoch = 0
      add_stats = no
    }
Loaded module rlm_chap
    chap {
      min_challenge_len = 16
    }
Loaded module rlm_client
Loaded module rlm_delay
    delay {
      delay = 1.0s
      relative = no
      force_reschedule = no
    }
    delay delay_reject {
      delay = "%{&reply.FreeRADIUS-Response-Delay || 1}"
      relative = yes
      force_reschedule = no
    }
Loaded module rlm_detail
    detail {
      filename =
/usr/local/var/log/radius/radacct/%{Net.Src.IP}/detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail auth_log {
      filename =
/usr/local/var/log/radius/radacct/%{Net.Src.IP}/auth-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail reply_log {
      filename =
/usr/local/var/log/radius/radacct/%{Net.Src.IP}/reply-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail pre_proxy_log {
      filename =
/usr/local/var/log/radius/radacct/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail post_proxy_log {
      filename =
/usr/local/var/log/radius/radacct/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
Loaded module rlm_digest
Loaded module rlm_exec
    exec echo {
      wait = yes
      input_pairs = &request
      output_pairs = &reply
      shell_escape = yes
      env_inherit = no
    }
Loaded module rlm_escape
    escape {
      safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
    }
    exec {
      wait = yes
      input_pairs = &request
      shell_escape = yes
      env_inherit = no
      timeout = 10
    }
Loaded module rlm_files
    files {
      filename = /usr/local/etc/raddb/mods-config/files/authorize
      acctusersfile = /usr/local/etc/raddb/mods-config/files/accounting
      key = %{%{Stripped-User-Name}:-%{User-Name}}
    }
Loaded module rlm_linelog
    linelog {
      destination = file
      delimiter = "\n"
      format = "This is a log message for %{User-Name}"
      reference = "messages.%{&reply.Packet-Type || 'default'}"
      file {
        filename = /usr/local/var/log/radius/linelog
        permissions = 0600
        escape_filenames = no
      }
      syslog {
        severity = "info"
      }
      unix {
      }
      tcp {
        server = localhost
        port = 514
        timeout = 2.0
      }
      udp {
        server = localhost
        port = 514
        timeout = 2.0
      }
    }
    linelog log_accounting {
      destination = file
      delimiter = "\n"
      format = ""
      reference = "Accounting-Request.%{&Acct-Status-Type || 'unknown'}"
      file {
        filename = /usr/local/var/log/radius/linelog-accounting
        permissions = 0600
        escape_filenames = no
      }
      syslog {
        severity = "info"
      }
      unix {
      }
      tcp {
        timeout = 1000
      }
      udp {
        timeout = 1000
      }
    }
Loaded module rlm_mschap
    mschap {
      normalise = yes
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = yes
      passchange {
      }
      allow_retry = yes
      winbind {
      }
    }
    exec ntlm_auth {
      wait = yes
      shell_escape = yes
      env_inherit = no
    }
Loaded module rlm_pap
    pap {
      normalise = yes
    }
Loaded module rlm_passwd
    passwd etc_passwd {
      filename = /etc/passwd
      format = "*User-Name:Crypt-Password:"
      delimiter = ":"
      ignore_nislike = no
      ignore_empty = yes
      allow_multiple_keys = no
      hash_size = 100
    }
Loaded module rlm_radutmp
    radutmp {
      filename = /usr/local/var/log/radius/radutmp
      username = %{User-Name}
      check_with_nas = yes
      permissions = 0600
      caller_id = no
    }
    radutmp sradutmp {
      filename = /usr/local/var/log/radius/sradutmp
      username = "%{User-Name}"
      check_with_nas = yes
      permissions = 0644
      caller_id = no
    }
Loaded module rlm_stats
    stats {
    }
Loaded module rlm_unix
    unix {
    }
Loaded module rlm_unpack
Loaded module rlm_utf8
#### Bootstrapping rlm modules ####
Bootstrapping rlm_cache "cache_eap"
Bootstrapping rlm_chap "chap"
Bootstrapping rlm_delay "delay"
Bootstrapping rlm_delay "delay_reject"
Bootstrapping rlm_always "disallow"
Bootstrapping rlm_exec "echo"
Bootstrapping rlm_escape "escape"
Bootstrapping rlm_exec "exec"
Bootstrapping rlm_always "fail"
Bootstrapping rlm_always "handled"
Bootstrapping rlm_always "invalid"
Bootstrapping rlm_linelog "linelog"
Bootstrapping rlm_linelog "log_accounting"
Bootstrapping rlm_mschap "mschap"
Bootstrapping rlm_always "noop"
Bootstrapping rlm_always "notfound"
Bootstrapping rlm_exec "ntlm_auth"
Bootstrapping rlm_always "ok"
Bootstrapping rlm_always "reject"
Bootstrapping rlm_unix "unix"
Bootstrapping rlm_always "updated"
 } # modules
#### Instantiating listeners ####
Compiling policies in server tacacs { ... }
Instantiating proto_tacacs "tacacs.tacacs"
Instantiating process_tacacs "tacacs"
Compiling policies in - recv Authentication-Start {...}
/usr/local/etc/raddb/sites-enabled/tacacs[287]: Ignoring "-sql" as the
"sql" module is not enabled.
Compiling policies in - send Authentication-Pass {...}
Compiling policies in - send Authentication-Fail {...}
Compiling policies in - send Authentication-GetUser {...}
Compiling policies in - send Authentication-GetPass {...}
Compiling policies in - recv Authentication-Continue {...}
Compiling policies in - authenticate PAP {...}
Compiling policies in - authenticate CHAP {...}
Compiling policies in - authenticate ASCII {...}
Compiling policies in - recv Authorization-Request {...}
Compiling policies in - send Authorization-Pass-Add {...}
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Success {...}
Compiling policies in - send Accounting-Error {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Watchdog-Update {...}
Compiling policies in - accounting Watchdog {...}
Compiling policies in - accounting Stop {...}
/usr/local/etc/raddb/sites-enabled/tacacs[24]: tacacs  { ... } section is
unused
#### Instantiating rlm modules ####
Instantiating rlm_attr_filter "attr_filter.access_challenge"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
Instantiating rlm_attr_filter "attr_filter.access_reject"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
Instantiating rlm_attr_filter "attr_filter.accounting_response"
Reading file
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response
Instantiating rlm_attr_filter "attr_filter.post-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
Instantiating rlm_attr_filter "attr_filter.pre-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating rlm_detail "auth_log"
auth_log - 'User-Password' suppressed, will not appear in detail output
Instantiating rlm_cache "cache_eap"
Instantiating rlm_chap "chap"
Instantiating rlm_detail "detail"
Instantiating rlm_digest "digest"
Failed to find 'authenticate digest {...}' section.  Digest authentication
will likely not work
Instantiating rlm_always "disallow"
Instantiating rlm_passwd "etc_passwd"
Instantiating rlm_always "fail"
Instantiating rlm_files "files"
Reading file /usr/local/etc/raddb/mods-config/files/authorize
Reading file /usr/local/etc/raddb/mods-config/files/accounting
Instantiating rlm_always "handled"
Instantiating rlm_always "invalid"
Instantiating rlm_linelog "linelog"
Instantiating rlm_linelog "log_accounting"
Instantiating rlm_mschap "mschap"
mschap - Failed to find 'authenticate mschap {...}' section.  MS-CHAP
authentication will likely not work
mschap - Using internal authentication
Instantiating rlm_always "noop"
Instantiating rlm_always "notfound"
Instantiating rlm_always "ok"
Instantiating rlm_pap "pap"
Instantiating rlm_detail "post_proxy_log"
Instantiating rlm_detail "pre_proxy_log"
Instantiating rlm_always "reject"
Instantiating rlm_detail "reply_log"
Instantiating rlm_stats "stats"
Instantiating rlm_always "updated"
Instantiating _cache_rbtree "cache_eap.rbtree"
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Network - Failed adding new socket to network event loop: Failed inserting
filters for FD 15: EFAULT: Bad address
/usr/local/etc/raddb/sites-enabled/tacacs[144]: Opening tacacs I/O
interface failed


More information about the Freeradius-Users mailing list