Start FreeRadius 4.0 with rlm_tacacs failed due to segV error
bryan xiang
bryanxiang82 at gmail.com
Thu Apr 24 09:12:19 UTC 2025
I changed some config on the virtual server side and tried to log on with
testuser1/testpass123; the error from tacacs is an encoding error.
The config change for the virtual server:
#
# Does nothing other than send packets. It doesn't listen to any input
# sockets.
#
server default {
	namespace = radius

	listen {
		type = Access-Request
		type = Status-Server
		transport = udp
		udp {
			ipaddr = 169.254.195.0
			port = 1812
		}
	}

	recv Access-Request {
		tacacs
	}
}
# /opt/LU3P/sbin/radiusd -X -d /etc/opt/LU3Pfreeradius-server
Info : Copyright 1999-2024 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
including configuration file /etc/opt/LU3Pfreeradius-server/radiusd.conf
including configuration file /etc/opt/LU3Pfreeradius-server/clients.conf
Including files in directory "/etc/opt/LU3Pfreeradius-server/modules/"
including configuration file /etc/opt/LU3Pfreeradius-server/modules/tacacs
including configuration file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Loaded module process_radius
Parsing initial logging configuration.
main {
prefix = /opt/LU3P
log {
destination = files
syslog_facility = daemon
local_state_dir = "/opt/LU3P/var"
logdir = "/opt/LU3P/var/log"
file = /var/opt/log/freeradius-server/radius.log
suppress_secrets = no
}
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
log {
}
security {
allow_core_dumps = no
allow_vulnerable_openssl = "no"
}
name = radiusd
local_state_dir = "/opt/LU3P/var"
run_dir = /var/opt/run
}
Parsing main configuration
main {
server default {
namespace = radius
radius {
Access-Request {
session {
timeout = 15
max = 4096
}
}
}
Loaded module proto_radius
listen {
type = Access-Request
type = Status-Server
transport = udp
Loaded module proto_radius_udp
udp {
ipaddr = 169.254.195.0
port = 1812
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
log {
ignored_clients = yes
}
require_message_authenticator = no
limit_proxy_state = auto
}
}
log {
}
security {
}
sbin_dir = "/opt/LU3P/sbin"
logdir = /var/opt/log/freeradius-server
radacctdir = /var/opt/log/freeradius-server/radacct
reverse_lookups = no
hostname_lookups = no
max_request_time = 30
pidfile = /var/opt/run/radiusd.pid
debug_level = 0
max_requests = 1024
resources {
}
thread pool {
num_networks = 1
Dynamically determined thread.workers = 2
num_workers = 2
}
migrate {
}
}
Info : Switching to configured log settings
Debug : radiusd: #### Loading Clients ####
Debug : client 127.0.0.1 {
Debug : ipaddr = 127.0.0.1
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Debug : client 169.254.64.0/20 {
Debug : ipaddr = 169.254.64.0/20
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Debug : client 169.254.128.0/17 {
Debug : ipaddr = 169.254.128.0/17
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Info : Debugger not attached
Info : Configuration version: 2B68C42F-4537-400E-A66C-0DB8A9263333
Info : systemd watchdog is disabled
Info : pre-suid-down capabilities: =ep
Warn : trigger { ... } subsection not found, triggers will be disabled
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping process modules ####
Debug : Bootstrapping process_radius "default"
Debug : #### Bootstrapping protocol modules ####
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping static modules ####
Debug : modules {
Debug : static {
Debug : Loaded module rlm_tacacs
Debug : tacacs {
Debug : transport = tcp
Debug : Loaded module rlm_tacacs_tcp
Debug : tcp {
Debug : ipaddr = 10.76.89.50
Debug : port = 49
Debug : secret = testkey123
Debug : max_packet_size = 4096
Debug : max_send_coalesce = 1024
Debug : }
Debug : type = Authentication-Start
Debug : type = Authentication-Continue
Debug : type = Authorization-Request
Debug : type = Accounting-Request
Debug : max_attributes = 255
Debug : response_window = 20
Debug : zombie_period = 40
Debug : pool {
Debug : start = 1
Debug : min = 1
Debug : max = 1
Debug : connecting = 2
Debug : uses = 0
Debug : lifetime = 0
Debug : idle_timeout = 0
Debug : open_delay = 0.2
Debug : close_delay = 10.0
Debug : manage_interval = 0.2
Debug : max_backlog = 1000
Debug : connection {
Debug : connect_timeout = 3.0
Debug : reconnect_delay = 1
Debug : }
Debug : request {
Debug : per_connection_max = 2000
Debug : per_connection_target = 1000
Debug : free_delay = 10.0
Debug : }
Debug : }
Debug : retry {
Debug : initial_rtx_time = 2
Debug : max_rtx_time = 16
Debug : max_rtx_count = 5
Debug : max_rtx_duration = 30
Debug : }
Debug : }
Debug : } # static
Debug : #### Bootstrapping rlm modules ####
Debug : Including dictionary file "/etc/opt/LU3Pfreeradius-server/dictionary"
Debug : #### Instantiating listeners ####
Debug : Compiling policies in server default { ... }
Debug : Compiling policies in - recv Access-Request {...}
Warn : radius { ... } section is unused
Debug : #### Instantiating process modules ####
Debug : Instantiating process_radius "default"
Debug : #### Instantiating protocol modules ####
Debug : Instantiating proto_radius "default.radius.udp"
Debug : Instantiating proto_radius_udp "default.radius.udp.udp"
Debug : #### Instantiating rlm modules ####
Debug : Instantiating rlm_tacacs "tacacs"
Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255"
Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127"
Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10"
Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp"
Debug : tacacs - [0] Starting initial connection
Debug : tacacs - [1] - Signalled to start from HALTED state
Debug : tacacs - [1] - Connection changed state HALTED -> INIT
Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT
Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING
Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING
Debug : Scheduler created in single-threaded mode
Debug : #### Opening listener interfaces ####
Debug : Listening on radius_udp server 169.254.195.0 port 1812 bound to virtual server default
Info : post-suid-down capabilities: =ep
Info : Ready to process requests
Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED
Debug : tacacs - [1] - Connection established
Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE
Debug : proto_radius_udp - Received Access-Request ID 71 length 98 radius_udp server 169.254.195.0 port 1812
ERROR : (0) ERROR: Packet from 169.254.128.0/17 (sig03-oam-b) did not contain Message-Authenticator:
ERROR : (0) ERROR: - Upgrade the client, as your network is vulnerable to the BlastRADIUS attack.
ERROR : (0) ERROR: - Then set 'require_message_authenticator = yes' in the client definition
Info : (0) First packet from 169.254.128.0/17 (sig03-oam-b) did not contain Proxy-State. Setting "limit_proxy_state = yes"
Debug : Worker - Resetting cleanup timer to +30
Debug : (0) default {
Debug : (0) Received Access-Request ID 71 from 169.254.131.1:40407 to 169.254.195.0:1812 via int0
Debug : (0) Module-Failure-Message = "- Then set 'require_message_authenticator = yes' in the client definition"
Debug : (0) Module-Failure-Message = "- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack."
Debug : (0) Module-Failure-Message = "Packet from 169.254.128.0/17 (sig03-oam-b) did not contain Message-Authenticator:"
Debug : (0) User-Name = "testuser1"
Debug : (0) NAS-Identifier = "LCP_CLI"
Debug : (0) Service-Type = Authenticate-Only
Debug : (0) Calling-Station-Id = "10.242.131.105"
Debug : (0) NAS-IP-Address = 169.254.65.1
Debug : (0) NAS-Port = 1345666
Debug : (0) NAS-Port-Type = Virtual
Debug : (0) User-Password = "testpass123"
Debug : (0) Net {
Debug : (0) Src {
Debug : (0) IP = 169.254.131.1
Debug : (0) Port = 40407
Debug : (0) }
Debug : (0) Dst {
Debug : (0) IP = 169.254.195.0
Debug : (0) Port = 1812
Debug : (0) }
Debug : (0) Timestamp = "2025-04-24T09:08:10Z"
Debug : (0) }
Debug : (0) Packet-Type = Access-Request
Debug : (0) Running 'recv Access-Request' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Debug : (0) recv Access-Request {
Debug : (0) tacacs - tacacs - [1] Trunk connection assigned request 1
Debug : (0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
ERROR : (0) tacacs - ERROR: Failed encoding packet: fr_tacacs_encode: Failed encoding Packet using fr_struct_to_network()
Debug : (0) tacacs - tacacs - Resuming execution
Debug : (0) tacacs (fail)
Debug : (0) } # recv Access-Request (fail)
Debug : (0) The 'recv Access-Request' section returned fail - rejecting the request
Debug : (0) default (ok)
Debug : (0) } # default (ok)
Debug : (0) Done request
Debug : (0) Sending Access-Reject ID 71 from 0.0.0.0/0:1812 to 169.254.131.1:40407 length 38 via socket radius_udp server 169.254.195.0 port 1812
Debug : (0) Packet-Type = Access-Reject
Debug : (0) Finished request
Debug : proto_radius_udp - cleaning up request in 5.000000s
Debug : TIMER - proto_radius_udp - cleanup delay
On Thu, Apr 24, 2025 at 2:34 PM bryan xiang <bryanxiang82 at gmail.com> wrote:
> I just saw your patch fix. I used your patch, loaded it and rebuilt again.
> This time there is no crash, and I can see logs like:
> Debug : Instantiating rlm_tacacs "tacacs"
> Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255"
> Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127"
> Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10"
> Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp"
> Debug : tacacs - [0] Starting initial connection
> Debug : tacacs - [1] - Signalled to start from HALTED state
> Debug : tacacs - [1] - Connection changed state HALTED -> INIT
> Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT
> Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING
> Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING
> Debug : Scheduler created in single-threaded mode
> Debug : #### Opening listener interfaces ####
> Info : post-suid-down capabilities: =ep
> Info : Ready to process requests
> Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED
> Debug : tacacs - [1] - Connection established
> Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE
>
>
> but I didn't see the FreeRADIUS server listening on port 1812.
> Before I used the tacacs module, my radiusd printed logs as below:
> Listening on auth address 10.76.xx.xx port 1812
> Listening on auth address 169.254.195.0 port 1812
> Listening on auth address 127.0.0.1 port 1812
> Listening on auth address ::1 port 1812
> Listening on command file /var/opt/run/radiusd.sock
> but with the tacacs module there is no such log, so my login to the shell failed because
> the request was not sent to radiusd port 1812.
>
> My request flow is:
> log in to the shell on a server running FreeRADIUS with the rlm_tacacs
> module; the username/password is sent to FreeRADIUS via port 1812, and
> radiusd sends the request to the remote TACACS+ server configured in the tacacs
> module, in my example 10.76.x.x with port 49.
> From the log it seems the virtual server can connect to the remote TACACS+ server on
> port 49, but can't receive the auth request on port 1812. What is the problem
> here?
> thanks,
> Bryan
>
> On Thu, Apr 24, 2025 at 9:46 AM bryan xiang <bryanxiang82 at gmail.com>
> wrote:
>
>> Thank you Alan for the quick response; glad to know you can reproduce it
>> locally.
>> When will the master branch include your code?
>> After you fixed it, could you see the log below locally?
>> Listening on auth address xx.xx.xx.xx port 1812
>> Listening on auth address 169.254.195.0 port 1812
>> Listening on auth address 127.0.0.1 port 1812
>> Listening on auth address ::1 port 1812
>> Listening on command file /var/opt/run/radiusd.sock
>> Ready to process requests
>>
>> thanks,
>> Bryan
>>
>> On Wed, Apr 23, 2025 at 11:47 PM Alan DeKok <aland at deployingradius.com>
>> wrote:
>>
>>> On Apr 23, 2025, at 10:34 AM, bryan xiang <bryanxiang82 at gmail.com>
>>> wrote:
>>> > I use the latest FreeRADIUS 4.0 from GitHub and I only use the rlm_tacacs
>>> > module built into FreeRADIUS
>>>
>>> I don't think that module is included in the testing framework. It
>>> hasn't really seen any code changes in a while.
>>>
>>> > When I try to start the radiusd daemon with -X, I encounter one segV error,
>>> > and the start option with -XC has no problem with the configuration
>>> > ...
>>> > Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp"
>>> > CAUGHT SIGNAL: Segmentation fault
>>> > Backtrace of last 11 frames:
>>> > /opt/LU3P/lib64/libfreeradius-util.so(+0x32fc9)[0x7f2d3e4e3fc9]
>>> > /opt/LU3P/lib64/libfreeradius-util.so(fr_fault+0x75)[0x7f2d3e4e4465]
>>> > /lib64/libpthread.so.0(+0x12d10)[0x7f2d3c454d10]
>>> > /opt/LU3P/lib64/rlm_tacacs_tcp.so(+0x266f)[0x7f2d339f266f]
>>> > /opt/LU3P/lib64/libfreeradius-server.so(module_thread_instantiate+0xda)[0x7f2d3dff1e3a]
>>> > /opt/LU3P/lib64/libfreeradius-server.so(modules_thread_instantiate+0x65)[0x7f2d3dff2045]
>>> > /opt/LU3P/sbin/radiusd[0x4056d1]
>>> > /opt/LU3P/lib64/libfreeradius-io.so(fr_schedule_create+0x126)[0x7f2d3dae4d16]
>>> > /opt/LU3P/sbin/radiusd(main+0xdff)[0x404bcf]
>>> > /lib64/libc.so.6(__libc_start_main+0xe5)[0x7f2d3bd5a7e5]
>>> > /opt/LU3P/sbin/radiusd(_start+0x2e)[0x40533e]
>>> > No panic action set
>>>
>>> Oops. :( When I try it locally, I see it crash, too.
>>>
>>> I've pushed a patch which makes it not crash. But I haven't tested
>>> the actual TACACS+ functionality.
>>>
>>> Alan DeKok.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
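Aside from the TACACS+ encoding failure, the debug output above reports a RADIUS-side problem that is worth understanding on its own: the Access-Request from 169.254.131.1 carried no Message-Authenticator, and the server points at the BlastRADIUS attack and at setting 'require_message_authenticator = yes' in the client definition. The following is an added example written for this page; it is not code from the thread, from FreeRADIUS or from rlm_tacacs. It builds an Access-Request with the attributes visible in the log (User-Name, User-Password obfuscated per RFC 2865 section 5.2) plus the RFC 2869 section 5.14 Message-Authenticator (HMAC-MD5 keyed with the shared secret over the whole packet with that attribute's 16-byte value zeroed), and implements the three outcomes a server distinguishes: valid, wrong, and absent. The shared secret, Request Authenticator and identifier are constructed values; the attribute numbers and HMAC construction are the RFC ones.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants from RFC 2865 / RFC 2869.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    if len(padded) > 128:
        raise ValueError("password too long")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decrypt_user_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_user_password: what the server does before checking it."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def parse_attributes(pkt):
    """Return [(type, header_offset, value)], rejecting lengths that overrun the packet."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad packet length")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, pos, bytes(pkt[pos + 2:pos + attr_len])))
        pos += attr_len
    return attrs


def _ma_value_offset(pkt):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    for attr_type, pos, value in parse_attributes(pkt):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            return pos + 2
    return None


def _hmac_over_zeroed(pkt, secret, off):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the MA value replaced by zeros."""
    zeroed = bytes(pkt[:off]) + b"\x00" * 16 + bytes(pkt[off + 16:])
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(identifier, secret, username, password,
                         authenticator=None, with_message_authenticator=True):
    """Build an Access-Request. with_message_authenticator=False produces the
    kind of packet the server in the log flags as a BlastRADIUS risk."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, authenticator))
    if with_message_authenticator:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs
    if with_message_authenticator:
        off = _ma_value_offset(pkt)
        pkt = pkt[:off] + _hmac_over_zeroed(pkt, secret, off) + pkt[off + 16:]
    return pkt


def verify_message_authenticator(pkt, secret):
    """True if present and valid, False if present but wrong, None if absent.
    With require_message_authenticator = yes a server must reject the None case."""
    off = _ma_value_offset(pkt)
    if off is None:
        return None
    return hmac.compare_digest(_hmac_over_zeroed(pkt, secret, off), bytes(pkt[off:off + 16]))


if __name__ == "__main__":
    secret = b"testkey123"  # constructed for the example
    good = build_access_request(71, secret, b"testuser1", b"testpass123")
    bare = build_access_request(71, secret, b"testuser1", b"testpass123", with_message_authenticator=False)
    print(verify_message_authenticator(good, secret), verify_message_authenticator(bare, secret))
```

The absent case is the one in the log: with require_message_authenticator = no the server only warns and goes on to run 'recv Access-Request', which is why the request still reached the tacacs module. The check also relies on the shared secret, so the client range 169.254.128.0/17 with a single secret means any host in that /17 can produce a valid Message-Authenticator; narrowing the client definition is a separate hardening step from enabling the check.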