Start FreeRadius 4.0 with rlm_tacacs failed due to segV error
bryan xiang
bryanxiang82 at gmail.com
Thu Apr 24 15:32:08 UTC 2025
Thank you, Alan, for the explanation.

That makes sense: the attributes have to be provided to TACACS+ when changing
protocol from RADIUS to TACACS+.

So besides the username/password, I need the attributes below, right?

DEFINE Packet struct
MEMBER Version-Major bit[4]
VALUE Version-Major Plus 12
MEMBER Version-Minor bit[4]
MEMBER Packet-Type uint8
VALUE Packet-Type Authentication 1
VALUE Packet-Type Authorization 2
VALUE Packet-Type Accounting 3
MEMBER Sequence-Number uint8
MEMBER Flags uint8
VALUE Flags None 0
VALUE Flags Unencrypted 1
VALUE Flags Single-Connect 4
VALUE Flags Unencrypted-Single-Connect 5
MEMBER Session-Id uint32
MEMBER Length uint32

I can't assign the Packet-Type; even when I use "Authentication" and 1, it
will init the packet-type to 0.

For the namespace issue, I first set the namespace to tacacs in the virtual
server, but it seems it can't receive RADIUS requests on port 1812, so I
changed the namespace from tacacs to radius, and then FreeRADIUS began to
listen on port 1812.

Do you mean that in modules/tacacs, I still need to specify the namespace as
tacacs?

On Thu, Apr 24, 2025 at 6:51 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 24, 2025, at 5:12 AM, bryan xiang <bryanxiang82 at gmail.com> wrote:
> >
> > I changed some virtual server side config and tried to logon with
> > testuser1/testpass123, the error from tacacs is an encoding error.
>
> Two things. First, you have to say what attributes are going into the
> TACACS+ packet. The server can't just invent things.
>
> Second, the rlm_tacacs module can only be run within a 'tacacs'
> namespace. This is one of the major differences between v3 and v4.
>
> If you want to receive a RADIUS Access-Request and then send a TACACS+
> packet, you will have to change namespaces. See
> https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/unlang/subrequest.html
>
>
> recv Access-Request {
>     subrequest @tacacs::Authentication-Start {
>         User-Name := parent.request.User-Name
>         User-Password := parent.request.User-Password
>         # ... fill in other attributes here, from dictionary/tacacs/*
>
>         tacacs
>     }
> }
>
>
> You will have to edit this and double-check it, but the basic concepts
> are there.
>
> Alan DeKok.
>
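
The Packet struct quoted in this message maps onto the 12-byte TACACS+ header. The following is an added example, not code from the thread or from FreeRADIUS: it packs and validates that header with the field values listed above and shows that a Packet-Type of 0 is outside the defined set. The function names are hypothetical, and it does not model how the FreeRADIUS encoder behaves.

```python
import struct

# Values copied from the Packet struct quoted in the message above.
MAJOR_PLUS = 12
PACKET_TYPES = {1: "Authentication", 2: "Authorization", 3: "Accounting"}
FLAG_UNENCRYPTED = 1
FLAG_SINGLE_CONNECT = 4
# version byte, type, sequence, flags, session id, body length (network order)
HEADER = struct.Struct("!BBBBII")


def encode_header(packet_type, seq, flags, session_id, length, minor=0):
    """Pack the header; refuse a Packet-Type or flag the struct does not define."""
    if packet_type not in PACKET_TYPES:
        raise ValueError(f"Packet-Type {packet_type} is not defined")
    if flags & ~(FLAG_UNENCRYPTED | FLAG_SINGLE_CONNECT):
        raise ValueError(f"unknown flag bits in {flags:#04x}")
    if not 0 <= minor <= 15:
        raise ValueError("Version-Minor must fit in 4 bits")
    version = (MAJOR_PLUS << 4) | minor  # two bit[4] members share one byte
    return HEADER.pack(version, packet_type, seq, flags, session_id, length)


def decode_header(data):
    """Unpack and validate a header, returning the dictionary's member names."""
    if len(data) < HEADER.size:
        raise ValueError("header is shorter than 12 bytes")
    version, ptype, seq, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != MAJOR_PLUS:
        raise ValueError(f"Version-Major {version >> 4} is not Plus (12)")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"Packet-Type {ptype} is not defined")
    return {
        "Version-Major": version >> 4,
        "Version-Minor": version & 0x0F,
        "Packet-Type": PACKET_TYPES[ptype],
        "Sequence-Number": seq,
        "Unencrypted": bool(flags & FLAG_UNENCRYPTED),
        "Single-Connect": bool(flags & FLAG_SINGLE_CONNECT),
        "Session-Id": session_id,
        "Length": length,
    }


if __name__ == "__main__":
    # Constructed sample: first Authentication packet, no flags, 32-byte body.
    raw = encode_header(1, 1, 0, 0x1234ABCD, 32)
    print(raw.hex(), decode_header(raw))
```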