Start FreeRadius 4.0 with rlm_tacacs failed due to segV error
bryan xiang
bryanxiang82 at gmail.com
Fri Apr 25 02:50:40 UTC 2025
Seems I got the reply error:
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 0
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 2
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 3666625090
Debug : (0.0) tacacs - Length = 49
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Packet-Body-Type = Reply
Debug : (0.0) tacacs - Authentication-Status = Error
Debug : (0.0) tacacs - Authentication-Flags = 0
Debug : (0.0) * tacacs - Server-Message = "10.76.89.51 : Invalid AUTHEN/START action=0"*
Debug : (0.0) tacacs - Data = 0x
Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
In the virtual server config, after the subrequest, this will call the tacacs module.
The /module/tacacs config looks like:
# cat /etc/opt/LU3Pfreeradius-server/modules/tacacs
# modules {
tacacs {
    transport = tcp
    type = Authentication-Start
    type = Authentication-Continue
    type = Authorization-Request
    type = Accounting-Request
    tcp {
        ipaddr = 10.76.89.50
        port = 49
        secret = testkey123
    }
    pool {
        start = 1
        min = 1
        max = 1
    }
}
# }
On Fri, Apr 25, 2025 at 10:36 AM bryan xiang <bryanxiang82 at gmail.com> wrote:
> I updated my virtual server config as below, but it seems the request
> send-out fails
>
> server default {
>     namespace = radius
>
>     listen {
>         type = Access-Request
>         type = Status-Server
>         transport = udp
>         udp {
>             ipaddr = 169.254.195.0
>             port = 1812
>         }
>     }
>
>     recv Access-Request {
>         subrequest @tacacs::Authentication-Start {
>             User-Name := parent.request.User-Name
>             User-Password := parent.request.User-Password
>             Packet.Version-Major := 0xC
>             Packet.Version-Minor := 0x0
>             Packet.Packet-Type := "Authentication"
>             Packet.Sequence-Number := 1
>             Packet.Flags := "None"
>             Packet.Session-Id := 12345678
>             Packet.Length := 0
>
>             tacacs
>         }
>
>     }
>
>
> }
>
> Debug : (0.0) tacacs - Sending Authentication-Start ID 31 length 29 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
> Debug : (0.0) tacacs - Packet-Type = Authentication-Start
> Debug : (0.0) tacacs - User-Name = "testuser1"
> Debug : (0.0) tacacs - User-Password = "testpass123"
> Debug : (0.0) tacacs - Packet {
> Debug : (0.0) tacacs - Version-Major = Plus
> Debug : (0.0) tacacs - Version-Minor = 0
> Debug : (0.0) tacacs - Packet-Type = Authentication
> Debug : (0.0) tacacs - Sequence-Number = 1
> Debug : (0.0) tacacs - Flags = None
> Debug : (0.0) tacacs - Session-Id = 12345678
> Debug : (0.0) tacacs - Length = 0
> Debug : (0.0) tacacs - }
> ERROR : (0) ERROR: Request has reached max_request_time - signalling it to stop
> Debug : (0) Done request
>
> On Fri, Apr 25, 2025 at 9:24 AM bryan xiang <bryanxiang82 at gmail.com>
> wrote:
>
>> Yes, I am doing the thing you suggested, I need to check how the Packet
>> structure to Networks
>> I can't assign the Packet-Type, even I use "Authentication" and 1, it will
>> init the packet-type to 0
>> Any guideline about how to assign value for the Struct type defined in
>> dictionary?
>>
>> recv Access-Request {
>>     subrequest @tacacs::Authentication-Start {
>>         User-Name := parent.request.User-Name
>>         User-Password := parent.request.User-Password
>>         *Packet.Packet-Type := 1*
>>         tacacs
>>     }
>>
>> }
>>
>> On Fri, Apr 25, 2025 at 8:32 AM Alan DeKok <aland at deployingradius.com>
>> wrote:
>>
>>> On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82 at gmail.com>
>>> wrote:
>>> >
>>> > Thank you Alan for the explanation
>>> > that make sense to provide the attributes to TACACS+ when change protocol
>>> > from Radius to TACACS+
>>> > so beside the username/password, I need below attribute right?
>>>
>>> Yes... those are the attributes included with the server, in the
>>> TACACS dictionary files. I'm aware of them.
>>>
>>> > I can't assign the Packet-Type, even I use "Authentication" and 1, it will
>>> > init the packet-type to 0
>>> > for the namespace issue, I firstly type namespace as tacacs in the virtual
>>> > server, but seems it can't receive Radius request from port 1812, so I
>>> > changed namespace from tacacs to radius, then the FreeRadius begin to
>>> > listen the port 1812
>>> > do you mean in the modules/tacacs, I still need to specify the namespace as
>>> > tacacs?
>>>
>>> What I said was to use the following configuration:
>>>
>>> >> recv Access-Request {
>>> >>     subrequest @tacacs::Authentication-Start {
>>> >>         User-Name := parent.request.User-Name
>>> >>         User-Password := parent.request.User-Password
>>> >>         ... fill in other attributes here, from dictionary/tacacs/*
>>> >>
>>> >>         tacacs
>>> >>
>>> >>     }
>>> >>
>>> >>
>>> >> You will have to edit this and double-check it, but the basic concepts
>>> >> are there.
>>>
>>> Instead of doing that, you're doing something else. Why?
>>>
>>> Alan DeKok.
>>>
>>>
>>
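The rejected request, reproduced at the wire level as an added example (not code from the thread or from FreeRADIUS): a Python sketch of the RFC 8907 Authentication START encoding and the action check that yields "Invalid AUTHEN/START action=0". The function names are hypothetical; the user name, Session-Id and secret are the values shown in the thread, used as constructed sample input. A START carrying only the 9-byte user name, with every other body field left at zero, is 29 bytes, which is consistent with the "length 29" in the log.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01      # header "type" value for authentication
UNENCRYPTED_FLAG = 0x01     # header flag: body sent without obfuscation
ACTIONS = {0x01: "LOGIN", 0x02: "CHPASS", 0x04: "SENDAUTH"}  # RFC 8907 START actions

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the RFC 8907 MD5 pseudo-pad (the same call reverses it)."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

def build_start(session_id, key, user, action, authen_type=0, service=0,
                priv_lvl=0, port=b"", rem_addr=b"", data=b""):
    """Encode an Authentication START packet (version 0xC0, seq_no 1)."""
    body = bytes([action, priv_lvl, authen_type, service,
                  len(user), len(port), len(rem_addr), len(data)])
    body += user + port + rem_addr + data
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, 0xC0, 1)

def check_start(packet, key):
    """Validate a START as a server would; return the action name or an error."""
    if len(packet) < 12:
        return "short packet"
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:]
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1 or length != len(body):
        return "bad header"
    if not flags & UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8 or 8 + sum(body[4:8]) != len(body):
        return "bad body length (wrong secret?)"
    if body[0] not in ACTIONS:
        return f"Invalid AUTHEN/START action={body[0]}"
    return ACTIONS[body[0]]

if __name__ == "__main__":
    # Constructed sample: only User-Name set, action left at 0 as in the failing request.
    bare = build_start(12345678, b"testkey123", b"testuser1", action=0)
    print(len(bare), check_start(bare, b"testkey123"))
    login = build_start(12345678, b"testkey123", b"testuser1", action=0x01)
    print(check_start(login, b"testkey123"))
```

The header Length field counts only the body, which matches the reply in the log: 6 fixed reply bytes plus the 43-character Server-Message gives Length = 49.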