Start FreeRadius 4.0 with rlm_tacacs failed due to segV error
bryan xiang
bryanxiang82 at gmail.com
Fri Apr 25 09:18:16 UTC 2025
Hi Alan,
I have made some good progress, but it still fails in the last step. It seems the TACACS
server already sends Pass to FreeRADIUS, but FreeRADIUS reports one error and
rejects the request:
Debug : (0) Packet-Type = Access-Request
Debug : (0) Running 'recv Access-Request' from file
/etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Debug : (0) recv Access-Request {
Debug : (0) subrequest @tacacs::Authentication-Start {
Debug : (0.0) User-Name := "testuser1"
Debug : (0.0) Data := "testpass123"
Debug : (0.0) Packet.Version-Major := 12
Debug : (0.0) Packet.Version-Minor := 1
Debug : (0.0) Packet.Packet-Type := Authentication
Debug : (0.0) Packet.Sequence-Number := 1
Debug : (0.0) Packet.Flags := None
Debug : (0.0) Packet.Length := 0
Debug : (0.0) Authentication-Type := PAP
Debug : (0.0) Action := LOGIN
Debug : (0.0) Authentication-Service := LOGIN
Debug : (0.0) tacacs - tacacs - [1] Trunk connection assigned request 1
Debug : (0.0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (0.0) tacacs - Packet-Type = Authentication-Start
Debug : (0.0) tacacs - User-Name = "testuser1"
Debug : (0.0) tacacs - Data = 0x7465737470617373313233
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 1
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 1
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 2032895623
Debug : (0.0) tacacs - Length = 0
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Authentication-Type = PAP
Debug : (0.0) tacacs - Action = LOGIN
Debug : (0.0) tacacs - Authentication-Service = LOGIN
Debug : (0.0) tacacs - Received Authentication-Pass ID 2 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 1
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 2
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 2032895623
Debug : (0.0) tacacs - Length = 6
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Packet-Body-Type = Reply
Debug : (0.0) tacacs - Authentication-Status = Pass
Debug : (0.0) tacacs - Authentication-Flags = 0
Debug : (0.0) tacacs - Server-Message = ""
Debug : (0.0) tacacs - Data = 0x
Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state
Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED
Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED
Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED
Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : tacacs - [1] - Delaying reconnection by 1s
Debug : (0.0) tacacs - tacacs - Resuming execution
Debug : (0.0) tacacs (ok)
Debug : (0) subrequest @tacacs::Authentication-Start - Resuming execution
Debug : (0) } # subrequest @tacacs::Authentication-Start (ok)
Debug : (0) } # recv Access-Request (ok)
Debug : (0) No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request
Debug : (0) default (ok)
Debug : (0) } # default (ok)
Debug : (0) Done request
Debug : (0) Sending Access-Reject ID 83 from 0.0.0.0/0:1812 to 169.254.131.1:54808 length 38 via socket radius_udp server 169.254.195.0 port 1812
Debug : (0) Packet-Type = Access-Reject
Debug : (0) Finished request
virtual server config:
#
# Does nothing other than send packets. It doesn't listen on any input sockets.
#
server default {
    namespace = radius
    listen {
        type = Access-Request
        type = Status-Server
        transport = udp
        udp {
            ipaddr = 169.254.195.0
            port = 1812
        }
    }
    recv Access-Request {
        subrequest @tacacs::Authentication-Start {
            User-Name := parent.request.User-Name
            #User-Password := parent.request.User-Password
            Data := parent.request.User-Password
            Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping
            Packet.Version-Minor := 0x1
            Packet.Packet-Type := "Authentication"
            Packet.Sequence-Number := 1
            Packet.Flags := "None"
            Packet.Session-Id := parent.request.Acct-Session-Id
            Packet.Length := 0
            Authentication-Type := "PAP"
            Action := "Login"
            Authentication-Service := "Login"
            tacacs
        }
    }
}
It seems RADIUS can't identify whether the TACACS auth succeeded or not, or some
other config is needed, such as
&control.Auth-Type := &Authentication-Type
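An added example (not code from this thread or from FreeRADIUS): a small Python encoder/decoder for the TACACS+ Authentication REPLY shown in the debug output, following the RFC 8907 packet layout and body obfuscation. The version 0xC, sequence numbers, session IDs, body lengths (6 and 49), the Error server message and the secret testkey123 are the values visible in this thread; the sample packets themselves are constructed here, and the length check at the end of the decoder is how a wrong shared secret shows up on the receiving side.

```python
import hashlib
import struct
# TACACS+ (RFC 8907) field values as they appear in the FreeRADIUS debug output above.
MAJOR_VER = 0xC          # "Plus" in the FreeRADIUS dictionary (Packet.Version-Major := 0xC)
TYPE_AUTHEN = 1          # Packet.Packet-Type = Authentication
UNENCRYPTED_FLAG = 0x01  # set only when the body is sent in the clear
STATUS = {1: "Pass", 2: "Fail", 3: "GetData", 4: "GetUser", 5: "GetPass", 6: "Restart", 7: "Error"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
REPLY = struct.Struct("!BBHH")     # status, flags, server_msg_len, data_len

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id, shared secret, version and seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):  # XOR with the pad; same call reverses it
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def build_authen_reply(session_id, seq_no, status, key, server_msg=b"", data=b"", minor=1):
    """Construct an Authentication REPLY the way a TACACS+ server sends it (body obfuscated)."""
    version = (MAJOR_VER << 4) | minor
    body = REPLY.pack(status, 0, len(server_msg), len(data)) + server_msg + data
    body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + body

def decode_authen_reply(packet, key):
    """Parse header and REPLY body. Raises ValueError on truncation or a length mismatch,
    which is also the symptom of a wrong shared secret because the pad is keyed on it."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TYPE_AUTHEN:
        raise ValueError("not an Authentication packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _aflags, msg_len, data_len = REPLY.unpack_from(body)
    if REPLY.size + msg_len + data_len != length:
        raise ValueError("body length mismatch: truncated or wrong shared secret")
    msg_end = REPLY.size + msg_len
    return {"version_major": version >> 4, "version_minor": version & 0xF, "seq_no": seq_no,
            "session_id": session_id, "length": length, "status": STATUS.get(status, status),
            "server_msg": body[REPLY.size:msg_end].decode(), "data": body[msg_end:msg_end + data_len]}

KEY = b"testkey123"  # secret from the thread's module config; the two packets below are constructed
PASS_REPLY = build_authen_reply(2032895623, 2, 1, KEY)  # 18 bytes on the wire, body length 6
ERROR_REPLY = build_authen_reply(3666625090, 2, 7, KEY, b"10.76.89.51 : Invalid AUTHEN/START action=0", minor=0)
```

Decoding PASS_REPLY with a different key does not yield a clean "Fail"; the pad no longer lines up and the length check rejects the body, which is the usual first sign of a shared-secret mismatch between the proxy and the TACACS+ server.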
On Fri, Apr 25, 2025 at 10:50 AM bryan xiang <bryanxiang82 at gmail.com> wrote:
> It seems I got the reply error:
>
> Debug : (0.0) tacacs - Packet {
> Debug : (0.0) tacacs - Version-Major = Plus
> Debug : (0.0) tacacs - Version-Minor = 0
> Debug : (0.0) tacacs - Packet-Type = Authentication
> Debug : (0.0) tacacs - Sequence-Number = 2
> Debug : (0.0) tacacs - Flags = None
> Debug : (0.0) tacacs - Session-Id = 3666625090
> Debug : (0.0) tacacs - Length = 49
> Debug : (0.0) tacacs - }
> Debug : (0.0) tacacs - Packet-Body-Type = Reply
> Debug : (0.0) tacacs - Authentication-Status = Error
> Debug : (0.0) tacacs - Authentication-Flags = 0
> Debug : (0.0) tacacs - Server-Message = "10.76.89.51 : Invalid AUTHEN/START action=0"
> Debug : (0.0) tacacs - Data = 0x
> Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
>
> In the virtual server config, after the subrequest, this calls the tacacs
> module; the /module/tacacs config looks like:
>
> # cat /etc/opt/LU3Pfreeradius-server/modules/tacacs
> # modules {
> tacacs {
>     transport = tcp
>     type = Authentication-Start
>     type = Authentication-Continue
>     type = Authorization-Request
>     type = Accounting-Request
>
>     tcp {
>         ipaddr = 10.76.89.50
>         port = 49
>         secret = testkey123
>     }
>
>     pool {
>         start = 1
>         min = 1
>         max = 1
>     }
> }
> # }
>
> On Fri, Apr 25, 2025 at 10:36 AM bryan xiang <bryanxiang82 at gmail.com>
> wrote:
>
>> I updated my virtual server config as below, but it seems the request send-out
>> fails.
>>
>> server default {
>>     namespace = radius
>>
>>     listen {
>>         type = Access-Request
>>         type = Status-Server
>>         transport = udp
>>         udp {
>>             ipaddr = 169.254.195.0
>>             port = 1812
>>         }
>>     }
>>
>>     recv Access-Request {
>>         subrequest @tacacs::Authentication-Start {
>>             User-Name := parent.request.User-Name
>>             User-Password := parent.request.User-Password
>>             Packet.Version-Major := 0xC
>>             Packet.Version-Minor := 0x0
>>             Packet.Packet-Type := "Authentication"
>>             Packet.Sequence-Number := 1
>>             Packet.Flags := "None"
>>             Packet.Session-Id := 12345678
>>             Packet.Length := 0
>>
>>             tacacs
>>         }
>>     }
>> }
>>
>> Debug : (0.0) tacacs - Sending Authentication-Start ID 31 length 29 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
>> Debug : (0.0) tacacs - Packet-Type = Authentication-Start
>> Debug : (0.0) tacacs - User-Name = "testuser1"
>> Debug : (0.0) tacacs - User-Password = "testpass123"
>> Debug : (0.0) tacacs - Packet {
>> Debug : (0.0) tacacs - Version-Major = Plus
>> Debug : (0.0) tacacs - Version-Minor = 0
>> Debug : (0.0) tacacs - Packet-Type = Authentication
>> Debug : (0.0) tacacs - Sequence-Number = 1
>> Debug : (0.0) tacacs - Flags = None
>> Debug : (0.0) tacacs - Session-Id = 12345678
>> Debug : (0.0) tacacs - Length = 0
>> Debug : (0.0) tacacs - }
>> ERROR : (0) ERROR: Request has reached max_request_time - signalling it to stop
>> Debug : (0) Done request
>>
>> On Fri, Apr 25, 2025 at 9:24 AM bryan xiang <bryanxiang82 at gmail.com>
>> wrote:
>>
>>> Yes, I am doing the thing you suggested; I need to check how the Packet
>>> structure goes to the network.
>>> I can't assign the Packet-Type; even if I use "Authentication" and 1, it will
>>> init the packet-type to 0.
>>> Any guideline about how to assign a value for the Struct type defined in the
>>> dictionary?
>>>
>>> recv Access-Request {
>>>     subrequest @tacacs::Authentication-Start {
>>>         User-Name := parent.request.User-Name
>>>         User-Password := parent.request.User-Password
>>>         Packet.Packet-Type := 1
>>>         tacacs
>>>     }
>>> }
>>>
>>> On Fri, Apr 25, 2025 at 8:32 AM Alan DeKok <aland at deployingradius.com>
>>> wrote:
>>>
>>>> On Apr 24, 2025, at 11:32 AM, bryan xiang <bryanxiang82 at gmail.com>
>>>> wrote:
>>>> >
>>>> > Thank you Alan for the explanation.
>>>> > That makes sense, to provide the attributes to TACACS+ when changing
>>>> > protocol from RADIUS to TACACS+.
>>>> > So besides the username/password, I need the attributes below, right?
>>>>
>>>> Yes... those are the attributes included with the server, in the
>>>> TACACS dictionary files. I'm aware of them.
>>>>
>>>> > I can't assign the Packet-Type; even if I use "Authentication" and 1, it
>>>> > will init the packet-type to 0.
>>>> > For the namespace issue, I first set the namespace to tacacs in the
>>>> > virtual server, but it seems it can't receive RADIUS requests on port 1812,
>>>> > so I changed the namespace from tacacs to radius, and then FreeRADIUS began
>>>> > to listen on port 1812.
>>>> > Do you mean that in modules/tacacs I still need to specify the namespace
>>>> > as tacacs?
>>>>
>>>> What I said was to use the following configuration:
>>>>
>>>> >> recv Access-Request {
>>>> >>     subrequest @tacacs::Authentication-Start {
>>>> >>         User-Name := parent.request.User-Name
>>>> >>         User-Password := parent.request.User-Password
>>>> >>         ... fill in other attributes here, from dictionary/tacacs/*
>>>> >>
>>>> >>         tacacs
>>>> >>
>>>> >>     }
>>>> >> }
>>>> >>
>>>> >>
>>>> >> You will have to edit this and double-check it, but the basic concepts
>>>> >> are there.
>>>>
>>>> Instead of doing that, you're doing something else. Why?
>>>>
>>>> Alan DeKok.
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>