Start FreeRadius 4.0 with rlm_tacacs failed due to segV error

bryan xiang bryanxiang82 at gmail.com
Sat Apr 26 15:23:10 UTC 2025


Hi Alan,

If I hardcode it at the end of the Access-Request, it passes, but how can
I add a condition to check whether tacacs returns ok or not and then set the
Auth-Type?

        recv Access-Request {
             subrequest @tacacs::Authentication-Start {
                User-Name := parent.request.User-Name
                #User-Password := parent.request.User-Password
                Data := parent.request.User-Password
                Packet.Version-Major := 0xC   # or "Plus" if using VALUE mapping
                Packet.Version-Minor := 0x1
                Packet.Packet-Type := "Authentication"
                Packet.Sequence-Number := 1
                Packet.Flags := "None"
                Packet.Session-Id := parent.request.Acct-Session-Id
                Packet.Length := 0
                Authentication-Type := "PAP"
                Action := "Login"
                Authentication-Service := "Login"
                tacacs
             }
             control.Auth-Type := "Accept"   # hardcoded
        }

On Fri, Apr 25, 2025 at 10:31 PM bryan xiang <bryanxiang82 at gmail.com> wrote:

> Yes Alan, I tried to do this, but it seems that when the subrequest module
> returned, the caller (radius) did not see the Auth-Type either.
>
> Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state
> Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED
> Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED
> Info  : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED
> Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
> Debug : tacacs - [1] - Delaying reconnection by 1s
> Debug : (0.0)        tacacs - tacacs - Resuming execution
> Debug : (0.0)        tacacs (ok)
> Debug : (0)        subrequest @tacacs::Authentication-Start - Resuming execution
> Debug : (0)      } # subrequest @tacacs::Authentication-Start (ok)
> Debug : (0)      *Auth-Type := Accept*
> Debug : (0)    } # recv Access-Request (ok)
> *Debug : (0)    No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request*
> Debug : (0)    default (ok)
> Debug : (0)  } # default (ok)
> Debug : (0)  Done request
> Debug : (0)  Sending Access-Reject ID 83 from 0.0.0.0/0:1812 to 169.254.131.1:54808 length 38 via socket radius_udp server 169.254.195.0 port 1812
>
> On Fri, Apr 25, 2025 at 6:09 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Apr 25, 2025, at 5:18 AM, bryan xiang <bryanxiang82 at gmail.com> wrote:
>> > I have made some good progress, but it still fails in the last step. It seems the
>> > TACACS server already sent a pass to FreeRadius, but FreeRadius reports an error
>> > and rejects the request:
>> > ...
>> > Debug : (0.0)        tacacs - Received Authentication-Pass ID 2 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
>> > ...
>> > Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
>>
>>   I suspect that the other end just closed the connection after one
>> packet.  This is actually normal for TACACS+.
>>
>> > ...
>> > Debug : (0)    } # recv Access-Request (ok)
>> > Debug : (0)    No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request
>>
>>   So... configure FreeRADIUS to authenticate the user?  i.e. if the
>> TACACS+ module returns "ok", set Auth-Type = Accept.
>>
>>   Alan DeKok.
>>
>
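
Added example, not part of the original thread and not FreeRADIUS code: the check being asked about, shown at the protocol level in Python. It parses a TACACS+ Authentication REPLY (RFC 8907 layout) and maps only an explicit PASS status to an accept decision instead of accepting unconditionally. The function names, shared key and session id are assumptions made up for this example.

```python
import hashlib
import struct

# Authentication REPLY status codes (RFC 8907); only PASS may lead to Accept.
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
TYPE_AUTHEN = 0x01        # header "type" for authentication packets
FLAG_UNENCRYPTED = 0x01   # header flag: body is sent in the clear

def pad(session_id, key, version, seq_no, length):
    """Pseudo-pad: chained MD5 over session id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, block = b"", b""
    while len(out) < length:
        block = hashlib.md5(seed + block).digest()
        out += block
    return out[:length]

def build_reply(session_id, key, status, seq_no=2, version=0xC1):
    """Constructed sample REPLY standing in for the server (test data only)."""
    body = struct.pack("!BBHH", status, 0, 0, 0)  # no server_msg, no data
    mask = pad(session_id, key, version, seq_no, len(body))
    body = bytes(a ^ b for a, b in zip(body, mask))
    hdr = struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + body

def authen_status(packet, key, expect_session):
    """Return the REPLY status name; raise ValueError on anything malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", packet[:12])
    if version >> 4 != 0xC or ptype != TYPE_AUTHEN:
        raise ValueError("not a TACACS+ authentication packet")
    if seq_no % 2 or sid != expect_session:   # server replies use even seq_no
        raise ValueError("reply does not belong to our session")
    body = packet[12:]
    if length != len(body) or length < 6:
        raise ValueError("bad length")
    if not flags & FLAG_UNENCRYPTED:
        mask = pad(sid, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, mask))
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != length:      # typical result of a wrong key
        raise ValueError("inconsistent length fields")
    return STATUS.get(status, "UNKNOWN")

def accept(packet, key, expect_session):
    """Fail closed: FAIL, ERROR, unknown status or a parse error all reject."""
    try:
        return authen_status(packet, key, expect_session) == "PASS"
    except ValueError:
        return False
```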

