Start FreeRadius 4.0 with rlm_tacacs failed due to segV error

bryan xiang bryanxiang82 at gmail.com
Sun Apr 27 15:21:49 UTC 2025


Whether the auth succeeds or fails, it seems the tacacs module always reports
ok, so back on the caller side, it seems radius can't decide whether the auth failed or not.
Debug : (1.0)          tacacs - }
Debug : (1.0)          tacacs - Authentication-Type = PAP
Debug : (1.0)          tacacs - Action = LOGIN
Debug : (1.0)          tacacs - Authentication-Service = LOGIN
Debug : (1.0)        *tacacs - Received Authentication-Fail *ID 3 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (1.0)          tacacs - Packet {
Debug : (1.0)            tacacs - Version-Major = Plus
Debug : (1.0)            tacacs - Version-Minor = 1
Debug : (1.0)            tacacs - Packet-Type = Authentication
Debug : (1.0)            tacacs - Sequence-Number = 2
Debug : (1.0)            tacacs - Flags = None
Debug : (1.0)            tacacs - Session-Id = 401966282
Debug : (1.0)            tacacs - Length = 6
Debug : (1.0)          tacacs - }
Debug : (1.0)          tacacs - Packet-Body-Type = Reply
Debug : (1.0)          tacacs - *Authentication-Status = Fail*
Debug : (1.0)          tacacs - Authentication-Flags = 0
Debug : (1.0)          tacacs - Server-Message = ""
Debug : (1.0)          tacacs - Data = 0x
Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state
Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED
Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED
Info  : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED
Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : tacacs - [1] - Delaying reconnection by 1s
Debug : (1.0)        tacacs - tacacs - Resuming execution
Debug : (1.0)        *tacacs (ok)*

*I also tried to get the tacacs attributes on the caller side, but it did not help
because the connection was closed by the remote side*

On Sun, Apr 27, 2025 at 9:51 AM bryan xiang <bryanxiang82 at gmail.com> wrote:

> Yes, I am checking the examples and find one like below:
>
>         recv Access-Request {
>              subrequest @tacacs::Authentication-Start {
>                 User-Name := parent.request.User-Name
>                 #User-Password := parent.request.User-Password
>                 Data := parent.request.User-Password
>                 Packet.Version-Major := 0xC   # or "Plus" if using VALUE mapping
>                 Packet.Version-Minor := 0x1
>                 Packet.Packet-Type := "Authentication"
>                 Packet.Sequence-Number := 1
>                 Packet.Flags := "None"
>                 Packet.Session-Id := parent.request.Acct-Session-Id
>                 Packet.Length := 0
>                 Authentication-Type := "PAP"
>                 Action := "Login"
>                 Authentication-Service := "Login"
>                 tacacs
>                 }
>
>
>              if (ok) {
>                 control.Auth-Type := "Accept"
>              }
>        }
>
> but even when the auth fails in the tacacs module, the tacacs module still returns
> ok, so the module can catch the auth fail and reply with module not ok, right?
> Debug : (1.0)          tacacs - Packet {
> Debug : (1.0)            tacacs - Version-Major = Plus
> Debug : (1.0)            tacacs - Version-Minor = 1
> Debug : (1.0)            tacacs - Packet-Type = Authentication
> Debug : (1.0)            tacacs - Sequence-Number = 2
> Debug : (1.0)            tacacs - Flags = None
> Debug : (1.0)            tacacs - Session-Id = 2035888093
> Debug : (1.0)            tacacs - Length = 6
> Debug : (1.0)          tacacs - }
> Debug : (1.0)          tacacs - Packet-Body-Type = Reply
> Debug : (1.0)          tacacs - Authentication-Status = Fail
> Debug : (1.0)          tacacs - Authentication-Flags = 0
> Debug : (1.0)          tacacs - Server-Message = ""
> Debug : (1.0)          tacacs - Data = 0x
> Debug : (1.0)        tacacs - tacacs - Resuming execution
> Debug : (1.0)        *tacacs (ok)*
> Debug : (1)        subrequest @tacacs::Authentication-Start - Resuming execution
> Debug : (1)      } # subrequest @tacacs:*:Authentication-Start (ok)*
> Debug : (1)      if (ok)  {
> Debug : (1)        | ok
> Debug : (1)        | %expr.rcode()
> Debug : (1)        | --> true
> Debug : (1)        control.Auth-Type := Accept
> Debug : (1)      } # if (ok)  (noop)
> Debug : (1)    } # recv Access-Request (ok)
> Debug : (1)    default (ok)
> Debug : (1)  } # default (ok)
> Debug : (1)  Done request
>
> On Sat, Apr 26, 2025 at 11:25 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Apr 26, 2025, at 11:23 AM, bryan xiang <bryanxiang82 at gmail.com> wrote:
>> > If I hardcode at the end of the Access-Request, it could pass, but how
>> > can I add a condition to check if tacacs returns ok or not and then do the
>> > Auth-Type?
>>
>>   The "default" virtual server has examples of setting Auth-Type.
>>
>>   Alan DeKok.
>>
>>
>
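
An added example, not part of the original thread and not FreeRADIUS code: a Python decoder for the 18-byte TACACS+ authentication reply seen in the debug output (12-byte header plus 6-byte body, RFC 8907 layout) that derives accept or reject from the status byte and fails closed, instead of relying on whether the exchange itself completed. The shared secret and the `build_reply` helper are constructed for illustration; the session ID is the one from the log.

```python
import hashlib
import struct

# Authentication REPLY status values from RFC 8907
STATUS = {0x01: "Pass", 0x02: "Fail", 0x03: "GetData", 0x04: "GetUser",
          0x05: "GetPass", 0x06: "Restart", 0x07: "Error", 0x21: "Follow"}
TAC_PLUS_AUTHEN = 0x01
UNENCRYPTED_FLAG = 0x01

def pad_xor(header: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 8907 body obfuscation; the same call hides and reveals the body."""
    version, _type, seq, _flags, session_id, _length = struct.unpack("!BBBBII", header)
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_reply(packet: bytes, secret: bytes) -> dict:
    """Decode one authentication reply; raise ValueError on anything malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    header, body = packet[:12], packet[12:]
    version, ptype, seq, flags, session_id, length = struct.unpack("!BBBBII", header)
    if ptype != TAC_PLUS_AUTHEN or length != len(body) or length < 6:
        raise ValueError("not a well-formed authentication reply")
    if not flags & UNENCRYPTED_FLAG:
        body = pad_xor(header, body, secret)
    status, _aflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != length:
        raise ValueError("body lengths do not add up (wrong secret?)")
    return {"session_id": session_id, "sequence": seq,
            "status": STATUS.get(status, "Unknown"),
            "server_message": body[6:6 + msg_len].decode("utf-8", "replace")}

def decide(packet: bytes, secret: bytes) -> str:
    """Fail closed: only an explicit Pass accepts; Fail, Error and parse errors reject."""
    try:
        return "Accept" if parse_authen_reply(packet, secret)["status"] == "Pass" else "Reject"
    except ValueError:
        return "Reject"

def build_reply(session_id: int, status: int, secret: bytes) -> bytes:
    """Constructed sample: 18-byte reply (12-byte header + 6-byte body), as in the log."""
    header = struct.pack("!BBBBII", 0xC1, TAC_PLUS_AUTHEN, 2, 0, session_id, 6)
    return header + pad_xor(header, struct.pack("!BBHH", status, 0, 0, 0), secret)
```
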

