Start FreeRadius 4.0 with rlm_tacacs failed due to segV error

bryan xiang bryanxiang82 at gmail.com
Mon Apr 28 00:29:44 UTC 2025


Thank you Alan

I tried your suggestion and added a check in the subrequest scope. I can see
the reply attribute, but it seems I can't set the Auth-Type successfully. The
config file is as below:
        recv Access-Request {
#       if (User-Name =~ /^testuser$/) {
             subrequest @tacacs::Authentication-Start {
                User-Name := parent.request.User-Name
                #User-Password := parent.request.User-Password
                Data := parent.request.User-Password
                Packet.Version-Major := 0xC   # or "Plus" if using VALUE mapping
                Packet.Version-Minor := 0x1
                Packet.Packet-Type := "Authentication"
                Packet.Sequence-Number := 1
                Packet.Flags := "None"
                Packet.Session-Id := parent.request.Acct-Session-Id
                Packet.Length := 0
                Authentication-Type := "PAP"
                Action := "Login"
                Authentication-Service := "Login"
                tacacs

                if (&reply.Authentication-Status == "Pass") {
                    &control.Auth-Type := "Accept"
                }
             }
        }

Debug : tacacs - [1] - Delaying reconnection by 1s
Debug : (0.0)        tacacs - tacacs - Resuming execution
Debug : (0.0)        tacacs (ok)
Debug : (0.0)        if (&reply.Authentication-Status == "Pass")  {
Debug : (0.0)          | ==
Debug : (0.0)              | &reply.Authentication-Status
Debug : (0.0)                | &reply.Authentication-Status
Debug : (0.0)                | --> Pass
Debug : (0.0)          | %cmp_eq({Pass}{Pass})
Debug : (0.0)          | --> true
Debug : (0.0)          control.Auth-Type := Accept
Debug : (0.0)        } # if (&reply.Authentication-Status == "Pass")  (noop)
Debug : (0)        subrequest @tacacs::Authentication-Start - Resuming execution
Debug : (0)      } # subrequest @tacacs::Authentication-Start (ok)
Debug : (0)    } # recv Access-Request (ok)
Debug : (0)    No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request
Debug : (0)    default (ok)
Debug : (0)  } # default (ok)

On Mon, Apr 28, 2025 at 7:59 AM Alan DeKok <aland at deployingradius.com>
wrote:

>
> On Apr 27, 2025, at 11:21 AM, bryan xiang <bryanxiang82 at gmail.com> wrote:
> >
> > whatever the auth success or fail, seems the tacacs module always report
> > ok, so back to caller side, seems radius can't decide the auth fail or not
>
>   Hmm, yes.  I'll take a look, but I can't promise anything quick.
>
> > *I also tried to get the tacacs attributes in the caller side, but not help
> > because the connection was closed by remote side*
>
>   Huh?  The attributes are available in the "reply" list, even if the
> connection was closed.
>
>   But you have to look at the attributes in the "subrequest" block.  And
> then from the debug output, even if you did that, the TACACS+ server isn't
> sending any attributes.
>
>   Alan DeKok.
>