Start FreeRadius 4.0 with rlm_tacacs failed due to segV error

[bryan xiang]

Thank you Alan for your detailed explanation

Yes, last time's config has some change, so I changed back to the previous
version configuration and set parent.control.Auth-Type in subrequest, then
it finally working, thanks so much!

Right, one thing for my last  config, is it one bug or enhance if set
Auth-Type like below manner?
        recv Access-Request {
            if (User-Name =~ /^testuser1$/) {
                control.Auth-Type := ::TACACS
            }
        authenticate TACACS {
             subrequest @tacacs::Authentication-Start {
                User-Name := parent.request.User-Name
                #User-Password := parent.request.User-Password
                Data := parent.request.User-Password
                Packet.Version-Major := 0xC   # or "Plus" if using VALUE
mapping
                Packet.Version-Minor := 0x1
                Packet.Packet-Type := "Authentication"
                Packet.Sequence-Number := 1
                Packet.Flags := "None"
                Packet.Session-Id := parent.request.Acct-Session-Id
                Packet.Length := 0
                Authentication-Type := "PAP"
                Action := "Login"
                Authentication-Service := "Login"
                tacacs
                if (&reply.Authentication-Status == "Pass") {
                    parent.control.Auth-Type := "Accept"
                 }
                }
      }

with this config, even I set parent.control.Auth-Type in subrequest, login
with right/wrong password, all get Authenticated success
because the subrequest return ok seems so

regards,
Bryan


On Mon, Apr 28, 2025 at 10:16 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Apr 28, 2025, at 9:39 AM, bryan xiang <bryanxiang82 at gmail.com> wrote:
> > OK, I see  When the child request has finished execution, it is freed
> > but if I can't set it in subrequest, I can't get the attribute:
> > Authentication-Status result from reply
> > so, here the only way I can count on is the tacacs module return
> > code(always return ok regardless auth success/fail)
>
>   You can set "parent.control.Auth-Type" inside of the subrequest.
>
>   My concern here is that the approach I see you taking is largely to make
> random changes.  This is pretty much guaranteed to not make progress.
>
>   Instead, of you understand how things work, it's much easier to see what
> needs to be done.  i.e. If there is a relationship between a parent and
> child request, then you can reference the parent from the child.  But after
> the child has returned, you cannot reference the child from the parent.
>
> > since you are working on the return code of tacacs module, seems this is
> > the only way to decide the auth success or not because Reply attribute in
> > subrequest can't be reused after the subrequest finish execution, the
> > parent can't rely on the Auth-type setting in subrequest.
>
>   The child can do:
>
>         parent.control.Auth_Type := Accept
>
>   At this point, I think I can't answer any more questions.  I've pointed
> you to the documentation, and how to get things done.  Unless you report a
> bug, I'll have to ask you to go through the documentation and follow what
> it says.
>
>   I can't continue to summarize the documentation in emails to this list.
> Everything I'm saying is in the documentation.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>