how to get module reply attributes in authenticate module
bryan xiang
bryanxiang82 at gmail.com
Thu Oct 16 02:01:57 UTC 2025
Hello Experts:
I am testing a customized rlm_jradius working with rlm_tacacs. The workflow is:
the auth request goes to the rlm_jradius module first; if it returns that the
user should go to tacacs, then the request will go to rlm_tacacs.
Below is the site config:
server default {
    namespace = radius
    listen local{
        type = Access-Request
        type = Status-Server
        transport = udp
        udp {
            ipaddr = 127.0.0.1
            port = 1812
        }
    }
    listen internal{
        type = Access-Request
        type = Status-Server
        transport = udp
        udp {
            ipaddr = 169.254.195.0
            port = 1812
        }
    }
    listen external{
        type = Access-Request
        type = Status-Server
        transport = udp
        udp {
            ipaddr = 10.76.56.89
            port = 1812
        }
    }
    authenticate JRADIUS {
        jradius
        if( ! ok && reply.Vendor-Specific.Lucent-VID.IsTacacsUser == "TRUE" ) {
            subrequest @tacacs::Authentication-Start {
                User-Name := parent.request.User-Name
                #User-Password := parent.request.User-Password
                Data := parent.request.User-Password
                Packet.Version-Major := 0xC
                Packet.Version-Minor := 0x1
                Packet.Packet-Type := "Authentication"
                Packet.Sequence-Number := 1
                Packet.Flags := "None"
                Packet.Session-Id := parent.request.Acct-Session-Id
                Packet.Length := 0
                Authentication-Type := "PAP"
                Action := "Login"
                Authentication-Service := "Login"
                tacacs
                if (reply.Authentication-Status == "Pass") {
                    parent.control.Auth-Type := "Accept"
                } else {
                    parent.control.Auth-Type := "Reject"
                }
            }
        }
    }
    recv Access-Request {
        control.Auth-Type := ::JRADIUS
    }
}
The question is: I want to get some reply attributes from jradius and decide
whether we should go to the subrequest for the tacacs module. I tried some
methods, but the reply is null.
Logs:
(5) Thu Oct 16 09:56:15 2025 : Debug : Time tracking started in yielded state
(5) Thu Oct 16 09:56:15 2025 : Debug : Request resuming
(5) Thu Oct 16 09:56:15 2025 : Debug : default {
(5) Thu Oct 16 09:56:15 2025 : Debug : Received Access-Request ID 125 from 169.254.131.0:38924 to 169.254.195.0:1812 via int0
(5) Thu Oct 16 09:56:15 2025 : Debug : User-Name = "bryantest"
(5) Thu Oct 16 09:56:15 2025 : Debug : NAS-Identifier = "LCP_CLI"
(5) Thu Oct 16 09:56:15 2025 : Debug : Service-Type = Authenticate-Only
(5) Thu Oct 16 09:56:15 2025 : Debug : Calling-Station-Id = "10.76.89.53"
(5) Thu Oct 16 09:56:15 2025 : Debug : NAS-IP-Address = 169.254.64.1
(5) Thu Oct 16 09:56:15 2025 : Debug : NAS-Port = 4021429
(5) Thu Oct 16 09:56:15 2025 : Debug : NAS-Port-Type = Virtual
(5) Thu Oct 16 09:56:15 2025 : Debug : User-Password = "testpass"
(5) Thu Oct 16 09:56:15 2025 : Debug : Net {
(5) Thu Oct 16 09:56:15 2025 : Debug : Src {
(5) Thu Oct 16 09:56:15 2025 : Debug : IP = 169.254.131.0
(5) Thu Oct 16 09:56:15 2025 : Debug : Port = 38924
(5) Thu Oct 16 09:56:15 2025 : Debug : }
(5) Thu Oct 16 09:56:15 2025 : Debug : Dst {
(5) Thu Oct 16 09:56:15 2025 : Debug : IP = 169.254.195.0
(5) Thu Oct 16 09:56:15 2025 : Debug : Port = 1812
(5) Thu Oct 16 09:56:15 2025 : Debug : }
(5) Thu Oct 16 09:56:15 2025 : Debug : Timestamp = "2025-10-16T01:56:15Z"
(5) Thu Oct 16 09:56:15 2025 : Debug : }
(5) Thu Oct 16 09:56:15 2025 : Debug : Packet-Type = Access-Request
(5) Thu Oct 16 09:56:15 2025 : Debug : No request.State attribute, can't restore session-state
(5) Thu Oct 16 09:56:15 2025 : Debug : Running 'recv Access-Request' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
(5) Thu Oct 16 09:56:15 2025 : WARN : Module default returned 3-7
(5) Thu Oct 16 09:56:15 2025 : Debug : recv Access-Request {
(5) Thu Oct 16 09:56:15 2025 : Debug : control.Auth-Type := JRADIUS
(5) Thu Oct 16 09:56:15 2025 : Debug : } # recv Access-Request (noop)
(5) Thu Oct 16 09:56:15 2025 : Debug : Running 'authenticate JRADIUS' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
(5) Thu Oct 16 09:56:15 2025 : Debug : authenticate JRADIUS {
2025-10-16T09:56:15.721544+08:00: Debug : rlm_jradius: mod_jradius_call: 0x7f3da0fcbb80, 0x1210d10, 0x15cc590, 0x172f060
2025-10-16T09:56:15.721580+08:00: Debug : rlm_jradius: Reserving JRadius socket id: 7
2025-10-16T09:56:15.721596+08:00: Debug : rlm_jradius: Got attribute User-Name (vendor: 0, id: 1; len: 9, type: 1)
2025-10-16T09:56:15.721609+08:00: Debug : rlm_jradius: Packing attribute User-Name (vendor: 0, id: 1; len: 9, type: 1)
2025-10-16T09:56:15.721664+08:00: Debug : rlm_jradius: Got attribute NAS-Port (vendor: 0, id: 5; len: 0, type: 14)
2025-10-16T09:56:15.721670+08:00: Debug : rlm_jradius: Packing attribute NAS-Port (vendor: 0, id: 5; len: 0, type: 14)
2025-10-16T09:56:15.721675+08:00: Debug : rlm_jradius: Got attribute NAS-Port-Type (vendor: 0, id: 61; len: 0, type: 14)
2025-10-16T09:56:15.721680+08:00: Debug : rlm_jradius: Packing attribute NAS-Port-Type (vendor: 0, id: 61; len: 0, type: 14)
2025-10-16T09:56:15.721685+08:00: Debug : rlm_jradius: Got attribute User-Password (vendor: 0, id: 2; len: 8, type: 1)
2025-10-16T09:56:15.721690+08:00: Debug : rlm_jradius: Packing attribute User-Password (vendor: 0, id: 2; len: 8, type: 1)
2025-10-16T09:56:15.721695+08:00: Debug : rlm_jradius: Got attribute Net (vendor: 0, id: 60; len: 0, type: 25)
2025-10-16T09:56:15.721700+08:00: Debug : rlm_jradius: Got attribute Packet-Type (vendor: 0, id: 1000; len: 0, type: 14)
2025-10-16T09:56:15.721705+08:00: Debug : rlm_jradius: packing packet with code: 1 (attr length: 147)
2025-10-16T09:56:15.721717+08:00: Debug : rlm_jradius: packing packet with code: 0 (attr length: 0)
2025-10-16T09:56:15.721722+08:00: Debug : rlm_jradius: Got attribute Auth-Type (vendor: 0, id: 12; len: 0, type: 14)
2025-10-16T09:56:15.721727+08:00: Debug : rlm_jradius: sending 192 bytes to socket 7
2025-10-16T09:56:15.790878+08:00: Debug : rlm_jradius: read 230 bytes at once
2025-10-16T09:56:15.790919+08:00: Debug : rlm_jradius: return code 8; receiving 2 packets
2025-10-16T09:56:15.790926+08:00: Debug : rlm_jradius: reading packet: code=1 len=147
2025-10-16T09:56:15.790939+08:00: Debug : rlm_jradius: reading attribute: type=1; len=9
2025-10-16T09:56:15.790955+08:00: Debug : rlm_jradius: attribute from dict: vendor=0; id=1, name=User-Name, type=1, vp_ptr=(nil)
2025-10-16T09:56:15.790971+08:00: Debug : rlm_jradius: attribute after strndup: vendor=0; id=1, name=User-Name, type=1, vp_ptr=0x7f3d88094dd0, buff=0x7f3da0fbb970
2025-10-16T09:56:15.790979+08:00: Debug : rlm_jradius: insert_tail, vps=0x7f3d88091f18, vp=0x7f3d88099410
2025-10-16T09:56:15.790984+08:00: Debug : rlm_jradius: reading attribute: type=32; len=7
2025-10-16T09:56:15.791020+08:00: Debug : rlm_jradius: attribute from dict: vendor=0; id=32, name=NAS-Identifier, type=1, vp_ptr=(nil)
2025-10-16T09:56:15.791029+08:00: Debug : rlm_jradius: attribute after strndup: vendor=0; id=32, name=NAS-Identifier, type=1, vp_ptr=0x7f3d88098800, buff=0x7f3da0fbb970
2025-10-16T09:56:15.791152+08:00: Debug : rlm_jradius: insert_tail, vps=0x7f3d88091f18, vp=0x7f3d88097fb0
2025-10-16T09:56:15.791157+08:00: Debug : rlm_jradius: reading packet: code=3 len=37
2025-10-16T09:56:15.791161+08:00: Info : rlm_jradius: changing packet code from 0 to 3
2025-10-16T09:56:15.791166+08:00: Debug : rlm_jradius: reading attribute: type=244383759; len=4
2025-10-16T09:56:15.791191+08:00: Debug : rlm_jradius: attribute from dict: vendor=3729; id=15, name=*IsTacacsUser*, type=1, vp_ptr=(nil)
2025-10-16T09:56:15.791199+08:00: Debug : rlm_jradius: attribute after strndup: vendor=3729; id=15, name=IsTacacsUser, type=1, vp_ptr=0x7f3d88097740, buff=0x7f3da0fbb970
2025-10-16T09:56:15.791205+08:00: Debug : rlm_jradius: insert_tail, vps=0x7f3d88092008, vp=0x7f3d880980b0
2025-10-16T09:56:15.791210+08:00: Debug : rlm_jradius: reading attribute: type=244383760; len=9
2025-10-16T09:56:15.791215+08:00: Debug : rlm_jradius: attribute from dict: vendor=3729; id=16, name=TacacsUserName, type=1, vp_ptr=(nil)
2025-10-16T09:56:15.791221+08:00: Debug : rlm_jradius: attribute after strndup: vendor=3729; id=16, name=TacacsUserName, type=1, vp_ptr=0x7f3d880385b0, buff=0x7f3da0fbb970
2025-10-16T09:56:15.791227+08:00: Debug : rlm_jradius: insert_tail, vps=0x7f3d88092008, vp=0x7f3d88097340
2025-10-16T09:56:15.791231+08:00: Debug : rlm_jradius: reading request: config_item: len=16
2025-10-16T09:56:15.791237+08:00: Debug : rlm_jradius: reading attribute: type=1000; len=4
2025-10-16T09:56:15.791242+08:00: Debug : rlm_jradius: attribute from dict: vendor=0; id=1000, name=Packet-Type, type=14, vp_ptr=(nil)
2025-10-16T09:56:15.791248+08:00: Debug : rlm_jradius: insert_tail, vps=0x7f3d880920f8, vp=0x7f3d88098870
2025-10-16T09:56:15.791252+08:00: Debug : rlm_jradius: Auth-type received - 4
2025-10-16T09:56:15.791270+08:00: Debug : rlm_jradius: Released JRadius socket id: 7
2025-10-16T09:56:15.791323+08:00: Debug : rlm_jradius: rejected: p_result=1, rcode=2
(5) Thu Oct 16 09:56:15 2025 : WARN : jradius - Module jradius returned 2-1
(5) Thu Oct 16 09:56:15 2025 : Debug : jradius (fail)
(5) Thu Oct 16 09:56:15 2025 : Debug : if ( ! ok && reply.Vendor-Specific.Lucent-VID.IsTacacsUser == "TRUE" ) {
(5) Thu Oct 16 09:56:15 2025 : Debug : | &&
(5) Thu Oct 16 09:56:15 2025 : Debug : | !
(5) Thu Oct 16 09:56:15 2025 : Debug : | %logical_and()
(5) Thu Oct 16 09:56:15 2025 : Debug : | -- UNLANG
(5) Thu Oct 16 09:56:15 2025 : Debug : | ok
(5) Thu Oct 16 09:56:15 2025 : Debug : Request rcode is 'reject'
(5) Thu Oct 16 09:56:15 2025 : Debug : | %expr.rcode()
(5) Thu Oct 16 09:56:15 2025 : Debug : | --> false
(5) Thu Oct 16 09:56:15 2025 : Debug : | %unary_not({false})
(5) Thu Oct 16 09:56:15 2025 : Debug : | --> true
(5) Thu Oct 16 09:56:15 2025 : Debug : | ==
(5) Thu Oct 16 09:56:15 2025 : Debug : | %logical_and(...)
(5) Thu Oct 16 09:56:15 2025 : Debug : | reply.Vendor-Specific.Lucent-VID.IsTacacsUser
(5) Thu Oct 16 09:56:15 2025 : Debug : | %{reply.Vendor-Specific.Lucent-VID.IsTacacsUser}
(5) Thu Oct 16 09:56:15 2025 : Debug : *(null)*
(5) Thu Oct 16 09:56:15 2025 : Debug : | %cmp_eq({}{TRUE})
(5) Thu Oct 16 09:56:15 2025 : Debug : | --> false
(5) Thu Oct 16 09:56:15 2025 : Debug : | %logical_and(...)
(5) Thu Oct 16 09:56:15 2025 : Debug : | --> (null)
(5) Thu Oct 16 09:56:15 2025 : Debug : ...
(5) Thu Oct 16 09:56:15 2025 : Debug : }
(5) Thu Oct 16 09:56:15 2025 : Debug : } # authenticate JRADIUS (noop)
(5) Thu Oct 16 09:56:15 2025 : Debug : rcode: 7
(5) Thu Oct 16 09:56:15 2025 : Debug : Failed to authenticate the user 3
(5) Thu Oct 16 09:56:15 2025 : Debug : default (ok)
(5) Thu Oct 16 09:56:15 2025 : Debug : Setting rcode to 'ok'
(5) Thu Oct 16 09:56:15 2025 : Debug : } # default (ok)
(5) Thu Oct 16 09:56:15 2025 : Debug : Setting rcode to 'ok'
(5) Thu Oct 16 09:56:15 2025 : Debug : Enter unlang_interpret_request_done, typpe=0
(5) Thu Oct 16 09:56:15 2025 : Debug : Done request
(5) Thu Oct 16 09:56:15 2025 : Debug : Time tracking ended
(5) Thu Oct 16 09:56:15 2025 : Debug : XXXXXXXXXX
(5) Thu Oct 16 09:56:15 2025 : Debug : Vendor-Specific.Lucent-VID.*IsTacacsUser* = "TRUE"
(5) Thu Oct 16 09:56:15 2025 : Debug : Vendor-Specific.Lucent-VID.TacacsUserName = "bryantest"
(5) Thu Oct 16 09:56:15 2025 : Debug : Packet-Type = Access-Reject
So my subrequest for tacacs did not run. Could you help me with how to get the
jradius reply attributes?
Regards,
Bryan