[defect]: tacacs module always returns ok even on auth failure #5567

Bryanjss opened this issue Apr 29, 2025 · 1 comment
Labels
defect category: a defect or misbehaviour v4.0.x meta: relates to the v4.0.x branch

Comments

@Bryanjss

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

Hi Experts,

Recently I have been testing FreeRADIUS 4.0 with the rlm_tacacs module, using the open source tac_plus server. From my test, even when the remote tac_plus server reports an auth failure, the tacacs module always returns ok, which leads to my rlm_radius module's Auth-Type having the wrong value, so even on auth failure I can log in to my server with FreeRADIUS 4.0.

The virtual server config:

server default {
    namespace = radius

    listen {
        type = Access-Request
        type = Status-Server
        transport = udp
        udp {
            ipaddr = 169.254.195.0
            port = 1812
        }
    }

    authenticate TACACS {
        subrequest @tacacs::Authentication-Start {
            User-Name := parent.request.User-Name
            Data := parent.request.User-Password
            Packet.Version-Major := 0xC   # or "Plus" if using VALUE mapping
            Packet.Version-Minor := 0x1
            Packet.Packet-Type := "Authentication"
            Packet.Sequence-Number := 1
            Packet.Flags := "None"
            Packet.Session-Id := parent.request.Acct-Session-Id
            Packet.Length := 0
            Authentication-Type := "PAP"
            Action := "Login"
            Authentication-Service := "Login"
            # the module below always returns ok, so the caller always thinks it is an auth success
            tacacs
            # added the part below as a workaround, but it does not help to set the parent's Auth-Type
            if (reply.Authentication-Status == "Pass") {
                parent.control.Auth-Type := ::Accept
            } else {
                parent.control.Auth-Type := ::Reject
            }
        }
    }

    recv Access-Request {
        if (User-Name =~ /^testuser1$/) {
            control.Auth-Type := ::TACACS
        }
    }

    recv Status-Server {
    }
}

The tacacs module config:

modules {
    tacacs {
        transport = tcp
        type = Authentication-Start
        type = Authentication-Continue
        type = Authentication-Error
        type = Authentication-Fail

        tcp {
            ipaddr = 10.76.89.50
            port = 49
            secret = testkey123
        }
        pool {
            start = 1
            min = 1
            max = 1
        }
    }
}

Logs with auth failure:
Debug : (0) Running 'authenticate TACACS' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Debug : (0) authenticate TACACS {
Debug : (0) subrequest @TaCaCs::Authentication-Start {
Debug : (0.0) User-Name := "testuser1"
Debug : (0.0) Data := "newsys"
Debug : (0.0) Packet.Version-Major := 12
Debug : (0.0) Packet.Version-Minor := 1
Debug : (0.0) Packet.Packet-Type := Authentication
Debug : (0.0) Packet.Sequence-Number := 1
Debug : (0.0) Packet.Flags := None
Debug : (0.0) Packet.Length := 0
Debug : (0.0) Authentication-Type := PAP
Debug : (0.0) Action := LOGIN
Debug : (0.0) Authentication-Service := LOGIN
Debug : (0.0) tacacs - tacacs - [1] Trunk connection assigned request 1
Debug : (0.0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (0.0) tacacs - Packet-Type = Authentication-Start
Debug : (0.0) tacacs - User-Name = "testuser1"
Debug : (0.0) tacacs - Data = 0x6e6577737973
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 1
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 1
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 2509117284
Debug : (0.0) tacacs - Length = 0
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Authentication-Type = PAP
Debug : (0.0) tacacs - Action = LOGIN
Debug : (0.0) tacacs - Authentication-Service = LOGIN
Debug : (0.0) tacacs - Received Authentication-Fail ID 3 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 1
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 2
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 2509117284
Debug : (0.0) tacacs - Length = 6
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Packet-Body-Type = Reply
Debug : (0.0) tacacs - Authentication-Status = Fail
Debug : (0.0) tacacs - Authentication-Flags = 0
Debug : (0.0) tacacs - Server-Message = ""
Debug : (0.0) tacacs - Data = 0x
Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state
Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED
Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED
Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED
Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : tacacs - [1] - Delaying reconnection by 1s
Debug : (0.0) tacacs - tacacs - Resuming execution
Debug : (0.0) tacacs (ok)
Debug : (0.0) if (reply.Authentication-Status == "Pass") {
Debug : (0.0) | ==
Debug : (0.0) | reply.Authentication-Status
Debug : (0.0) | %{reply.Authentication-Status}
Debug : (0.0) | --> Fail
Debug : (0.0) | %cmp_eq({Fail}{Pass})
Debug : (0.0) | --> false
Debug : (0.0) ...
Debug : (0.0) }
Debug : (0.0) else {
Debug : (0.0) parent.control.Auth-Type := Reject
Debug : (0.0) } # else (noop)
Debug : (0) subrequest @TaCaCs::Authentication-Start - Resuming execution
Debug : (0) } # subrequest @TaCaCs::Authentication-Start (ok)
Debug : (0) } # authenticate TACACS (ok)
Debug : (0) default (ok)
Debug : (0) } # default (ok)
Debug : (0) Done request
Debug : (0) Sending Access-Accept ID 109 from 0.0.0.0/0:1812 to 169.254.131.1:58539 length 38 via socket radius_udp server 169.254.195.0 port 1812
Debug : (0) Packet-Type = Access-Accept
Debug : (0) Finished request

Log output from the FreeRADIUS daemon

Info  : Copyright 1999-2024 The FreeRADIUS server project and contributors
Info  : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info  : PARTICULAR PURPOSE
Info  : You may redistribute copies of FreeRADIUS under the terms of the
Info  : GNU General Public License
Info  : For more information about these matters, see the file named COPYRIGHT
Info  : Starting - reading configuration files ...
including configuration file /etc/opt/LU3Pfreeradius-server/radiusd.conf
including configuration file /etc/opt/LU3Pfreeradius-server/clients.conf
Including files in directory "/etc/opt/LU3Pfreeradius-server/modules/"
including configuration file /etc/opt/LU3Pfreeradius-server/modules/tacacs
including configuration file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Loaded module process_radius
Parsing initial logging configuration.
main {
  prefix = /opt/LU3P
  log {
    destination = files
    syslog_facility = daemon
    local_state_dir = "/opt/LU3P/var"
    logdir = "/opt/LU3P/var/log"
    file = /var/opt/log/freeradius-server/radius.log
    suppress_secrets = no
  }
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
  log {
  }
  security {
    allow_core_dumps = no
    allow_vulnerable_openssl = "no"
  }
  name = radiusd
  local_state_dir = "/opt/LU3P/var"
  run_dir = /var/opt/run
}
Parsing main configuration
main {
  server default {
    namespace = radius
    radius {
      Access-Request {
        session {
          timeout = 15
          max = 4096
        }
      }
    }
Loaded module proto_radius
    listen {
      type = Access-Request
      type = Status-Server
      transport = udp
Loaded module proto_radius_udp
      udp {
        ipaddr = 169.254.195.0
        port = 1812
        networks {
        }
        max_packet_size = 4096
        max_attributes = 255
      }
      limit {
        cleanup_delay = 5.0
        idle_timeout = 30.0
        nak_lifetime = 30.0
        max_connections = 1024
        max_clients = 256
        max_pending_packets = 256
      }
      priority {
        Access-Request = high
        Accounting-Request = low
        CoA-Request = normal
        Disconnect-Request = low
        Status-Server = now
      }
      log {
        ignored_clients = yes
      }
      require_message_authenticator = no
      limit_proxy_state = auto
    }
  }
  log {
  }
  security {
  }
  sbin_dir = "/opt/LU3P/sbin"
  logdir = /var/opt/log/freeradius-server
  radacctdir = /var/opt/log/freeradius-server/radacct
  reverse_lookups = no
  hostname_lookups = no
  max_request_time = 30
  pidfile = /var/opt/run/radiusd.pid
  debug_level = 0
  max_requests = 1024
  resources {
  }
  thread pool {
    num_networks = 1
Dynamically determined thread.workers = 2
    num_workers = 2
  }
  migrate {
  }
}
Info  : Switching to configured log settings
Debug : radiusd: #### Loading Clients ####
Debug :   client 127.0.0.1 {
Debug :     ipaddr = 127.0.0.1
Debug :     secret = <<< secret >>>
Debug :     shortname = sig03-oam-b
Debug :     require_message_authenticator = no
Debug :     limit_proxy_state = auto
Debug :     limit {
Debug :       max_connections = 16
Debug :       lifetime = 0
Debug :       idle_timeout = 30s
Debug :     }
Debug :   }
Debug :   client 169.254.64.0/20 {
Debug :     ipaddr = 169.254.64.0/20
Debug :     secret = <<< secret >>>
Debug :     shortname = sig03-oam-b
Debug :     require_message_authenticator = no
Debug :     limit_proxy_state = auto
Debug :     limit {
Debug :       max_connections = 16
Debug :       lifetime = 0
Debug :       idle_timeout = 30s
Debug :     }
Debug :   }
Debug :   client 169.254.128.0/17 {
Debug :     ipaddr = 169.254.128.0/17
Debug :     secret = <<< secret >>>
Debug :     shortname = sig03-oam-b
Debug :     require_message_authenticator = no
Debug :     limit_proxy_state = auto
Debug :     limit {
Debug :       max_connections = 16
Debug :       lifetime = 0
Debug :       idle_timeout = 30s
Debug :     }
Debug :   }
Info  : Debugger not attached
Info  : Configuration version: F7ADA142-02BA-4A1B-A34E-6A9CBB864A61
Info  : systemd watchdog is disabled
Info  : pre-suid-down capabilities: =ep
Warn  : trigger { ... } subsection not found, triggers will be disabled
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping process modules ####
Debug : Bootstrapping process_radius "default"
Debug : Creating Auth-Type = TACACS
Debug : Creating Auth-Type = Jradius
Debug : #### Bootstrapping protocol modules ####
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping static modules ####
Debug :  modules {
Debug :     static {
Debug : Loaded module rlm_tacacs
Debug :     tacacs {
Debug :       transport = tcp
Debug : Loaded module rlm_tacacs_tcp
Debug :       tcp {
Debug :         ipaddr = 10.76.89.50
Debug :         port = 49
Debug :         secret = testkey123
Debug :         max_packet_size = 4096
Debug :         max_send_coalesce = 1024
Debug :       }
Debug :       type = Authentication-Start
Debug :       type = Authentication-Continue
Debug :       type = Authentication-Error
Debug :       type = Authentication-Fail
Debug :       max_attributes = 255
Debug :       response_window = 20
Debug :       zombie_period = 40
Debug :       pool {
Debug :         start = 1
Debug :         min = 1
Debug :         max = 1
Debug :         connecting = 2
Debug :         uses = 0
Debug :         lifetime = 0
Debug :         idle_timeout = 0
Debug :         open_delay = 0.2
Debug :         close_delay = 10.0
Debug :         manage_interval = 0.2
Debug :         max_backlog = 1000
Debug :         connection {
Debug :           connect_timeout = 3.0
Debug :           reconnect_delay = 1
Debug :         }
Debug :         request {
Debug :           per_connection_max = 2000
Debug :           per_connection_target = 1000
Debug :           free_delay = 10.0
Debug :         }
Debug :       }
Debug :       retry {
Debug :         initial_rtx_time = 2
Debug :         max_rtx_time = 16
Debug :         max_rtx_count = 5
Debug :         max_rtx_duration = 30
Debug :       }
Debug :     }
Debug :     } # static
Debug : #### Bootstrapping rlm modules ####
Debug : Including dictionary file "/etc/opt/LU3Pfreeradius-server/dictionary"
Debug : #### Instantiating listeners ####
Debug : Compiling policies in server default { ... }
Debug : Compiling policies in - recv Access-Request {...}
Debug : Compiling policies in - recv Status-Server {...}
Debug : Compiling policies in - authenticate TACACS {...}
Debug : Compiling policies in - authenticate Jradius {...}
Warn  : radius  { ... } section is unused
Debug : #### Instantiating process modules ####
Debug : Instantiating process_radius "default"
Debug : #### Instantiating protocol modules ####
Debug : Instantiating proto_radius "default.radius.udp"
Debug : Instantiating proto_radius_udp "default.radius.udp.udp"
Debug : #### Instantiating rlm modules ####
Debug : Instantiating rlm_tacacs "tacacs"
Warn  : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255"
Warn  : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127"
Warn  : Ignoring "revive_interval = 0", forcing to "revive_interval = 10"
Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp"
Debug : tacacs - [0] Starting initial connection
Debug : tacacs - [1] - Signalled to start from HALTED state
Debug : tacacs - [1] - Connection changed state HALTED -> INIT
Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT
Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING
Info  : tacacs - [1] Trunk connection changed state INIT -> CONNECTING
Debug : Scheduler created in single-threaded mode
Debug : #### Opening listener interfaces ####
Debug : Listening on radius_udp server 169.254.195.0 port 1812 bound to virtual server default
Info  : post-suid-down capabilities: =ep
Info  : Ready to process requests
Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED
Debug : tacacs - [1] - Connection established
Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

@Bryanjss Bryanjss added the defect category: a defect or misbehaviour label Apr 29, 2025
@alandekok (Member)

Yeah, it needs to be updated to look for success / failure, and then return the appropriate module code.

@alandekok alandekok added the v4.0.x meta: relates to the v4.0.x branch label Apr 29, 2025
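As an added illustration (not FreeRADIUS or rlm_tacacs code), a small Python decoder for a TACACS+ authentication REPLY per RFC 8907 that maps Authentication-Status to the module return code the maintainer describes, instead of an unconditional ok. The session id, sequence number, key and the 18-byte Fail reply are constructed to mirror the debug log above.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907; sample values below are constructed to match the log above.
TAC_PLUS_AUTHEN = 0x01                 # header packet type: authentication
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def obfuscate(body, session_id, key, version, seq_no):
    """RFC 8907 body obfuscation: XOR with chained MD5 pads (symmetric, so it also decodes)."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def parse_authen_reply(packet, key):
    """Decode an authentication REPLY; raises on a malformed header/body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 6:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, aflags, msg_len, data_len = struct.unpack_from("!BBHH", body)
    return {"seq_no": seq_no, "session_id": session_id, "status": status, "flags": aflags,
            "server_msg": body[6:6 + msg_len].decode(errors="replace"),
            "data": body[6 + msg_len:6 + msg_len + data_len]}


def module_rcode(status):
    """What the fix needs to do: derive the unlang rcode from Authentication-Status.
    Statuses that ask for more input (GETUSER/GETPASS/GETDATA) need an
    Authentication-Continue exchange this example does not model, so they map to invalid."""
    return {STATUS_PASS: "ok", STATUS_FAIL: "reject", STATUS_ERROR: "fail"}.get(status, "invalid")


def build_authen_reply(status, session_id, key, seq_no=2, server_msg=b"", data=b""):
    """Constructed server reply for testing: version 0xC1 (Plus.1), obfuscated body."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    hdr = HEADER.pack(0xC1, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, 0xC1, seq_no)


if __name__ == "__main__":
    # Constructed: the Fail reply from the log (session 2509117284, seq 2, key testkey123, length 18)
    pkt = build_authen_reply(STATUS_FAIL, 2509117284, b"testkey123")
    reply = parse_authen_reply(pkt, b"testkey123")
    print(reply["status"], "->", module_rcode(reply["status"]))  # 2 -> reject, not ok
```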