Description
What type of defect/bug is this?
Unexpected behaviour (obvious or verified by project member)
How can the issue be reproduced?
Hi Experts,
Recently I have been testing FreeRADIUS 4.0 with the rlm_tacacs module, using the open source tac_plus server. From my test, even when the remote tac_plus server reports an auth failure, the tacacs module always returns ok, which leads to my rlm_radius module's Auth-Type having the wrong value, so even on auth failure I can log in to my server with FreeRADIUS 4.0.
The virtual server config:
server default {
    namespace = radius
    listen {
        type = Access-Request
        type = Status-Server
        transport = udp
        udp {
            ipaddr = 169.254.195.0
            port = 1812
        }
    }
    authenticate TACACS {
        subrequest @tacacs::Authentication-Start {
            User-Name := parent.request.User-Name
            Data := parent.request.User-Password
            Packet.Version-Major := 0xC # or "Plus" if using VALUE mapping
            Packet.Version-Minor := 0x1
            Packet.Packet-Type := "Authentication"
            Packet.Sequence-Number := 1
            Packet.Flags := "None"
            Packet.Session-Id := parent.request.Acct-Session-Id
            Packet.Length := 0
            Authentication-Type := "PAP"
            Action := "Login"
            Authentication-Service := "Login"
            # The module below always returns ok, so the caller always thinks the auth succeeded
            tacacs
            # Added the block below as a workaround, but it does not help to set the parent's Auth-Type
            if (reply.Authentication-Status == "Pass") {
                parent.control.Auth-Type := ::Accept
            } else {
                parent.control.Auth-Type := ::Reject
            }
        }
    }
    recv Access-Request {
        if (User-Name =~ /^testuser1$/) {
            control.Auth-Type := ::TACACS
        }
    }
    recv Status-Server {
    }
}
The tacacs module config:
modules {
    tacacs {
        transport = tcp
        type = Authentication-Start
        type = Authentication-Continue
        type = Authentication-Error
        type = Authentication-Fail
        tcp {
            ipaddr = 10.76.89.50
            port = 49
            secret = testkey123
        }
        pool {
            start = 1
            min = 1
            max = 1
        }
    }
}
Logs with auth failure:
Debug : (0) Running 'authenticate TACACS' from file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Debug : (0) authenticate TACACS {
Debug : (0) subrequest @TaCaCs::Authentication-Start {
Debug : (0.0) User-Name := "testuser1"
Debug : (0.0) Data := "newsys"
Debug : (0.0) Packet.Version-Major := 12
Debug : (0.0) Packet.Version-Minor := 1
Debug : (0.0) Packet.Packet-Type := Authentication
Debug : (0.0) Packet.Sequence-Number := 1
Debug : (0.0) Packet.Flags := None
Debug : (0.0) Packet.Length := 0
Debug : (0.0) Authentication-Type := PAP
Debug : (0.0) Action := LOGIN
Debug : (0.0) Authentication-Service := LOGIN
Debug : (0.0) tacacs - tacacs - [1] Trunk connection assigned request 1
Debug : (0.0) tacacs - Sending Authentication-Start ID 1 length 0 over connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (0.0) tacacs - Packet-Type = Authentication-Start
Debug : (0.0) tacacs - User-Name = "testuser1"
Debug : (0.0) tacacs - Data = 0x6e6577737973
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 1
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 1
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 2509117284
Debug : (0.0) tacacs - Length = 0
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Authentication-Type = PAP
Debug : (0.0) tacacs - Action = LOGIN
Debug : (0.0) tacacs - Authentication-Service = LOGIN
Debug : (0.0) tacacs - Received Authentication-Fail ID 3 length 18 reply packet on connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : (0.0) tacacs - Packet {
Debug : (0.0) tacacs - Version-Major = Plus
Debug : (0.0) tacacs - Version-Minor = 1
Debug : (0.0) tacacs - Packet-Type = Authentication
Debug : (0.0) tacacs - Sequence-Number = 2
Debug : (0.0) tacacs - Flags = None
Debug : (0.0) tacacs - Session-Id = 2509117284
Debug : (0.0) tacacs - Length = 6
Debug : (0.0) tacacs - }
Debug : (0.0) tacacs - Packet-Body-Type = Reply
Debug : (0.0) tacacs - Authentication-Status = Fail
Debug : (0.0) tacacs - Authentication-Flags = 0
Debug : (0.0) tacacs - Server-Message = ""
Debug : (0.0) tacacs - Data = 0x
Error : tacacs - Connection proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49 failed: No additional error information
Debug : tacacs - [1] - Signalled to reconnect from CONNECTED state
Debug : tacacs - [1] - Connection changed state CONNECTED -> FAILED
Debug : tacacs - [1] - Connection changed state FAILED -> CLOSED
Info : tacacs - [1] Trunk connection changed state ACTIVE -> CLOSED
Debug : tacacs - Connection closed - proto tcp local 0.0.0.0 port 0 remote 10.76.89.50 port 49
Debug : tacacs - [1] - Delaying reconnection by 1s
Debug : (0.0) tacacs - tacacs - Resuming execution
Debug : (0.0) tacacs (ok)
Debug : (0.0) if (reply.Authentication-Status == "Pass") {
Debug : (0.0) | ==
Debug : (0.0) | reply.Authentication-Status
Debug : (0.0) | %{reply.Authentication-Status}
Debug : (0.0) | --> Fail
Debug : (0.0) | %cmp_eq({Fail}{Pass})
Debug : (0.0) | --> false
Debug : (0.0) ...
Debug : (0.0) }
Debug : (0.0) else {
Debug : (0.0) parent.control.Auth-Type := Reject
Debug : (0.0) } # else (noop)
Debug : (0) subrequest @TaCaCs::Authentication-Start - Resuming execution
Debug : (0) } # subrequest @TaCaCs::Authentication-Start (ok)
Debug : (0) } # authenticate TACACS (ok)
Debug : (0) default (ok)
Debug : (0) } # default (ok)
Debug : (0) Done request
Debug : (0) Sending Access-Accept ID 109 from 0.0.0.0/0:1812 to 169.254.131.1:58539 length 38 via socket radius_udp server 169.254.195.0 port 1812
Debug : (0) Packet-Type = Access-Accept
Debug : (0) Finished request
Log output from the FreeRADIUS daemon
Info : Copyright 1999-2024 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
including configuration file /etc/opt/LU3Pfreeradius-server/radiusd.conf
including configuration file /etc/opt/LU3Pfreeradius-server/clients.conf
Including files in directory "/etc/opt/LU3Pfreeradius-server/modules/"
including configuration file /etc/opt/LU3Pfreeradius-server/modules/tacacs
including configuration file /etc/opt/LU3Pfreeradius-server/sites-cpm/cpm_radius_config
Loaded module process_radius
Parsing initial logging configuration.
main {
prefix = /opt/LU3P
log {
destination = files
syslog_facility = daemon
local_state_dir = "/opt/LU3P/var"
logdir = "/opt/LU3P/var/log"
file = /var/opt/log/freeradius-server/radius.log
suppress_secrets = no
}
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
log {
}
security {
allow_core_dumps = no
allow_vulnerable_openssl = "no"
}
name = radiusd
local_state_dir = "/opt/LU3P/var"
run_dir = /var/opt/run
}
Parsing main configuration
main {
server default {
namespace = radius
radius {
Access-Request {
session {
timeout = 15
max = 4096
}
}
}
Loaded module proto_radius
listen {
type = Access-Request
type = Status-Server
transport = udp
Loaded module proto_radius_udp
udp {
ipaddr = 169.254.195.0
port = 1812
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.0
idle_timeout = 30.0
nak_lifetime = 30.0
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
log {
ignored_clients = yes
}
require_message_authenticator = no
limit_proxy_state = auto
}
}
log {
}
security {
}
sbin_dir = "/opt/LU3P/sbin"
logdir = /var/opt/log/freeradius-server
radacctdir = /var/opt/log/freeradius-server/radacct
reverse_lookups = no
hostname_lookups = no
max_request_time = 30
pidfile = /var/opt/run/radiusd.pid
debug_level = 0
max_requests = 1024
resources {
}
thread pool {
num_networks = 1
Dynamically determined thread.workers = 2
num_workers = 2
}
migrate {
}
}
Info : Switching to configured log settings
Debug : radiusd: #### Loading Clients ####
Debug : client 127.0.0.1 {
Debug : ipaddr = 127.0.0.1
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Debug : client 169.254.64.0/20 {
Debug : ipaddr = 169.254.64.0/20
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Debug : client 169.254.128.0/17 {
Debug : ipaddr = 169.254.128.0/17
Debug : secret = <<< secret >>>
Debug : shortname = sig03-oam-b
Debug : require_message_authenticator = no
Debug : limit_proxy_state = auto
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30s
Debug : }
Debug : }
Info : Debugger not attached
Info : Configuration version: F7ADA142-02BA-4A1B-A34E-6A9CBB864A61
Info : systemd watchdog is disabled
Info : pre-suid-down capabilities: =ep
Warn : trigger { ... } subsection not found, triggers will be disabled
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping process modules ####
Debug : Bootstrapping process_radius "default"
Debug : Creating Auth-Type = TACACS
Debug : Creating Auth-Type = Jradius
Debug : #### Bootstrapping protocol modules ####
Debug : #### Instantiating libraries ####
Debug : #### Bootstrapping static modules ####
Debug : modules {
Debug : static {
Debug : Loaded module rlm_tacacs
Debug : tacacs {
Debug : transport = tcp
Debug : Loaded module rlm_tacacs_tcp
Debug : tcp {
Debug : ipaddr = 10.76.89.50
Debug : port = 49
Debug : secret = testkey123
Debug : max_packet_size = 4096
Debug : max_send_coalesce = 1024
Debug : }
Debug : type = Authentication-Start
Debug : type = Authentication-Continue
Debug : type = Authentication-Error
Debug : type = Authentication-Fail
Debug : max_attributes = 255
Debug : response_window = 20
Debug : zombie_period = 40
Debug : pool {
Debug : start = 1
Debug : min = 1
Debug : max = 1
Debug : connecting = 2
Debug : uses = 0
Debug : lifetime = 0
Debug : idle_timeout = 0
Debug : open_delay = 0.2
Debug : close_delay = 10.0
Debug : manage_interval = 0.2
Debug : max_backlog = 1000
Debug : connection {
Debug : connect_timeout = 3.0
Debug : reconnect_delay = 1
Debug : }
Debug : request {
Debug : per_connection_max = 2000
Debug : per_connection_target = 1000
Debug : free_delay = 10.0
Debug : }
Debug : }
Debug : retry {
Debug : initial_rtx_time = 2
Debug : max_rtx_time = 16
Debug : max_rtx_count = 5
Debug : max_rtx_duration = 30
Debug : }
Debug : }
Debug : } # static
Debug : #### Bootstrapping rlm modules ####
Debug : Including dictionary file "/etc/opt/LU3Pfreeradius-server/dictionary"
Debug : #### Instantiating listeners ####
Debug : Compiling policies in server default { ... }
Debug : Compiling policies in - recv Access-Request {...}
Debug : Compiling policies in - recv Status-Server {...}
Debug : Compiling policies in - authenticate TACACS {...}
Debug : Compiling policies in - authenticate Jradius {...}
Warn : radius { ... } section is unused
Debug : #### Instantiating process modules ####
Debug : Instantiating process_radius "default"
Debug : #### Instantiating protocol modules ####
Debug : Instantiating proto_radius "default.radius.udp"
Debug : Instantiating proto_radius_udp "default.radius.udp.udp"
Debug : #### Instantiating rlm modules ####
Debug : Instantiating rlm_tacacs "tacacs"
Warn : Ignoring "trunk.per_connection_max = 2000", forcing to "trunk.per_connection_max = 255"
Warn : Ignoring "trunk.per_connection_target = 1000", forcing to "trunk.per_connection_target = 127"
Warn : Ignoring "revive_interval = 0", forcing to "revive_interval = 10"
Debug : Instantiating rlm_tacacs_tcp "tacacs.tcp"
Debug : tacacs - [0] Starting initial connection
Debug : tacacs - [1] - Signalled to start from HALTED state
Debug : tacacs - [1] - Connection changed state HALTED -> INIT
Debug : tacacs - [1] Trunk connection changed state HALTED -> INIT
Debug : tacacs - [1] - Connection changed state INIT -> CONNECTING
Info : tacacs - [1] Trunk connection changed state INIT -> CONNECTING
Debug : Scheduler created in single-threaded mode
Debug : #### Opening listener interfaces ####
Debug : Listening on radius_udp server 169.254.195.0 port 1812 bound to virtual server default
Info : post-suid-down capabilities: =ep
Info : Ready to process requests
Debug : tacacs - [1] - Connection changed state CONNECTING -> CONNECTED
Debug : tacacs - [1] - Connection established
Debug : tacacs - [1] Trunk connection changed state CONNECTING -> ACTIVE
Relevant log output from client utilities
No response
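As an added example (not code from the issue or from FreeRADIUS), the Python below reconstructs the 18-byte Authentication-Fail REPLY shown in the debug log (session 2509117284, sequence 2, body length 6, obfuscated with the configured secret testkey123), de-obfuscates it per RFC 8907 and applies the fail-closed mapping the reporter expects: only status Pass is an accept; Fail, Error, unknown statuses and malformed packets all reject. The test vector is constructed here; status codes are the RFC 8907 values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) authentication REPLY status codes
AUTHEN_STATUS = {0x01: "Pass", 0x02: "Fail", 0x03: "GetData", 0x04: "GetUser",
                 0x05: "GetPass", 0x06: "Restart", 0x07: "Error", 0x21: "Follow"}
UNENCRYPTED_FLAG = 0x01  # header flag bit; "Flags = None" in the log means the body is obfuscated


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 keystream XORed over the packet body."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_reply(session_id, seq_no, status, key):
    """Constructed test vector: an authentication REPLY with empty server_msg and data."""
    version = 0xC1  # major 0xC ("Plus"), minor 1, as in the log
    body = struct.pack(">BBHH", status, 0, 0, 0)
    body = bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))
    header = struct.pack(">BBBBII", version, 0x01, seq_no, 0x00, session_id, len(body))
    return header + body


def decide_authen_reply(packet, key):
    """Parse a TACACS+ authentication REPLY and return (decision, status name), failing closed."""
    if len(packet) < 12:
        return ("Reject", "short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(">BBBBII", packet[:12])
    body = packet[12:12 + length]
    if ptype != 0x01 or len(body) != length or length < 6:
        return ("Reject", "malformed header or body")
    if not flags & UNENCRYPTED_FLAG:
        body = bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    status, _authen_flags, msg_len, data_len = struct.unpack(">BBHH", body[:6])
    if 6 + msg_len + data_len != length:
        return ("Reject", "length fields inconsistent with body")
    name = AUTHEN_STATUS.get(status, f"Unknown(0x{status:02x})")
    # Only an explicit Pass authenticates; everything else, including Error, is a reject.
    return ("Accept" if status == 0x01 else "Reject", name)


if __name__ == "__main__":
    pkt = build_authen_reply(2509117284, 2, 0x02, b"testkey123")  # the log's reply, constructed
    print(len(pkt), decide_authen_reply(pkt, b"testkey123"))
```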