hi Andreas
> where does this help me ? If I understood you correctly here, the
> only improvement would apply to the authentication attempt, which would
> later on fail for sql-query reasons. Since the reject-action would be
> determined very early in the process, we'd avoid the 3-4
> Request/challenge exchanges plus the corresponding TLS overhead. For
> everything (which I hope is the majority anyhow) we'd still need to
> do the costly db-queries 4-5 times. Or am I on the wrong road
> completely ?
well, i don't know why you need 4-5 queries but supposing you need them, why would you need less later on? where is the difference whether you do the db query before or later, that's what i don't catch. and the increase of the counter, what you want to do in case of success is a completely different task (complementary if you want, but contradictory in the sense that you can not combine the db-queries anyway).
do you misunderstand you?
> that is exactly what I tried to do. For testing reasons, I extended
> the experimental perl-module with a post-auth function and
> implemented a post-auth perl-function, which
> printed/logged/investigated the Attribute/Value pairs. Firstly, the
> post-auth function is not only called when the TLS exchange is
> completed (which I perhaps naively thought) but is called for each
> received request and secondly, investigating the AVPs did not
> deliver any hint to determine when to do the action.
of course, the post-auth is called every time the auth is called, too. but you have access to the message, don't you? radius knows if the message will be accept or challenge or reject so your module should know too. however, you need a piece of advice by a developer for the exact procedure. my developer probably knows that (well, that's what i hope :)) but he is absent right now.
> Very simplified, what I'm trying to do is to increment a counter for
> the user in case he's authenticated successfully and I want to do it
> more elegantly than by permanently reading the radiusd logfile and
> search for the corresponding message.
a savage guess: there is a counter module too somewhere. what does that do?
> You might be right (and I hope you are). Because I'm not recognising
> the wood, because there are so many trees (sorry, german saying,
> roughly translated)
yes, i on the other hand see the forest, but have no idea what the trees are called.
> I hope I did not leave the impression anywhere, that what I thought
> out would be the only way to go. I'll happily look into every variant
> to achieve my goal.
why don't you ask for exact procedures on the developer list or one of the guys directly? but rephrase your question in a less conceptional one. e.g. the counter thing sounds very comprehensible.
ciao
artur
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
