Hi Artur,

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Artur
> Hecker
> Sent: Monday, January 27, 2003 12:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Action to perform when EAP/TLS has finished successfully
> 
> 
> 
> hi Andreas
> 
> 
>  > where does this help me ? If I understood you correctly here, the
>  > only improvement would apply to the authentication attempt, which would
>  > later on fail for sql-query reasons. Since the reject-action would be
>  > determined very early in the process, we'd avoid the 3-4
>  > Request/challenge exchanges plus the corresponding TLS overhead. For
>  > everything (which I hope is the majority anyhow) we'd still need to
>  > do the costly db-queries 4-5 times. Or am I on the wrong road
>  > completely ?
> 
> well, i don't know why you need 4-5 queries but supposing you need them, 
> why would you need less later on? where is the difference whether you do 
> the db query before or later, that's what i don't catch. and the 
> increase of the counter, what you want to do in case of success is a 
> completely different task (complementary if you want, but contradictory 
> in the sense that you can not combine the db-queries anyway).
> 
> do i misunderstand you?

I think yes.

From the RADIUS packet perspective, EAP/TLS does not simply mean *one* Access-Request 
and *one* ACCESS-ACCEPT per authentication attempt. Furthermore, Radius-Packets 
(requests, challenges) are used to transport the TLS PDUs, which are exchanged between 
the RADIUS and the supplicant, and it is my observation that 4-5 Radius access 
requests and a corresponding number of challenges are needed in order to complete a 
TLS authentication. This is exactly what causes my problem, since I don't want to do my 
additional stuff for each of these requests, but only once.

> 
> 
>  > that is exactly what I tried to do. For testing reasons, I extended
>  > the experimental perl-module with a post-auth function and
>  > implemented a post-auth perl-function, which
>  > printed/logged/investigated the Attribute/Value pairs. Firstly, the
>  > post-auth function is not only called when the TLS exchange is
>  > completed (which I perhaps naively thought) but is called for each
>  > received request and secondly, investigating the AVPs  did not
>  > deliver any hint to determine when to do the action.
> 
> of course, the post-auth is called every time the auth is called, too. 
> but you have access to the message, don't you? radius knows if the 

I've access to the attributes, split into check and reply items. Since these are presented in 
a hash, I only see the last instance of e.g. the TLS messages, in case this attribute 
appears more than once. I've hacked in a workaround for that, but having access to 
the TLS message does not really help me further, since as far as I understood it, I'd 
need to follow a whole conversation on the TLS level, since the part I'm interested in is 
already encrypted and this sounds rather complicated to me.

> message will be accept or challenge or reject so your module should know 
> too. however, you need a piece of advice by a developer for the exact 
> procedure. my developer probably knows that (well, that's what i hope 
> :)) but he is absent right now.

Bad luck .....

> 
> 
>  > Very simplified, what I'm trying to do is to increment a counter for
>  > the user in case he's authenticated successfully and I want to do it
>  > more elegantly than by permanently reading the radiusd logfile and
>  > searching for the corresponding message.
> 
> a savage guess: there is a counter module too somewhere. what 
> does that do?

This would have exactly the same problem: it is also called every time a request is 
received.

> 
> 
>  > You might be right (and I hope you are). Because I'm not recognising
>  > the wood, because there are so many trees (sorry, german saying,
>  > roughly translated)
> 
> yes, I on the other hand see the forest, but have no idea what the trees 
> are called.
> 
> 
>  > I hope I did not leave the impression anywhere, that what I thought
>  > out would be the only way to go. I'll happily look into every variant
>  > to achieve my goal.
> 
> why don't you ask for exact procedures on the developer list or one of 
> the guys directly? but rephrase your question in a less conceptional 
> one. e.g. the counter thing sounds very comprehensible.

Thanks for that advice

Andreas

> 
> 
> ciao
> artur
> 
> 
> -- 
> Artur Hecker
> Département Informatique et Réseaux, ENST Paris
> http://www.infres.enst.fr/~hecker
> 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
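An added illustration of the two points raised in this thread (it is not code from the list or from FreeRADIUS): a post-auth style hook runs on every reply, so the decision to count a success must key on the reply code, and collapsing attributes into a hash drops repeated EAP-Message AVPs. The packet layout follows RFC 2865; the sample packets, session state and EAP payload bytes are constructed for the example.

```python
import struct
from collections import defaultdict

# RADIUS reply codes (RFC 2865) and the attribute types this thread touches
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_STATE, ATTR_EAP_MESSAGE = 24, 79


def build_packet(code, ident, attrs, authenticator=b"\x00" * 16):
    """Header (code, id, length, 16-byte authenticator) followed by TLV attributes.
    The authenticator is a constructed placeholder; a real server computes it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, [(type, value), ...]), keeping every attribute instance."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs


def as_hash(attrs):
    """What a plain key/value hash does: a later instance overwrites an earlier one."""
    return dict(attrs)


def as_multi(attrs):
    """Keep all instances per type, so fragmented EAP-Message AVPs survive."""
    out = defaultdict(list)
    for t, v in attrs:
        out[t].append(v)
    return dict(out)


def should_increment(data):
    """Hook decision: only the final Access-Accept counts, never a mid-handshake Challenge."""
    code, _, _ = parse_packet(data)
    return code == ACCESS_ACCEPT


# Constructed replies: a Challenge carrying two EAP-Message fragments plus State,
# then the final Accept carrying EAP-Success (code 3, id 8, length 4).
CHALLENGE = build_packet(ACCESS_CHALLENGE, 7, [
    (ATTR_EAP_MESSAGE, b"\x01\x08\x00\x06\x0d\x20"),  # EAP-Request, type 13 (TLS), Start flag
    (ATTR_EAP_MESSAGE, b"\x16\x03\x01\x00\x2a"),      # constructed continuation bytes
    (ATTR_STATE, b"session-42"),
])
ACCEPT = build_packet(ACCESS_ACCEPT, 8, [(ATTR_EAP_MESSAGE, b"\x03\x08\x00\x04")])
```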
