Re: Can't seem to use configurable failover for an expired account
On Tue, 13 Jul 2004, Roy, Daniel wrote:

> Hi all,
>
> This is a rather detailed question, since it relates to the source code of freeRADIUS, but I'm trolling to see if anyone has come across this or what a freeRADIUS expert might suggest as a solution.
>
> Configurable failover is working for me in the authorize section. Also, I've built an authenticate section in rlm_files so that now configurable failover is working in the authenticate section (for MS-CHAP in my case). In both cases I'm proxying to another realm as the failover.
>
> Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to configure failover if an account is expired, since account expiration doesn't seem to be part of the authorize section.
>
> Code details: In src/main/auth.c:rad_authenticate, it loops over the registered and configured modules with an authorize section, then it checks to see if it needs to proxy, then it performs the authentication. Authentication starts by checking the account expiration followed by checking the password, and so on. Checking the password (rad_check_password) includes calling the appropriate module_authenticate. So checking account expiration is stuck in a no man's land between authorization and authentication.
>
> Is there a way for me to include expiration as a rejection of authentication in configurable failover or do I need to hack the source code?
>
> Around line 550 of src/main/auth.c in rad_authenticate:
>
>     /*
>      * Validate the user
>      */
>     do {
>         if ((result = check_expiration(request)) < 0)
>             break;
>         ...
>
> Around line 710 of src/main/auth.c in rad_authenticate:
>
>     /*
>      * Result should be >= 0 here - if not, we return.
>      */
>     if (result < 0) {
>         return RLM_MODULE_OK;
>     }
>
> Note: check_expiration returns -1 if the account has expired.
>
> Thanks in advance,
> Daniel
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Expiration handling should probably be moved to a separate module. I've opened bug#105 for that.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
RE: Can't seem to use configurable failover for an expired account
I guess in describing the problem, I answered it myself - how often that happens.

I now call the rad_check_password method from rlm_sql's authorize, and now configurable failover works on an expired account; something the freeRADIUS maintainers might want to consider.

Cheers,
Daniel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roy, Daniel
Sent: Tuesday, July 13, 2004 4:08 PM
To: [EMAIL PROTECTED]
Subject: Can't seem to use configurable failover for an expired account

Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, but I'm trolling to see if anyone has come across this or what a freeRADIUS expert might suggest as a solution.

Configurable failover is working for me in the authorize section. Also, I've built an authenticate section in rlm_files so that now configurable failover is working in the authenticate section (for MS-CHAP in my case). In both cases I'm proxying to another realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to configure failover if an account is expired, since account expiration doesn't seem to be part of the authorize section.

Code details: In src/main/auth.c:rad_authenticate, it loops over the registered and configured modules with an authorize section, then it checks to see if it needs to proxy, then it performs the authentication. Authentication starts by checking the account expiration followed by checking the password, and so on. Checking the password (rad_check_password) includes calling the appropriate module_authenticate. So checking account expiration is stuck in a no man's land between authorization and authentication.

Is there a way for me to include expiration as a rejection of authentication in configurable failover or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:

    /*
     * Validate the user
     */
    do {
        if ((result = check_expiration(request)) < 0)
            break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:

    /*
     * Result should be >= 0 here - if not, we return.
     */
    if (result < 0) {
        return RLM_MODULE_OK;
    }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel
Re: Can't seem to use configurable failover for an expired account
Roy, Daniel [EMAIL PROTECTED] wrote:

> I now call the rad_check_password method from rlm_sql's authorize, and now configurable failover works on an expired account; something the freeRADIUS maintainers might want to consider.

That change won't be added to the server. The rad_check_password function should be called once, and only once, and only from the server core. If modules call it, then strange things can happen, and you can do things like call EAP twice for the same packet.

It's MUCH better to move the expiration checks into a module, as Kostas said.

Alan DeKok.
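
The difference between the two layouts discussed in this thread, as a simplified C model added for illustration (not FreeRADIUS source and not code from any poster; the enum, struct and function names are all hypothetical). When the core tests expiry after the module section, the failover member never sees the reject; when the expiry test is itself a group member, its reject falls through to the proxy realm.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model, NOT FreeRADIUS source; every name here is hypothetical. */
enum rc { RC_OK, RC_REJECT };
struct request {
    time_t now, expiration;   /* expiration == 0 means "never expires" */
    int proxied;              /* set once the failover realm takes over */
};
typedef enum rc (*module_fn)(struct request *);

static enum rc mod_local_user(struct request *r) { (void)r; return RC_OK; }
static enum rc mod_proxy_realm(struct request *r) { r->proxied = 1; return RC_OK; }
/* The expiration test written as an ordinary module. */
static enum rc mod_expiration(struct request *r) {
    return (r->expiration && r->expiration <= r->now) ? RC_REJECT : RC_OK;
}

/* Failover group: a reject from one member falls through to the next. */
static enum rc run_failover(const module_fn *mods, int n, struct request *r) {
    enum rc rc = RC_REJECT;
    for (int i = 0; i < n && rc != RC_OK; i++)
        rc = mods[i](r);
    return rc;
}

/* Layout A: the core tests expiry after the module section has finished,
 * so the reject is final and the failover member never runs. */
enum rc core_checks_expiry(struct request *r) {
    const module_fn group[] = { mod_local_user, mod_proxy_realm };
    if (run_failover(group, 2, r) != RC_OK)
        return RC_REJECT;
    return mod_expiration(r);
}

/* Layout B: expiry is a member of the group, so its reject is one more
 * result the failover configuration can act on. */
enum rc module_checks_expiry(struct request *r) {
    const module_fn group[] = { mod_expiration, mod_proxy_realm };
    return run_failover(group, 2, r);
}

int main(void) {
    struct request a = { 1000, 500, 0 }, b = { 1000, 500, 0 };  /* constructed: expired */
    enum rc ra = core_checks_expiry(&a), rb = module_checks_expiry(&b);
    printf("core:   rc=%d proxied=%d\n", ra, a.proxied);
    printf("module: rc=%d proxied=%d\n", rb, b.proxied);
    return 0;
}
```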
Can't seem to use configurable failover for an expired account
Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, but I'm trolling to see if anyone has come across this or what a freeRADIUS expert might suggest as a solution.

Configurable failover is working for me in the authorize section. Also, I've built an authenticate section in rlm_files so that now configurable failover is working in the authenticate section (for MS-CHAP in my case). In both cases I'm proxying to another realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to configure failover if an account is expired, since account expiration doesn't seem to be part of the authorize section.

Code details: In src/main/auth.c:rad_authenticate, it loops over the registered and configured modules with an authorize section, then it checks to see if it needs to proxy, then it performs the authentication. Authentication starts by checking the account expiration followed by checking the password, and so on. Checking the password (rad_check_password) includes calling the appropriate module_authenticate. So checking account expiration is stuck in a no man's land between authorization and authentication.

Is there a way for me to include expiration as a rejection of authentication in configurable failover or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:

    /*
     * Validate the user
     */
    do {
        if ((result = check_expiration(request)) < 0)
            break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:

    /*
     * Result should be >= 0 here - if not, we return.
     */
    if (result < 0) {
        return RLM_MODULE_OK;
    }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel