Re: Can't seem to use configurable failover for an expired account

2004-07-14 Thread Kostas Kalevras
On Tue, 13 Jul 2004, Roy, Daniel wrote:

> Hi all,
>
> This is a rather detailed question, since it relates to the source code of
> freeRADIUS, but I'm trolling to see if anyone has come across this or what a
> freeRADIUS expert might suggest as a solution.
>
> Configurable failover is working for me in the authorize section.  Also, I've built
> an authenticate section in rlm_files so that now configurable failover is working in
> the authenticate section (for MS-CHAP in my case).  In both cases I'm proxying to
> another realm as the failover.
>
> Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to
> configure failover if an account is expired, since account expiration doesn't seem
> to be part of the authorize section.
>
> Code details:
> In src/main/auth.c:rad_authenticate, it loops over the registered and configured
> modules with an authorize section, then it checks to see if it needs to proxy, then
> it performs the authentication.  Authentication starts by checking the account
> expiration followed by checking the password, and so on.  Checking the password
> (rad_check_password) includes calling the appropriate module_authenticate.  So
> checking account expiration is stuck in a no man's land between authorization and
> authentication.  Is there a way for me to include expiration as a rejection of
> authentication in configurable failover or do I need to hack the source code?
>
> Around line 550 of src/main/auth.c in rad_authenticate:
>     /*
>      *  Validate the user
>      */
>     do {
>         if ((result = check_expiration(request)) < 0)
>             break;
>         ...
>
> Around line 710 of src/main/auth.c in rad_authenticate:
>     /*
>      *  Result should be >= 0 here - if not, we return.
>      */
>     if (result < 0) {
>         return RLM_MODULE_OK;
>     }
>
> Note: check_expiration returns -1 if the account has expired.
>
> Thanks in advance,
> Daniel
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Expiration handling should probably be moved to a separate module. I've opened
bug #105 for that.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Can't seem to use configurable failover for an expired account

2004-07-14 Thread Roy, Daniel
I guess in describing the problem, I answered it myself - how often that happens.

I now call the rad_check_password method from rlm_sql's authorize, and now 
configurable failover works on an expired account; something the freeRADIUS 
maintainers might want to consider.

Cheers,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Roy, Daniel
Sent: Tuesday, July 13, 2004 4:08 PM
To: [EMAIL PROTECTED]
Subject: Can't seem to use configurable failover for an expired account


Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, 
but I'm trolling to see if anyone has come across this or what a freeRADIUS expert 
might suggest as a solution.

Configurable failover is working for me in the authorize section.  Also, I've built an 
authenticate section in rlm_files so that now configurable failover is working in the 
authenticate section (for MS-CHAP in my case).  In both cases I'm proxying to another 
realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to 
configure failover if an account is expired, since account expiration doesn't seem to 
be part of the authorize section.

Code details:
In src/main/auth.c:rad_authenticate, it loops over the registered and configured 
modules with an authorize section, then it checks to see if it needs to proxy, then it 
performs the authentication.  Authentication starts by checking the account expiration 
followed by checking the password, and so on.  Checking the password 
(rad_check_password) includes calling the appropriate module_authenticate.  So 
checking account expiration is stuck in a no man's land between authorization and 
authentication.  Is there a way for me to include expiration as a rejection of 
authentication in configurable failover or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:
    /*
     *  Validate the user
     */
    do {
        if ((result = check_expiration(request)) < 0)
            break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:
    /*
     *  Result should be >= 0 here - if not, we return.
     */
    if (result < 0) {
        return RLM_MODULE_OK;
    }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel




Re: Can't seem to use configurable failover for an expired account

2004-07-14 Thread Alan DeKok
Roy, Daniel [EMAIL PROTECTED] wrote:
> I now call the rad_check_password method from rlm_sql's authorize, and
> now configurable failover works on an expired account; something the
> freeRADIUS maintainers might want to consider.

  That change won't be added to the server.  The rad_check_password
function should be called once, and only once, and only from the
server core.

  If modules call it, then strange things can happen, and you can do
things like call EAP twice for the same packet.

  It's MUCH better to move the expiration checks into a module, as
Kostas said.

  Alan DeKok.
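
The design the replies above settle on, as an added example that is not part of the thread and not FreeRADIUS code: a simplified C model (all types and function names are hypothetical) in which expiration is an authorize-phase module whose return code the failover can act on. It is contrasted with a module that runs the password check itself, which makes the auth method run twice for one packet.

```c
/* Added example: simplified model of the flow discussed in this thread.
 * NOT FreeRADIUS source; every name here is hypothetical. */
#include <stdio.h>
#include <time.h>

typedef enum { RC_NOOP, RC_OK, RC_REJECT, RC_USERLOCK } rcode_t;
typedef enum { OUT_ACCEPT, OUT_REJECT, OUT_PROXY } outcome_t;

typedef struct {
    time_t now, expiration;  /* expiration == 0 means no expiry is set */
    int password_ok;
    int password_checks;     /* how many times the auth method ran */
} request_t;

/* Runs the auth method (MS-CHAP, EAP, ...); meant to run once per packet. */
static rcode_t check_password(request_t *r) {
    r->password_checks++;
    return r->password_ok ? RC_OK : RC_REJECT;
}

/* Expiration as its own module: expiry becomes an authorize return code. */
static rcode_t expiration_authorize(request_t *r) {
    if (r->expiration == 0) return RC_NOOP;
    return r->now >= r->expiration ? RC_USERLOCK : RC_OK;
}

/* The pattern warned against: a module runs the password check itself. */
static rcode_t module_calls_password(request_t *r) {
    rcode_t rc = expiration_authorize(r);
    return rc == RC_USERLOCK ? rc : check_password(r);
}

/* Core: authorize, failover on its return code, then authenticate once. */
static outcome_t handle(request_t *r, rcode_t (*authorize)(request_t *)) {
    rcode_t rc = authorize(r);
    if (rc == RC_USERLOCK) return OUT_PROXY;   /* configured failover */
    if (rc == RC_REJECT) return OUT_REJECT;
    return check_password(r) == RC_OK ? OUT_ACCEPT : OUT_REJECT;
}

int main(void) {
    request_t expired = { 2000, 1000, 1, 0 };  /* constructed sample data */
    request_t valid = { 500, 1000, 1, 0 }, twice = valid;
    outcome_t o1 = handle(&expired, expiration_authorize);
    outcome_t o2 = handle(&valid, expiration_authorize);
    outcome_t o3 = handle(&twice, module_calls_password);
    printf("expired: outcome=%d checks=%d\n", o1, expired.password_checks);
    printf("module design: outcome=%d checks=%d\n", o2, valid.password_checks);
    printf("module calls check: outcome=%d checks=%d\n", o3, twice.password_checks);
    return 0;
}
```

In the model, the expired account is handed to the failover before any credential check runs, while the module that calls the password check leaves the counter at 2 for a single request.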



Can't seem to use configurable failover for an expired account

2004-07-13 Thread Roy, Daniel
Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, 
but I'm trolling to see if anyone has come across this or what a freeRADIUS expert 
might suggest as a solution.

Configurable failover is working for me in the authorize section.  Also, I've built an 
authenticate section in rlm_files so that now configurable failover is working in the 
authenticate section (for MS-CHAP in my case).  In both cases I'm proxying to another 
realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to 
configure failover if an account is expired, since account expiration doesn't seem to 
be part of the authorize section.

Code details:
In src/main/auth.c:rad_authenticate, it loops over the registered and configured 
modules with an authorize section, then it checks to see if it needs to proxy, then it 
performs the authentication.  Authentication starts by checking the account expiration 
followed by checking the password, and so on.  Checking the password 
(rad_check_password) includes calling the appropriate module_authenticate.  So 
checking account expiration is stuck in a no man's land between authorization and 
authentication.  Is there a way for me to include expiration as a rejection of 
authentication in configurable failover or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:
    /*
     *  Validate the user
     */
    do {
        if ((result = check_expiration(request)) < 0)
            break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:
    /*
     *  Result should be >= 0 here - if not, we return.
     */
    if (result < 0) {
        return RLM_MODULE_OK;
    }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel
