Post-auth and Rejected logins

2011-09-26 Thread Johan Meiring

Hi,

Hope the following makes sense.

I have a perl module that runs in post-auth.

It checks various things that confirm whether the user may have access and, 
if not, would turn an Accept into a Reject.


I want this perl module to run whether the authentication previously failed 
or not.


I'm using the documented method of the following:

post-auth {
  my_perl
  Post-Auth-Type REJECT {
    my_perl
  }
}

The problem comes in here.

If authentication failed, the module runs once only (in the Post-Auth-Type 
REJECT stanza).


If authentication was OK, and my perl module also OK's the request, it runs 
once only (in the non Post-Auth-Type REJECT stanza).


But

If the authentication was OK, and my perl module then decides to reject the 
Authentication (by returning RLM_MODULE_REJECT), the perl module runs twice.


I've tried swopping around the post-auth section as follows:

post-auth {
  Post-Auth-Type REJECT {
    my_perl
  }
  my_perl
}

The REJECT stanza is still executed if the non-REJECT stanza turns the 
accept into a reject.


The only solution I can come up with is to set a Tmp-String, and use 
unlang to stop the perl module from running again.


Does anyone know of a more elegant way?

Thanks!


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Post-auth and Rejected logins

2011-09-26 Thread Alan DeKok
Johan Meiring wrote:
 If the authentication was OK, and my perl module then decides to reject
 the Authentication (by returning RLM_MODULE_REJECT), 

  Don't do that.

  The post-auth section is for running modules AFTER the user has been
accepted or rejected.  It doesn't make much sense to accept the user,
and then reject them.

  Instead, reject the user earlier in the packet processing.

  Alan DeKok.


Re: Post-auth and Rejected logins

2011-09-26 Thread Johan Meiring

On 2011/09/26 11:38 PM, Alan DeKok wrote:

Johan Meiring wrote:

If the authentication was OK, and my perl module then decides to reject
the Authentication (by returning RLM_MODULE_REJECT),


   Don't do that.

   The post-auth section is for running modules AFTER the user has been
accepted or rejected.  It doesn't make much sense to accept the user,
and then reject them.

   Instead, reject the user earlier in the packet processing.



Hi Alan,

What you say makes sense.

My perl code used to run in the Authorisation section.

The reason I moved it down (to post auth), is because some of my queries 
are very database intensive (complex system).


i.e.

What I had was:

1) Authorisation (using rlm_perl):
   Check various stuff
   If OK so far, create Cleartext-Password, else reject
2) Authentication, PAP/CHAP/whatever

What I tried to avoid was that the check various stuff runs if the user 
supplied the wrong password.


I therefore modified the setup as follows:

1) Authorisation - Create Cleartext-Password (using rlm_mysql)
2) Authentication - PAP/CHAP/whatever
3) Post-Auth - Check the various stuff and reject (using rlm_perl)

This saves a lot of unnecessary (database) CPU cycles.

Using a Tmp-String works.

My post-auth now looks as follows:

post-auth {
  my_perl
  Post-Auth-Type REJECT {
    # skip the module if it already ran in the main post-auth section
    if ("%{reply:Tmp-String-0}" != "DONTRUNAGAIN") {
      my_perl
    }
  }
}

the perl post-auth subroutine simply contains the following:
$RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

This works as expected.

I was just hoping for a more elegant solution.

Thanks again!!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
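Added example for this thread (it is not Johan's module and not FreeRADIUS project code): an rlm_perl post_auth handler built around the same Tmp-String-0 marker Johan describes above. It goes one step further than the config in the message by also checking the marker inside the Perl code, so the database-heavy checks run once per request even if the unlang guard is forgotten, and the second entry through Post-Auth-Type REJECT becomes a no-op. The %RAD_REQUEST and %RAD_REPLY hashes and the RLM_MODULE_* return codes are rlm_perl's real interface (the codes are the ones from the module's example.pl); the %allowed_nas table, the user names, the NAS addresses and the Reply-Message text are constructed stand-ins for whatever the real checks query.

```perl
#!/usr/bin/perl
# Example rlm_perl post_auth handler (added illustration, not from the thread).
# Turns an Access-Accept into an Access-Reject when extra checks fail and uses
# a reply attribute as an "already ran" marker so FreeRADIUS re-entering
# post-auth via Post-Auth-Type REJECT does not repeat the expensive work.
use strict;
use warnings;

# rlm_perl return codes, as listed in the module's example.pl
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# rlm_perl fills these before each call; declared here so the file also runs
# under plain perl for the self-test at the bottom.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

my $MARKER = 'DONTRUNAGAIN';    # the value the unlang guard in the thread tests

# Constructed stand-in for the "database intensive" checks: which NAS each
# user may log in from. A real deployment would query its database here.
my %allowed_nas = (
    'alice' => { '192.0.2.10' => 1 },
    'bob'   => { '192.0.2.10' => 1, '192.0.2.11' => 1 },
);

# Returns 1 when the user is permitted on this NAS, 0 otherwise (assumed policy).
sub expensive_checks {
    my ($user, $nas) = @_;
    return 0 unless defined $user && defined $nas;
    return (exists $allowed_nas{$user} && $allowed_nas{$user}{$nas}) ? 1 : 0;
}

sub post_auth {
    # Second entry (Post-Auth-Type REJECT after we rejected): the marker is
    # already in the reply list, so skip the checks and let the reject stand.
    if (defined $RAD_REPLY{'Tmp-String-0'}
        && $RAD_REPLY{'Tmp-String-0'} eq $MARKER) {
        return RLM_MODULE_NOOP;
    }

    # Set the marker before doing the work, so it is present whichever way
    # the decision goes.
    $RAD_REPLY{'Tmp-String-0'} = $MARKER;

    if (expensive_checks($RAD_REQUEST{'User-Name'},
                         $RAD_REQUEST{'NAS-IP-Address'})) {
        return RLM_MODULE_OK;
    }

    # Constructed denial text; the NAS sees only this, not the reason.
    $RAD_REPLY{'Reply-Message'} = 'Access denied by post-auth policy';
    return RLM_MODULE_REJECT;
}

# Self-test for "perl this_file.pl"; rlm_perl loads the file with require,
# so caller() is true there and this block is skipped.
unless (caller) {
    %RAD_REQUEST = ('User-Name' => 'alice', 'NAS-IP-Address' => '192.0.2.11');
    %RAD_REPLY   = ();
    post_auth() == RLM_MODULE_REJECT or die "first pass should reject\n";
    $RAD_REPLY{'Tmp-String-0'} eq $MARKER or die "marker should be set\n";
    post_auth() == RLM_MODULE_NOOP   or die "re-entry should be a no-op\n";

    %RAD_REQUEST = ('User-Name' => 'bob', 'NAS-IP-Address' => '192.0.2.11');
    %RAD_REPLY   = ();
    post_auth() == RLM_MODULE_OK or die "permitted user should pass\n";
    print "self-test passed\n";
}
```

Tmp-String-0 is one of FreeRADIUS's internal attributes, so it stays in the server's reply list and is not encoded into the Access-Reject that goes to the NAS. Keeping the marker check in the handler as well as in unlang matters for more than CPU: any audit logging or counters the module maintains would otherwise fire twice for one rejected login, which skews the record a defender later relies on. Alan's point still applies: this pattern accepts the user and then rejects them, so the earlier an access decision can be made, the less state has to be guarded like this.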