Post-auth and Rejected logins
Hi,

Hope the following makes sense.

I have a perl module that runs in post-auth. It checks various things that confirm whether the user may have access and, if not, would turn an Accept into a Reject.

I want this perl module to run whether the authentication previously failed or not.

I'm using the documented method of the following:

    post-auth {
        my_perl
        Post-Auth-Type REJECT {
            my_perl
        }
    }

The problem comes in here.

If authentication failed, the module runs once only (in the Post-Auth-Type REJECT stanza).

If authentication was OK, and my perl module also OK's the request, it runs once only (in the non Post-Auth-Type REJECT stanza).

But if the authentication was OK, and my perl module then decides to reject the Authentication (by returning RLM_MODULE_REJECT), the perl module runs twice.

I've tried swopping around the post-auth section as follows:

    post-auth {
        Post-Auth-Type REJECT {
            my_perl
        }
        my_perl
    }

The REJECT stanza is still executed if the non-REJECT stanza turns the accept into a reject.

The only solution I can come up with is to set a Tmp-String, and using unlang try to force the perl to not run again.

Does anyone know of a more elegant way?

Thanks!

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Post-auth and Rejected logins
Johan Meiring wrote:
> If the authentication was OK, and my perl module then decides to reject the
> Authentication (by returning RLM_MODULE_REJECT),

Don't do that.

The post-auth section is for running modules AFTER the user has been accepted or rejected. It doesn't make much sense to accept the user, and then reject them.

Instead, reject the user earlier in the packet processing.

Alan DeKok.
Re: Post-auth and Rejected logins
On 2011/09/26 11:38 PM, Alan DeKok wrote:
> Johan Meiring wrote:
> > If the authentication was OK, and my perl module then decides to reject the
> > Authentication (by returning RLM_MODULE_REJECT),
>
> Don't do that.
>
> The post-auth section is for running modules AFTER the user has been
> accepted or rejected. It doesn't make much sense to accept the user, and
> then reject them.
>
> Instead, reject the user earlier in the packet processing.

Hi Alan,

What you say makes sense.

My perl code used to run in the Authorisation section. The reason I moved it down (to post-auth) is that some of my queries are very database intensive (complex system).

i.e. what I had was:

1) Authorisation (using rlm_perl): Check various stuff. If OK so far, create Cleartext-Password, else reject
2) Authentication, PAP/CHAP/whatever

What I tried to avoid was that the "check various stuff" runs if the user supplied the wrong password.

I therefore modified the setup as follows:

1) Authorisation - Create Cleartext-Password (using rlm_mysql)
2) Authentication - PAP/CHAP/whatever
3) Post-Auth - Check the various stuff and reject (using rlm_perl)

This saves a lot of unnecessary (database) CPU cycles.

Using a Tmp-String works. My post-auth now looks as follows:

    post-auth {
        my_perl
        Post-Auth-Type REJECT {
            if (%{reply:Tmp-String-0} != DONTRUNAGAIN) {
                my_perl
            }
        }
    }

The perl post-auth subroutine simply contains the following:

    $RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

This works as expected. I was just hoping for a more elegant solution.

Thanks again!!

--
Johan Meiring
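
The Tmp-String guard from the last message can also be checked inside the Perl module, so both `my_perl` lines stay unconditional. This is an added example, not code from the thread or from FreeRADIUS; `user_may_access` and the `simulate` driver are hypothetical, and it assumes, as the unlang check in the thread does, that the reply marker set on the first call is still visible on the second.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# rlm_perl exchanges attributes with the server through these hashes.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes as defined in the example.pl shipped with rlm_perl.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };

my $expensive_calls = 0;    # instrumentation for the demo driver only

# Hypothetical stand-in for the database-heavy access checks.
sub user_may_access {
    my ($user) = @_;
    $expensive_calls++;
    return $user ne 'blocked';
}

# Called by the server for every "my_perl" line in post-auth.
sub post_auth {
    # Second call for the same request: the marker is already in the reply.
    return RLM_MODULE_NOOP
        if ($RAD_REPLY{'Tmp-String-0'} // '') eq 'DONTRUNAGAIN';
    $RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';
    return user_may_access($RAD_REQUEST{'User-Name'})
        ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

# Constructed driver: models the flow described in the thread, where a
# reject returned from post-auth makes the server run the REJECT stanza too.
sub simulate {
    my ($user, $auth_ok) = @_;
    %RAD_REQUEST = ('User-Name' => $user);
    %RAD_REPLY   = ();
    $expensive_calls = 0;
    my $rc = $auth_ok ? post_auth() : RLM_MODULE_REJECT;
    post_auth() if $rc == RLM_MODULE_REJECT;    # Post-Auth-Type REJECT
    return $expensive_calls;
}

# Demo only; delete this loop before loading the file under rlm_perl.
printf "%-24s checks run: %d\n", $_->[0], simulate($_->[1], $_->[2]) for
    [ 'auth failed',            'alice',   0 ],
    [ 'auth ok, checks pass',   'alice',   1 ],
    [ 'auth ok, checks reject', 'blocked', 1 ];
```

Each of the three paths reports one run of the expensive checks, including the accept-turned-reject path that previously ran them twice.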