inside Auth-Type has different rules
Hello, I have following configuration: authenticate { Auth-Type CHAP { chap db_backend chap { ok = 1 } db_backend } } First chap module call should handle cases when Cleartext-Password already set (for example, by files module). If there is Cleartext-Password, chap module returns *ok* or *reject*, so authentication should stop on these return codes. If there is no Cleartext-Password, chap module returns *invalid*, so authentication should proceed further. db_backend is a custom module that uses backend database. First db_backend call returns: - *ok* if backend database do not want password checking, - *reject* if backend database want to reject authentication, - *handled* if Proxy-To-Realm returned from backend database, - *updated* if Cleartext-Password returned from backend database. Authentication should stop on *ok*, *reject*, and *handled* return codes, and should proceed on *updated* return code. Second chap module call should check CHAP-Password against Cleartext-Password. Return code *ok* handling changed to proceed with authentication if password is correct. Second db_backend call returns *ok*, *reject*, or *handled* like first db_backend call. In freeradius 1.1.x this configuration works fine. In freeradius 2.1.x it doesn't work. I found that in freeradius 2.0.2 return code handling in Auth-Type subsections was changed. In freeradius 1.1.x return code handling was: - return notfound, ok, reject, userlock, handled - save noop, updated, fail, invalid (all with priority 1) In freeradius 2.1.x (starting with 2.0.2) return code handling is identical to authorize section: - save notfound (prio 1), noop (prio 2), ok (prio 3), updated (prio 4) - return fail, reject, userlock, invalid, handled This change was committed by commit id 4719ed0ce65f19586364. What is the reason for the change? It changes requirements for module return codes. Moreover, return code handling was changed only in Auth-Type subsections, not in authenticate section. When module's authenticate hook is called module has no clue is it called from authenticate section or from Auth-Type subsection. Regards, Iliya Peregoudov
Iliya Peregoudov wrote:
I have following configuration:
authenticate { Auth-Type CHAP { chap db_backend chap { ok = 1 } db_backend } }
That configuration is wrong. The purpose of the "authenticate" section is to do authentication. If you're doing DB lookups, then those lookups belong in the "authorize" section.
First chap module call should handle cases when Cleartext-Password already set (for example, by files module). If there is Cleartext-Password, chap module returns *ok* or *reject*, so authentication should stop on these return codes. If there is no Cleartext-Password, chap module returns *invalid*, so authentication should proceed further.
Why not do those checks in the "authorize" section? authorize { ... files if (notfound) { db_backend } ... }
In freeradius 1.1.x this configuration works fine. In freeradius 2.1.x it doesn't work.
It's not supposed to work.
What is the reason for the change? It changes requirements for module return codes. Moreover, return code handling was changed only in Auth-Type subsections, not in authenticate section. When module's authenticate hook is called module has no clue is it called from authenticate section or from Auth-Type subsection.
Exactly. The change allowed people to put better policies into the authenticate sub-sections. Alan DeKok.
participants (2)
-
Alan DeKok -
Iliya Peregoudov