Reporting from logs
Matthew Newton
mcn4 at leicester.ac.uk
Tue Sep 25 22:49:53 CEST 2012
On Tue, Sep 25, 2012 at 06:08:04PM +0100, Phil Mayers wrote:
> On 25/09/12 17:25, Matthew Newton wrote:
>
> >I've been looking at the code recently to also see if the
> >Post-Auth REJECT in inner-tunnel can be fixed. I can see an easy
> >and fairly obvious of doing it, but the right way seems to involve
> Ah I remember this. It's because rad_authenticate calls rad_postauth
> if authentication succeeds, but relies on request_finish to call
> rad_postauth in the case of failure.
That's the one.
> I did think about this myself; one option is to call rad_postauth
> manually if rad_authenticate(fake) fails in peap.c - which I guess
> is the easy/obvious solution you're referring to? Certainly
> preferable to the current situation IMO.
Yes. I'm just testing that to see if it behaves as expected - will
post a patch for discussion if it seems OK.
> The "Post-Auth-Type REJECT" stuff did originally live in
> rad_authenticate - it was removed in commit 47a090897a. Not sure
> what the rationale was - something to do with reject_delay? - so I
> was unwilling to fiddle. Alan, can you comment?
I guess reject_delay makes sense - assuming that post_auth should
be delayed until the same time as the reply packet. I'm not
knowledgable enought to know why the two should happen at the same
time (e.g. why post_auth can't happen a little while before the
actual reject is sent back). Assuming that is the reason, anyway.
However, for a virtual server, there won't be a reject delay, so
that's not a problem.
Looking at the code, rad_authenticate seems to have a lot of
legacy stuff in it, and seems to have quite a "jumpy" code path
(lots of ifs that can jump over each other). Especially calling
post_auth on success, but not on failure, seems the wrong thing to
do - it would be better (IMHO) for consistency to not call
post_auth at all, and leave it up to the calling function to
handle it. Maybe it could do with a bit of a tidy? I'll try and
have a look.
Cheers,
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Devel
mailing list