A question about Response-Packet-Type Attribute
Oleg Kravtsov
oleg_box at mail.ru
Thu Jun 23 16:21:57 CEST 2005
Hi Everybody,

I found the solution to the task I described, it is quite simple. I
would like to share the solution with you just in case you want the same
feature in the future.

I've added a post-auth callback for the "files" module, which actually just
calls the callback used for authentication.
The post-auth callback is called only in case we successfully authenticated,
and so we can use it only when Access-Accept is going to be sent.
In case of Access-Challenge we do not go to this section, so we can
write a configuration file like the following:
"users" file:

# This rule will be applied only in case RADIUS Server sends Access-Accept message.
# You can add any attributes you want to be sent in Accept message, and else
# overwrite (or remove) attributes added in common rule (specified below).
"oleg"	Response-Packet-Type == Access-Accept, User-Password == "oleg pass"
	Acct-Interim-Interval := 60,
	Idle-Timeout := 20,
	Class := "Accept Class",
# We want Session-Timeout attribute with 50 in Access-Accept (without this
# line we will get 100 value, which is set in "common rule")
	Session-Timeout := 50,
	Termination-Action := 0,
# This is an example of removing attribute from Access-Accept message,
# which was added in common rule.
	Session-Timeout -= 100

# Common rule
# We enter this rule any time we get Access-Request message before
# authentication takes place.
# Here we should add a set of attributes we want to be included in
# Access-Challenge messages.
# If you should take care about not including some of these attributes
# in Access-Accept messages, you need to remove them explicitly in the
# previous rule.
"oleg"	User-Password == "oleg pass"
# We want Session-Timeout attribute with 100 in Access-Accept
	Session-Timeout := 100
Also we should add the "files" module into the post-auth section - add a
single line in the "radiusd.conf" file:

post-auth {
	...
	# The following line is a new one.
	files
	...
}
What should be added in sources:
------------------------------------------
src/modules/rlm_files/rlm_files.c

Add this function:

/*
 *	Post-auth callback: process the "users" file once more, now that
 *	Response-Packet-Type is set, by calling the authorize function.
 */
static int file_postauth(void *instance, REQUEST *request)
{
	return file_authorize(instance, request);
}

Modify the following variable:

module_t rlm_files = {
	...
};

instead of the line:

	NULL		/* post-auth */

put:

	file_postauth	/* post-auth */
Yes, it is pretty simple.
How it works:
------------------
First, on the "auth" action the server skips the first "oleg" user entry as
Response-Packet-Type is still "0", and we match the second entry. This
entry should keep the set of attributes we need to include in the
Access-Challenge packet (in our case Session-Timeout equals 100).
When the server decides that it is time to send the Access-Accept message it
does the "post-auth" action, and in our case the users file is processed again.
This time the Response-Packet-Type attribute is Access-Accept, so that we
overwrite all the attributes set on the "auth" action with new ones (using
+= operators).
Hope that will help someone.
Best Regards,
Oleg.
PS: I've been really delighted reading your sources - well-done work!
Thank you.
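The two-pass behaviour described in the message (the users file matched once in authorize with Response-Packet-Type still 0, then again in post-auth with Response-Packet-Type = Access-Accept) can be traced with a small model of the users-file matching rules. The code below is an added example, not FreeRADIUS's own code or the poster's patch: it is a toy parser and evaluator for a constructed users-file fragment, with simplified semantics for the ==, :=, =, += and -= operators (-= removes only pairs matching both attribute and value) and no Fall-Through support.

```python
import re

# Constructed users-file fragment (not the original post's file). The first
# entry can only match in post-auth, once Response-Packet-Type has been set;
# the second "common" entry is what matches during authorize.
USERS_FILE = '''\
# matched only in post-auth, when Response-Packet-Type == Access-Accept
"oleg" Response-Packet-Type == Access-Accept, User-Password == "oleg pass"
    Session-Timeout := 50,
    Class := "Accept Class",
    Reply-Message -= "challenge"

# common entry: matched in authorize (Response-Packet-Type is still 0)
"oleg" User-Password == "oleg pass"
    Session-Timeout := 100,
    Reply-Message := "challenge"
'''

# attribute, operator, value; value is either a quoted string or a bare word
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|-=|=)\s*("[^"]*"|[^,\s#]+)')


def parse_value(raw):
    """Strip quotes; bare integers become ints so 0 != "Access-Accept"."""
    if raw.startswith('"'):
        return raw[1:-1]
    return int(raw) if re.fullmatch(r'-?\d+', raw) else raw


def parse_items(text):
    return [(attr, op, parse_value(val)) for attr, op, val in ITEM_RE.findall(text)]


def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                          # blank or full-line comment
        if line[0].isspace():                 # continuation line: reply items
            entries[-1][2].extend(parse_items(line))
        else:                                 # new entry: name, then check items
            name, _, rest = line.partition(' ')
            entries.append((name.strip('"'), parse_items(rest), []))
    return entries


def matches(checks, request):
    """Every check item must hold; only == is modelled here."""
    return all(op == '==' and request.get(attr) == value
               for attr, op, value in checks)


def apply_reply(items, reply):
    """Apply reply items to the reply list (list of (attr, value) pairs)."""
    for attr, op, value in items:
        if op == ':=':                        # replace any existing attr
            reply[:] = [p for p in reply if p[0] != attr]
            reply.append((attr, value))
        elif op == '=':                       # add only if not already present
            if not any(p[0] == attr for p in reply):
                reply.append((attr, value))
        elif op == '+=':                      # always append another instance
            reply.append((attr, value))
        elif op == '-=':                      # remove matching attr/value pairs
            reply[:] = [p for p in reply if p != (attr, value)]


def process(entries, request, reply):
    """First entry whose name and check items match wins (no Fall-Through)."""
    for name, checks, items in entries:
        if name == request['User-Name'] and matches(checks, request):
            apply_reply(items, reply)
            return name
    return None


def simulate(users_text):
    """Run the authorize pass, then the post-auth pass, on one request."""
    entries = parse_users(users_text)
    request = {'User-Name': 'oleg', 'User-Password': 'oleg pass',
               'Response-Packet-Type': 0}        # not yet decided
    reply = []
    process(entries, request, reply)             # authorize: common entry
    challenge_reply = dict(reply)                # what Access-Challenge carries
    request['Response-Packet-Type'] = 'Access-Accept'
    process(entries, request, reply)             # post-auth: first entry
    return challenge_reply, dict(reply)          # Access-Accept contents


if __name__ == '__main__':
    print(simulate(USERS_FILE))
```

Running it shows the common entry populating the reply with Session-Timeout = 100 during authorize, and the post-auth pass replacing it with 50, adding Class and removing the Reply-Message that the common entry had added.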