inside Auth-Type has different rules

Iliya Peregoudov iperegudov at cboss.ru
Fri Oct 1 15:30:04 CEST 2010


Hello,

I have the following configuration:

authenticate {
   Auth-Type CHAP {
     chap
     db_backend
     chap {
       ok = 1
     }
     db_backend
   }
}

The first chap module call should handle cases when Cleartext-Password 
is already set (for example, by the files module). If there is a 
Cleartext-Password, the chap module returns *ok* or *reject*, so 
authentication should stop on these return codes. If there is no 
Cleartext-Password, the chap module returns *invalid*, so authentication 
should proceed further.

db_backend is a custom module that uses a backend database. The first 
db_backend call returns:
- *ok* if the backend database does not want password checking,
- *reject* if the backend database wants to reject authentication,
- *handled* if Proxy-To-Realm is returned from the backend database,
- *updated* if Cleartext-Password is returned from the backend database.
Authentication should stop on the *ok*, *reject*, and *handled* return 
codes, and should proceed on the *updated* return code.

The second chap module call should check CHAP-Password against 
Cleartext-Password. Handling of the return code *ok* is changed to 
proceed with authentication if the password is correct.

The second db_backend call returns *ok*, *reject*, or *handled* like the 
first db_backend call.

In freeradius 1.1.x this configuration works fine.
In freeradius 2.1.x it doesn't work.

I found that in freeradius 2.0.2 return code handling in Auth-Type 
subsections was changed. In freeradius 1.1.x return code handling was:

- return notfound, ok, reject, userlock, handled
- save noop, updated, fail, invalid (all with priority 1)

In freeradius 2.1.x (starting with 2.0.2) return code handling is 
identical to authorize section:

- save notfound (prio 1), noop (prio 2), ok (prio 3), updated (prio 4)
- return fail, reject, userlock, invalid, handled

This change was committed by commit id 4719ed0ce65f19586364.

What is the reason for the change? It changes the requirements for module 
return codes. Moreover, return code handling was changed only in 
Auth-Type subsections, not in the authenticate section. When a module's 
authenticate hook is called, the module has no clue whether it is called 
from the authenticate section or from an Auth-Type subsection.

Regards,
Iliya Peregoudov
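
Added example, not part of the original post and not FreeRADIUS code: a simplified model of section return-code handling that runs the Auth-Type CHAP block above under the two default tables listed in the post. The names `run_section`, `RULES_1_1`, `RULES_2_1` and `AUTH_TYPE_CHAP`, the sample return-code sequence, and the rule that a tie in priority goes to the later code are assumptions of this sketch.

```python
# Simplified model of return-code handling in a section (illustration only).
RETURN = "return"  # action: stop the section and return this code

# Default actions per return code, as listed in the post.
RULES_1_1 = {
    "notfound": RETURN, "ok": RETURN, "reject": RETURN,
    "userlock": RETURN, "handled": RETURN,
    "noop": 1, "updated": 1, "fail": 1, "invalid": 1,
}
RULES_2_1 = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
    "fail": RETURN, "reject": RETURN, "userlock": RETURN,
    "invalid": RETURN, "handled": RETURN,
}

# The Auth-Type CHAP block from the post: (module, per-call overrides).
AUTH_TYPE_CHAP = [
    ("chap", {}),
    ("db_backend", {}),
    ("chap", {"ok": 1}),
    ("db_backend", {}),
]

def run_section(defaults, section, rcodes):
    """Feed one return code per module call; return (final code, calls made)."""
    best, best_prio, trace = None, 0, []
    for (module, overrides), rcode in zip(section, rcodes):
        trace.append(f"{module}:{rcode}")
        action = {**defaults, **overrides}[rcode]
        if action == RETURN:
            return rcode, trace          # section stops here
        if action >= best_prio:          # assumption: ties go to the later code
            best, best_prio = rcode, action
    return best, trace

# Constructed scenario: no Cleartext-Password at first, the backend supplies
# one, the second chap call verifies it, the second backend call accepts.
SCENARIO = ["invalid", "updated", "ok", "ok"]

if __name__ == "__main__":
    for name, rules in (("1.1.x", RULES_1_1), ("2.1.x", RULES_2_1)):
        print(name, run_section(rules, AUTH_TYPE_CHAP, SCENARIO))
```

Under the 2.1.x table the first chap call's *invalid* ends the section before db_backend is consulted, while under the 1.1.x table all four calls run.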



