Allow "eap" in Post-Auth-Type Reject
authorAlan T. DeKok <aland@freeradius.org>
Thu, 26 Mar 2015 18:12:45 +0000 (13:12 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 26 Mar 2015 18:12:45 +0000 (13:12 -0500)
which sends EAP failure and Message-Authenticator

raddb/sites-available/default
share/dictionary.freeradius.internal
src/modules/rlm_eap/rlm_eap.c

index 520ccbc..dd12b60 100644 (file)
@@ -157,6 +157,8 @@ authorize {
                ok = return
        }
 
+       reject
+
        #
        #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
        #  using the system API's to get the password.  If you want
@@ -575,6 +577,12 @@ post-auth {
        Post-Auth-Type REJECT {
                # log failed authentications in SQL, too.
 #              sql
+
+               # Insert EAP-Failure message if the request was
+               # rejected by policy instead of because of an
+               # authentication failure
+               eap
+
                attr_filter.access_reject
        }
 }
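Review bot: The bare `reject` added after the `eap { ok = return }` block in `authorize` (first hunk of this file) is unconditional: every request that the eap module does not short-circuit with `ok = return` now leaves authorize with reject before the password lookups that follow it ever run, which reads like a test line committed by accident rather than part of this change. If it was meant to exercise the new Post-Auth-Type Reject path, drop it from the shipped default site, or wrap it in a condition and comment what it is for. The second hunk's placement of `eap` ahead of `attr_filter.access_reject` seems right, since the filter should see the EAP-Message and Message-Authenticator the module inserts; confirm that the access_reject attribute list permits both.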
index c05105c..ecdf7f8 100644 (file)
@@ -538,6 +538,7 @@ VALUE       Session-Type                    Local                   0
 #
 #      And Post-Auth
 VALUE  Post-Auth-Type                  Local                   0
+VALUE  Post-Auth-Type                  Reject                  2
 
 #
 #      Experimental Non-Protocol Integer Translations for FreeRADIUS
index e165b73..d8a8a77 100644 (file)
@@ -732,6 +732,62 @@ static int eap_post_proxy(void *inst, REQUEST *request)
 }
 #endif
 
+static int eap_post_auth(void *instance, REQUEST *request)
+{
+       rlm_eap_t       *inst = instance;
+       VALUE_PAIR      *vp;
+       EAP_HANDLER     *handler;
+       eap_packet_t    *eap_packet;
+
+       /*
+        *      Only build a failure message if something previously rejected the request
+        */
+       vp = pairfind(request->config_items, PW_POSTAUTHTYPE);
+
+       /*
+        *      Post-Auth-Type REJECT in dictionary.freeradius.internal
+        */
+       if (!vp || (vp->vp_integer != 2)) return RLM_MODULE_NOOP;
+
+       if (!pairfind(request->packet->vps, PW_EAP_MESSAGE)) {
+               RDEBUG2("Request didn't contain an EAP-Message, not inserting EAP-Failure");
+               return RLM_MODULE_NOOP;
+       }
+
+       if (pairfind(request->reply->vps, PW_EAP_MESSAGE)) {
+               RDEBUG2("Reply already contained an EAP-Message, not inserting EAP-Failure");
+               return RLM_MODULE_NOOP;
+       }
+
+       eap_packet = eap_vp2packet(request->packet->vps);
+       if (!eap_packet) {
+               RDEBUG("Malformed EAP Message");
+               return RLM_MODULE_FAIL;
+       }
+
+       handler = eap_handler(inst, &eap_packet, request);
+       if (!handler) {
+               RDEBUG2("Failed to get handler, probably already removed, not inserting EAP-Failure");
+               return RLM_MODULE_NOOP;
+       }
+
+       RDEBUG2("Request was previously rejected, inserting EAP-Failure");
+       eap_fail(handler);
+       eap_handler_free(inst, handler);
+
+       /*
+        * Make sure there's a message authenticator attribute in the response
+        * RADIUS protocol code will calculate the correct value later...
+        */
+       vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR);
+       if (!vp) {
+               vp = pairmake("Message-Authenticator", "0x00", T_OP_EQ);
+               pairadd(&request->reply->vps, vp);
+       }
+
+       return RLM_MODULE_UPDATED;
+}
+
 /*
  *     The module name should be the only globally exported symbol.
  *     That is, everything else should be 'static'.
@@ -754,6 +810,6 @@ module_t rlm_eap = {
 #else
                NULL,
 #endif
-               NULL                    /* post-auth */
+               eap_post_auth           /* post-auth */
        },
 };
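Review bot: In `eap_post_auth` (first hunk of this file), the `pairmake("Message-Authenticator", "0x00", T_OP_EQ)` result inside the `if (!vp)` branch is passed straight to `pairadd` without a NULL check; if pairadd in this tree tolerates a NULL second argument the omission is harmless, otherwise an allocation failure becomes a NULL dereference, so `if (vp) pairadd(&request->reply->vps, vp);` (or an `RDEBUG` plus `return RLM_MODULE_FAIL`) is cheaper than confirming. The `vp->vp_integer != 2` test relies on a literal that must stay in step with the new `VALUE Post-Auth-Type Reject 2` dictionary line; a named constant (for example a `PW_POSTAUTHTYPE_REJECT` define beside the other PW_* values) would make that coupling visible to whoever edits either side. Ownership of `eap_packet` when `eap_handler` returns NULL is not visible in this hunk; confirm that eap_handler frees or consumes the packet on that path, since this function neither frees it nor hands it back. A header comment stating the contract would also help, e.g. `/* Post-auth: if the request was rejected by policy (Post-Auth-Type = Reject) and carried an EAP-Message, add an EAP-Failure and a Message-Authenticator to the reply. */`.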