ok = return
}
+ reject
+
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
# sql
+
+ # Insert EAP-Failure message if the request was
+ # rejected by policy instead of because of an
+ # authentication failure
+ eap
+
attr_filter.access_reject
}
}
}
#endif
+static int eap_post_auth(void *instance, REQUEST *request)
+{
+ rlm_eap_t *inst = instance;
+ VALUE_PAIR *vp;
+ EAP_HANDLER *handler;
+ eap_packet_t *eap_packet;
+
+ /*
+ * Only build a failure message if something previously rejected the request
+ */
+ vp = pairfind(request->config_items, PW_POSTAUTHTYPE);
+
+ /*
+ * Post-Auth-Type REJECT in dictionary.freeradius.internal
+ */
+ if (!vp || (vp->vp_integer != 2)) return RLM_MODULE_NOOP;
+
+ if (!pairfind(request->packet->vps, PW_EAP_MESSAGE)) {
+ RDEBUG2("Request didn't contain an EAP-Message, not inserting EAP-Failure");
+ return RLM_MODULE_NOOP;
+ }
+
+ if (pairfind(request->reply->vps, PW_EAP_MESSAGE)) {
+ RDEBUG2("Reply already contained an EAP-Message, not inserting EAP-Failure");
+ return RLM_MODULE_NOOP;
+ }
+
+ eap_packet = eap_vp2packet(request->packet->vps);
+ if (!eap_packet) {
+ RDEBUG("Malformed EAP Message");
+ return RLM_MODULE_FAIL;
+ }
+
+ handler = eap_handler(inst, &eap_packet, request);
+ if (!handler) {
+ RDEBUG2("Failed to get handler, probably already removed, not inserting EAP-Failure");
+ return RLM_MODULE_NOOP;
+ }
+
+ RDEBUG2("Request was previously rejected, inserting EAP-Failure");
+ eap_fail(handler);
+ eap_handler_free(inst, handler);
+
+ /*
+ * Make sure there's a message authenticator attribute in the response
+ * RADIUS protocol code will calculate the correct value later...
+ */
+ vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR);
+ if (!vp) {
+ vp = pairmake("Message-Authenticator", "0x00", T_OP_EQ);
+ pairadd(&request->reply->vps, vp);
+ }
+
+ return RLM_MODULE_UPDATED;
+}
+
/*
* The module name should be the only globally exported symbol.
* That is, everything else should be 'static'.
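Review bot: On the `if (!handler)` path the `eap_packet` obtained from `eap_vp2packet()` is not released before `return RLM_MODULE_NOOP;`; `eap_handler()` takes `&eap_packet`, which suggests it may consume or free it, but if it does not do so on every failure path this leaks one packet per rejected request that carries an EAP-Message, a condition an unauthenticated peer can trigger at will, so the ownership contract should be confirmed and, if needed, `free(eap_packet);` added before that return. The same question applies to the successful path, where `eap_handler_free(inst, handler)` is relied on to release the packet now attached to the handler. The `vp->vp_integer != 2` test depends on the numeric value of `Post-Auth-Type REJECT` from the internal dictionary; naming it (for example `#define POST_AUTH_TYPE_REJECT 2 /* dictionary.freeradius.internal */`) keeps the check from silently breaking if the dictionary value moves. The result of `pairmake("Message-Authenticator", "0x00", T_OP_EQ)` is passed straight to `pairadd()`; a one-line `if (vp)` guard, or a comment stating that `pairadd()` tolerates NULL, would make the allocation-failure behaviour explicit.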
#else
NULL,
#endif
- NULL /* post-auth */
+ eap_post_auth /* post-auth */
},
};