Add EAP-Failure if EAP is called in Post-Auth REJECT and no EAP-Message has been...
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 26 Sep 2011 20:01:04 +0000 (22:01 +0200)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 26 Sep 2011 20:16:17 +0000 (22:16 +0200)
raddb/sites-available/default
share/dictionary.freeradius.internal
src/include/radius.h
src/modules/rlm_eap/rlm_eap.c

index 20c72ac..281f04a 100644 (file)
@@ -575,6 +575,10 @@ post-auth {
 #              sql
                attr_filter.access_reject
 
+               # Insert EAP-Failure message if the request was rejected by policy
+               # instead of because of an authentication failure
+               eap
+
                #  Remove reply message if the response contains an EAP-Message
                remove_reply_message_if_eap
        }
index 15ac53e..56c34a1 100644 (file)
@@ -464,6 +464,7 @@ VALUE       Session-Type                    Local                   0
 #
 #      And Post-Auth
 VALUE  Post-Auth-Type                  Local                   0
+VALUE  Post-Auth-Type                  Reject                  1
 
 #
 #      Experimental Non-Protocol Integer Translations for FreeRADIUS
index 3d9c221..66f4331 100644 (file)
 #define PW_AUTHTYPE_ACCEPT             254
 #define PW_AUTHTYPE_MS_CHAP            1028
 
+/* Post-auth types */
+#define PW_POSTAUTHTYPE_LOCAL   0
+#define PW_POSTAUTHTYPE_REJECT  1
+
 /*     Port Types              */
 
 #define PW_NAS_PORT_ASYNC              0
index c91bd0e..4dbbf8d 100644 (file)
@@ -731,6 +731,49 @@ static int eap_post_proxy(void *inst, REQUEST *request)
 }
 #endif
 
+static int eap_post_auth(void *instance, REQUEST *request)
+{
+       rlm_eap_t       *inst = instance;
+       VALUE_PAIR      *vp;
+       EAP_HANDLER     *handler;
+       eap_packet_t    *eap_packet;
+       
+       /*
+        * Only build a failure message if something previously rejected the request
+        */
+       vp = pairfind(request->config_items, PW_POSTAUTHTYPE, 0);
+
+       if (!vp || (vp->vp_integer != PW_POSTAUTHTYPE_REJECT)) return RLM_MODULE_NOOP;
+       
+       if (!pairfind(request->packet->vps, PW_EAP_MESSAGE, 0)) {
+               RDEBUG2("Request didn't contain an EAP-Message, not inserting EAP-Failure");
+               return RLM_MODULE_NOOP;
+       }
+       
+       if (pairfind(request->reply->vps, PW_EAP_MESSAGE, 0)) {
+               RDEBUG2("Reply already contained an EAP-Message, not inserting EAP-Failure");
+               return RLM_MODULE_NOOP;
+       }
+       
+       eap_packet = eap_vp2packet(request->packet->vps);
+       if (eap_packet == NULL) {
+               radlog_request(L_ERR, 0, request, "Malformed EAP Message");
+               return RLM_MODULE_FAIL;
+       }
+
+       handler = eap_handler(inst, &eap_packet, request);
+       if (handler == NULL) {
+               RDEBUG2("Failed to get handler, probably already removed, not inserting EAP-Failure");
+               return RLM_MODULE_NOOP;
+       }
+
+       RDEBUG2("Request was previously rejected, inserting EAP-Failure");
+       eap_fail(handler);
+       eap_handler_free(inst, handler);
+
+       return RLM_MODULE_UPDATED;
+}
+
 /*
  *     The module name should be the only globally exported symbol.
  *     That is, everything else should be 'static'.
@@ -753,6 +796,6 @@ module_t rlm_eap = {
 #else
                NULL,
 #endif
-               NULL                    /* post-auth */
+               eap_post_auth           /* post-auth */
        },
 };
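Review bot: The ownership of eap_packet after eap_handler() fails is not visible in eap_post_auth: eap_vp2packet() allocates it, and the `handler == NULL` path returns without touching it, so either eap_handler() frees *eap_packet on failure or this path leaks one packet for every rejected EAP request. If eap_handler() does free it, record that on the return, `/* eap_handler() frees *eap_packet on failure */`; if it does not, add `free(eap_packet);` before that `return RLM_MODULE_NOOP;`. The function also has no header comment; a short one stating that it acts only when Post-Auth-Type is Reject, the request carried an EAP-Message and the reply does not, and that it then appends an EAP-Failure and frees the handler, would make the three early NOOP returns self-explanatory. The second hunk only wires the hook into rlm_eap's method table and needs nothing further.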