ClearBox Server v1.2 Developer's Guide
Common Authentication Process
The generic authentication process is used when the server implements ICommonAuthentication. It is used by both TACACS+ and RADIUS and contains generic methods to retrieve a user's password and check it. Generally, the server deals with the authentication protocols (PAP, CHAP, MS CHAP, MS CHAPv2, ARAP, EAP-MD5), while the extension is responsible only for storing users' passwords.
First, when the server receives a packet with an authentication request, it determines the authentication protocol from the attributes present in the packet.
Then the server gets the user's password by calling ICommonAuthentication::GetUserPassword.
If the user is not found by name, the extension should set the userExist parameter to VARIANT_FALSE; the authentication process then terminates, rejecting the user and calling ICommonAuthentication::LogonStatus with the authRes parameter set to AR_NOUSER.
If the extension reports that no authentication should be performed for the user by setting the ignorePassword parameter to VARIANT_TRUE, the user's password is not checked, and common authentication ends successfully.
If the user is found and the password should be checked, the clearTextPassword parameter is examined.
If the common authentication process ends successfully, RADIUS-specific or TACACS+-specific authentication is performed if the server extension supports it. If it is passed, ICommonAuthentication::LogonStatus is called with authRes set to AR_OK. If the server extension did not authenticate the user, ICommonAuthentication::LogonStatus is called with authRes set to AR_EXTNDREJ, and the user is rejected.
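The decision order described above, as an added C++ model that is not ClearBox code and does not reproduce the COM interface: it shows that userExist is evaluated before ignorePassword and includes an audit helper that lists users whose password is never checked. PasswordLookup, commonAuthenticate, passwordlessUsers, sampleLookups and MODEL_PASSWORD_REJECTED are hypothetical names, the enum values are not the SDK's, and the protocol-level password check is reduced to a boolean input.

```cpp
#include <string>
#include <vector>

// AR_OK, AR_NOUSER and AR_EXTNDREJ are names from the guide; the numeric
// values here are NOT the SDK's. MODEL_PASSWORD_REJECTED is hypothetical:
// the guide does not name the result of a failed password check.
enum AuthRes { AR_OK, AR_NOUSER, AR_EXTNDREJ, MODEL_PASSWORD_REJECTED };

// What an extension reports from GetUserPassword, modelled with plain bools
// instead of VARIANT_BOOL (hypothetical struct). Defaults fail closed: a
// field the extension forgets to set must not yield a password-less user.
struct PasswordLookup {
    std::string user;
    bool userExist = false;
    bool ignorePassword = false;
};

// passwordMatches stands in for the server's protocol check (PAP, CHAP, ...),
// which this model does not implement. extensionAccepts is the outcome of the
// RADIUS- or TACACS+-specific stage (assumed true when the extension has none).
AuthRes commonAuthenticate(const PasswordLookup& u, bool passwordMatches,
                           bool extensionAccepts) {
    if (!u.userExist) return AR_NOUSER;             // checked first, ends the process
    if (!u.ignorePassword && !passwordMatches)      // ignorePassword skips the check
        return MODEL_PASSWORD_REJECTED;
    return extensionAccepts ? AR_OK : AR_EXTNDREJ;  // protocol-specific stage
}

// Audit helper: existing users for whom the common stage succeeds even with
// a wrong password, i.e. accounts reported with ignorePassword set.
std::vector<std::string> passwordlessUsers(const std::vector<PasswordLookup>& all) {
    std::vector<std::string> out;
    for (const auto& u : all)
        if (commonAuthenticate(u, /*passwordMatches=*/false, true) == AR_OK)
            out.push_back(u.user);
    return out;
}

// Constructed sample records, not taken from any real user store.
std::vector<PasswordLookup> sampleLookups() {
    return { PasswordLookup{"alice", true, false},
             PasswordLookup{"kiosk", true, true},
             PasswordLookup{"ghost", false, true} };
}
```

Running passwordlessUsers over the records an extension would return gives a quick review list of accounts that authenticate without a password check.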
© 2001-2003 XPerience Technologies. www.xperiencetech.com