ClearBox Server™ v1.2 Developer's Guide

IRADIUSAuthentication::CanAuthenticate

Called by server after user is authenticated with his password.

HRESULT CanAuthenticate( 
	[in] long tag,
	[in] AUTHENTYPE authType, 
	[in] USERINFOLITE * userInf, 
	[out] BSTR * explainString, 
	[out] RADAUTHENREPLY * authenRes);

Parameters

tag: [in] Unique value identifying RADIUS packet in whose context this method is called.
authType: [in] Type of authentication. See Authentication Methods article for more details.
userInf: [in] Describes user being authenticated.
explainString: [out] If extension does not authenticate user and can give human-readable explanation of this decision, it must set this parameter by calling SysAllocString.
authenRes: [out] Extension returns the result of authentication by setting this parameter to appropriate value.

Return Values

If extension returns error code, user is rejected.

Thread Safety

This method is called in context of WORK thread. (See Server Threads Model for details.) You should synchronize data which is shared with other threads.

Memory Management

Memory for userInf fields is allocated and freed by server, so extension must not change them.

Memory for explainString may be allocated by extension and is freed by server.

Remarks

If authenRes=ACCESS_ACCEPT, user is authenticated, and authorization stage may be performed.

If authenRes=ACCESS_REJECT or authenRes=ACCESS_UNDEFINED, user is rejected.

If authenRes=ACCESS_CHALLENGE, IRADIUSAuthentication::GetChallengeResponseAttributes is called and challenge packet is sent back to client.

Example Code

This code rejects all users who try to login earlier than 20:00.

STDMETHODIMP CTest::CanAuthenticate(long tag, AUTHENTYPE authType, USERINFOLITE * userInf, 
	BSTR * explainString, RADAUTHENREPLY * authenRes ) 
{
	SYSTEMTIME systm;
	GetLocalTime(&systm); 
	if (systm.wHour<20)
	{
		*authenRes=ACCESS_REJECT;
		explainString=SysAllocString(L"Please, try after 20:00");
	}
	else 
		*authenRes=ACCESS_ACCEPT;
	return S_OK;
}