ClearBox Server™ v1.2 Developer's Guide

ITACACSProxyPolicy::CheckAuthentication

Called by the server before it forwards an authentication packet (via the FOLLOW action) to a remote server, to give the extension a chance to reject the packet.

HRESULT CheckAuthentication(
	[in] long tag,
	[in] TAC_AUTHEN_LITE * authenInfo,
	[out] VARIANT_BOOL * authenOK);

Parameters

tag
[in] Unique value identifying the TACACS+ packet in whose context this method is called.
authenInfo
[in] Authentication packet data.
authenOK
[out] Specifies whether the extension allows the packet to be forwarded (VARIANT_TRUE), or the server should reject the user (VARIANT_FALSE).

Return Values

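If the extension returns an error code, it is assumed that the packet will be forwarded normally. To reject a packet, the extension must return success with authenOK set to VARIANT_FALSE.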

Thread Safety

This method is called in the context of a WORK thread. (See Server Threads Model for details.) You should synchronize any data that is shared with other threads.

Memory Management

Memory for the authenInfo fields is allocated and freed by the server, so the extension must not change them.

Remarks

Although a server extension may reject a packet in ITACACSRealmStripping::TACACSRealmStripAuthen, it is logically clearer to do it here, as TACACSRealmStripAuthen is intended for realm stripping.

Example Code

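This code rejects all users requesting a privilege level higher than 1; all other packets are forwarded.

STDMETHODIMP CTest::CheckAuthentication(
	long tag, TAC_AUTHEN_LITE * authenInfo,
	VARIANT_BOOL * authenOK)
{
	// Reject any request for a privilege level above 1
	if (authenInfo->privilege_level > 1)
		*authenOK = VARIANT_FALSE;
	else
		*authenOK = VARIANT_TRUE;	// allow the server to forward the packet
	// Return success so that the verdict in authenOK is honoured
	return S_OK;
}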
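
A fail-closed variant of the check above, added here as an example and not part of the ClearBox SDK: because an error return causes the packet to be forwarded (Return Values), it reports an internal failure as success with VARIANT_FALSE, and it locks the shared privilege limit as Thread Safety requires. The typedefs and the one-field TAC_AUTHEN_LITE are stand-ins so the code compiles without the Windows and ClearBox headers; CPrivPolicy, SetMaxLevel, Limit and Forwarded are hypothetical names.

```cpp
#include <cstdio>
#include <mutex>
#include <stdexcept>

// Stand-ins (assumptions) so this compiles without the Windows SDK and the
// ClearBox headers; a real extension takes these from those headers instead.
typedef long HRESULT;
typedef short VARIANT_BOOL;
const VARIANT_BOOL VARIANT_TRUE = -1, VARIANT_FALSE = 0;
const HRESULT S_OK = 0, E_POINTER = (HRESULT)0x80004003L;
struct TAC_AUTHEN_LITE { int privilege_level; };  // only the field this page uses

class CPrivPolicy {                  // hypothetical extension class
    std::mutex lock_;                // guards maxLevel_, which other threads may change
    int maxLevel_ = -1;              // -1 = policy not loaded yet
    int Limit() {
        std::lock_guard<std::mutex> g(lock_);
        if (maxLevel_ < 0) throw std::runtime_error("policy not loaded");
        return maxLevel_;
    }
public:
    // Hypothetical setter, e.g. called from a configuration thread.
    void SetMaxLevel(int level) { std::lock_guard<std::mutex> g(lock_); maxLevel_ = level; }
    HRESULT CheckAuthentication(long /*tag*/, TAC_AUTHEN_LITE *authenInfo,
                                VARIANT_BOOL *authenOK) {
        if (!authenOK) return E_POINTER;   // no place to write a verdict
        *authenOK = VARIANT_FALSE;         // reject unless the policy allows
        try {
            if (authenInfo && authenInfo->privilege_level <= Limit())
                *authenOK = VARIANT_TRUE;
        } catch (...) {
            // An error HRESULT here would make the server forward the packet,
            // so an internal failure is reported as S_OK plus a rejection.
            *authenOK = VARIANT_FALSE;
        }
        return S_OK;
    }
};
// Helper for the demo: true when the packet would be forwarded.
bool Forwarded(CPrivPolicy &p, int level) {
    TAC_AUTHEN_LITE pkt = { level };
    VARIANT_BOOL ok = VARIANT_TRUE;
    return p.CheckAuthentication(1, &pkt, &ok) == S_OK && ok == VARIANT_TRUE;
}
int main() {
    CPrivPolicy p;
    bool early = Forwarded(p, 1);    // policy not loaded yet: rejected
    p.SetMaxLevel(1);
    std::printf("%d %d %d\n", early, Forwarded(p, 1), Forwarded(p, 15));
}
```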

See Also

ITACACSProxyPolicy, TACACS+ realm stripping and forwarding process


© 2001-2003 XPerience Technologies. www.xperiencetech.com
