ClearBox Server™ v1.2 Developer's Guide

ITACACSRealmStripping::TACACSRealmStripAuthorAcct

Called by the server to determine whether the authorization or accounting request packet will be forwarded, and to strip the user name and realm name from the packet content.

HRESULT TACACSRealmStripAuthorAcct(
	[in] long tag,
	[in] VARIANT_BOOL authorPacket,
	[in,out] TAC_AUTHORPARAMS * authorParams,
	[in,out] FORWARDADDRESS * fwdAddress,
	[out] VARIANT_BOOL * forwardPacket,
	[out] VARIANT_BOOL * nameOK);

Parameters

tag
[in] Unique value identifying TACACS+ packet in whose context this method is called.
authorPacket
[in] Specifies whether it is authorization packet (VARIANT_TRUE) or accounting (VARIANT_FALSE).
authorParams
[in,out] Describes the user. If the extension wants to change the user's name, it must reallocate the user field with a call to SysReAllocString. If the extension is capable of realm stripping, realmName may be allocated as the realm name string with SysAllocString.
fwdAddress
[in,out] If the extension proxies this request and forwardPacket is set to VARIANT_TRUE, the proxyIPAddress field of this parameter must be set to the host address to which the packet should be forwarded.
forwardPacket
[out] If the extension decides to instruct the NAS to forward this request, this parameter must be set to VARIANT_TRUE; set it to VARIANT_FALSE to process the packet locally.
nameOK
[out] If the user name has a valid format and/or the packet is forwarded, this must be set to VARIANT_TRUE. Otherwise the packet will be rejected.

Return Values

If the extension returns an error code and authorPacket is VARIANT_TRUE, it is assumed that the user did not pass authorization; otherwise an accounting error status is sent back.

Thread Safety

This method is called in the context of a WORK thread. (See Server Threads Model for details.) You should synchronize data that is shared with other threads.

Memory Management

Memory for authorParams is allocated and freed by the server. The realmName field is NULL on entry and may be allocated by the extension with a call to SysAllocString. If the extension changes the name field, it must reallocate memory for it with SysReAllocString.

Remarks

The server can proxy TACACS+ packets via a FOLLOW response only. In this case the server instructs the NAS (TACACS+ client) to resend the packet to the specified alternate TACACS+ server, and the NAS is responsible for forwarding the packet.

Example Code

This code forwards all accounting packets received from host 192.168.2.3 to 127.0.0.1.

STDMETHODIMP CTest::TACACSRealmStripAuthorAcct(
	long tag, VARIANT_BOOL authorPacket,
	TAC_AUTHORPARAMS * authorParams,
	FORWARDADDRESS * fwdAddress,
	VARIANT_BOOL * forwardPacket, VARIANT_BOOL * nameOK)
{
	// Default: process locally and accept the user name as-is
	*forwardPacket=VARIANT_FALSE;
	*nameOK=VARIANT_TRUE;
	// Accounting packets only (authorPacket==VARIANT_FALSE) from one NAS
	if (authorPacket==VARIANT_FALSE && 
		authorParams->clientIPAddress==inet_addr("192.168.2.3"))
	{
		// Tell the NAS (via FOLLOW) to resend the packet to 127.0.0.1
		*forwardPacket=VARIANT_TRUE;
		fwdAddress->proxyIPAddress=inet_addr("127.0.0.1");
		// Other fields are not used with TACACS+
	}
	return S_OK;
}
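A second example, added here and not taken from the ClearBox SDK, shows the realm-stripping side of the method: the name is split at its last "@", malformed names are rejected through nameOK, and a realm-to-server table (constructed for this example) decides whether the NAS is told to forward. SplitRealm and ProxyForRealm are helper names chosen for this example; the "user" field name and the realm "branch.example" with proxy 10.0.0.5 are assumptions, and the method body assumes the project's SDK and Winsock headers are already included.

```cpp
#include <string>
// Result of realm stripping for one user name (helper type defined here, not SDK).
struct RealmSplit {
    std::wstring user;   // name with the "@realm" suffix removed
    std::wstring realm;  // realm name, empty when the name carried none
    bool valid;          // false: set nameOK = VARIANT_FALSE so the server rejects
};
// Split "user@realm" at the last '@'. A bare name keeps its user part with an empty
// realm; whitespace, an empty user part or an empty realm are treated as malformed.
RealmSplit SplitRealm(const std::wstring& name) {
    RealmSplit r{name, L"", true};
    if (name.empty() || name.find_first_of(L" \t\r\n") != std::wstring::npos) {
        r.valid = false;
        return r;
    }
    size_t at = name.rfind(L'@');
    if (at != std::wstring::npos) {
        r.user = name.substr(0, at);
        r.realm = name.substr(at + 1);
        r.valid = !r.user.empty() && !r.realm.empty();
    }
    return r;
}
// Realm routing table (constructed for this example): alternate TACACS+ server
// for the realm, or nullptr to process the packet locally.
const char* ProxyForRealm(const std::wstring& realm) {
    return realm == L"branch.example" ? "10.0.0.5" : nullptr;
}
#ifdef _WIN32  // extension method; needs the SDK and Winsock headers of the project
// The "user" field name is assumed; take the real TAC_AUTHORPARAMS layout from the SDK.
STDMETHODIMP CTest::TACACSRealmStripAuthorAcct(long tag, VARIANT_BOOL authorPacket,
    TAC_AUTHORPARAMS* authorParams, FORWARDADDRESS* fwdAddress,
    VARIANT_BOOL* forwardPacket, VARIANT_BOOL* nameOK)
{
    *forwardPacket = VARIANT_FALSE;
    RealmSplit r = SplitRealm(authorParams->user ? authorParams->user : L"");
    *nameOK = r.valid ? VARIANT_TRUE : VARIANT_FALSE;
    if (r.valid && !r.realm.empty()) {
        SysReAllocString(&authorParams->user, r.user.c_str()); // server frees both
        authorParams->realmName = SysAllocString(r.realm.c_str());
        if (const char* proxy = ProxyForRealm(r.realm)) {
            *forwardPacket = VARIANT_TRUE;           // FOLLOW response to the NAS
            fwdAddress->proxyIPAddress = inet_addr(proxy);
        }
    }
    return S_OK;
}
#endif
```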

See Also

ITACACSRealmStripping, Realms and packet forwarding, TACACS+ realm stripping and forwarding process


© 2001-2003 XPerience Technologies. www.xperiencetech.com
