ClearBox Server v1.2 Developer's Guide |
Step 7. Implementing RADIUS and TACACS+ AuthenticationOn this step we implement methods of IRADIUSAuthentication and ITACACSAuthentication interfaces. We use them to control allowed authentication methods. 1. Create with a Add Function... wizard a method common for TACACS+ and RADIUS that authenticated user and checks if their accounts are valid. Set the following parameters:
Set its body to the following: bool CheckAuthentication(AUTHENTYPE authType, CString userName, CString& explainString) { bool res=false; switch(authType) { case AT_ASCII: case AT_PAP: res=m_PAPallowed; break; case AT_CHAP: res=m_CHAPallowed; break; case AT_MSCHAP: res=m_MSCHAPallowed; break; case AT_MSCHAPv2: res=m_MSCHAP2allowed; break; } if (!res) { explainString=_T("Unallowed authentication method"); return false; } if (m_AuthenType!=db) return true; CCommand First it checks whether some authentication was allowed in settings.ini file or not. If it's not allowed, user is rejected. Next if authentication is made through a database, user account is queried. User is rejected if Enabled field is false, if ValidSince is not null and is greater than current time or ValidTill time has expired. 2. Double-click first CanAuthenticate child node of CExtension in the Class View window. Change this method to the following: STDMETHOD(CanAuthenticate)(long tag, AUTHENTYPE authType, USERINFOLITE * userInf, BSTR * explainString, RADAUTHENREPLY * AUTHENRESULT) { USES_CONVERSION; CString expStr; bool res=CheckAuthentication(authType,W2T(userInf->userName),expStr); if (!res) { *AUTHENRESULT=ACCESS_REJECT; *explainString=expStr.AllocSysString(); } else *AUTHENRESULT=ACCESS_ACCEPT; return S_OK; } This method calls CheckAuthentication function we've just created. 3. Next we implement ITACACSAuthentication::CanAuthenticate in almost the same way: STDMETHOD(CanAuthenticate)(long tag, TAC_AUTHEN_LITE * authenParams, BSTR * explainString, unsigned char * tacacsStatus) { USES_CONVERSION; CString expStr; bool res=CheckAuthentication((AUTHENTYPE)authenParams->authentication_type, W2T(authenParams->user),expStr); if (!res) { *tacacsStatus=TAC_PLUS_AUTHEN_STATUS_FAIL; *explainString=expStr.AllocSysString(); } else *tacacsStatus=TAC_PLUS_AUTHEN_STATUS_PASS; return S_OK; } The only trick here is to cast authentication_type to AUTHENTYPE enumeration as they have the same values. 4. Finally we have to make GetRejectResponseAttributes, GetChallengeResponseAttributes and ChallengeDataReply methods return S_OK as we need not to implement them. Now our server extension is capable of authenticating users.
© 2001-2003 XPerience Technologies. www.xperiencetech.com |
Created by chm2web html help conversion utility. |