ClearBox Server™ v1.2 Developer's Guide

Common Authentication Process

The generic authentication process is used when the server extension implements ICommonAuthentication. It is shared by TACACS+ and RADIUS and contains the generic methods for retrieving a user's password and checking it. In general, the server deals with the authentication protocols (PAP, CHAP, MS-CHAP, MS-CHAPv2, ARAP, EAP-MD5), while the extension is responsible only for storing users' passwords.

Common authentication is usually performed in conjunction with RADIUS authentication or TACACS+ authentication.

First, when the server receives a packet carrying an authentication request, it determines the authentication protocol from the attributes present in the packet.

Then the server retrieves the user's password by calling ICommonAuthentication::GetUserPassword.

If no user with that name is found, the extension should set the userExist parameter to VARIANT_FALSE; the authentication process then terminates, rejecting the user and calling ICommonAuthentication::LogonStatus with the authRes parameter set to AR_NOUSER.

If the extension reports that no authentication should be performed for this user, by setting the ignorePassword parameter to VARIANT_TRUE, the user's password is not checked and common authentication ends successfully.

If the user is found and the password should be checked, the clearTextPassword parameter is examined.

  • If the extension has provided the user's password in clear text, the server checks it against the password found in the request packet. If the sent password is correct, the common authentication process ends successfully. If the passwords do not match, the user is rejected and ICommonAuthentication::LogonStatus is called with authRes set to AR_WRONGPWD.
  • If the user's password is not available to the extension in clear text, but it is present in the request packet unencrypted (AT_PAP authentication method only), ICommonAuthentication::CheckPassword is called so that the extension checks the password itself. If the passwords do not match, the user is rejected and ICommonAuthentication::LogonStatus is called with authRes set to AR_WRONGPWD. If the passwords match, the common authentication process ends successfully.
  • If no clear text password is available to the extension and the password in the request packet is encrypted (a challenge response that can only be verified against the clear text password), the user is rejected and ICommonAuthentication::LogonStatus is called with authRes set to AR_NOPWD.

If the common authentication process ends successfully, RADIUS specific or TACACS+ specific authentication is performed, if the server extension supports it. If that step passes, ICommonAuthentication::LogonStatus is called with authRes set to AR_OK. If the server extension did not authenticate the user, ICommonAuthentication::LogonStatus is called with authRes set to AR_EXTNDREJ and the user is rejected.
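The decision flow above, as an added example written for this page (it is not ClearBox SDK code): a plain C++ stand-in for the extension side of ICommonAuthentication, a server-side CommonAuthenticate that walks the branches in the order described, and a constructed in-memory extension with one user whose password is disclosed and one whose password can only be checked. The PasswordInfo struct, ProtocolAuth, VerifyFn and the demo users are assumptions; the real interface uses VARIANT_BOOL and BSTR out-parameters, and the server performs the CHAP/MS-CHAP/EAP-MD5 response check itself.

```cpp
#include <optional>
#include <string>
enum AuthRes { AR_OK, AR_NOUSER, AR_WRONGPWD, AR_NOPWD, AR_EXTNDREJ };
// Out-parameters of GetUserPassword (assumed shape; the COM interface uses VARIANT_BOOL/BSTR).
struct PasswordInfo {
    bool userExist = false;
    bool ignorePassword = false;
    std::optional<std::string> clearTextPassword;  // nullopt: extension cannot disclose it
};
// Plain-C++ stand-in for the extension side of ICommonAuthentication.
struct Extension {
    virtual ~Extension() = default;
    virtual PasswordInfo GetUserPassword(const std::string& user) = 0;
    virtual bool CheckPassword(const std::string& user, const std::string& pwd) = 0;
    virtual bool ProtocolAuth(const std::string& user) = 0;  // RADIUS/TACACS+ specific step
    virtual void LogonStatus(const std::string& user, AuthRes res) = 0;
};
// The server's decision flow. isPap: credential is the clear-text password; otherwise it is a
// challenge response that the server itself verifies (verifyResponse) from the clear-text password.
typedef bool (*VerifyFn)(const std::string& clearText, const std::string& credential);
AuthRes CommonAuthenticate(Extension& ext, const std::string& user, bool isPap,
                           const std::string& credential, VerifyFn verifyResponse) {
    PasswordInfo info = ext.GetUserPassword(user);
    if (!info.userExist) { ext.LogonStatus(user, AR_NOUSER); return AR_NOUSER; }
    if (!info.ignorePassword) {
        bool ok;
        if (info.clearTextPassword)
            ok = isPap ? (*info.clearTextPassword == credential)
                       : verifyResponse(*info.clearTextPassword, credential);
        else if (isPap)
            ok = ext.CheckPassword(user, credential);  // extension compares; PAP only
        else { ext.LogonStatus(user, AR_NOPWD); return AR_NOPWD; }  // hashed response, no reference
        if (!ok) { ext.LogonStatus(user, AR_WRONGPWD); return AR_WRONGPWD; }
    }
    AuthRes res = ext.ProtocolAuth(user) ? AR_OK : AR_EXTNDREJ;
    ext.LogonStatus(user, res);
    return res;
}
// Constructed demo extension: alice's password is disclosed, bob's can only be checked.
struct DemoExtension : Extension {
    AuthRes last = AR_OK;
    PasswordInfo GetUserPassword(const std::string& u) override {
        if (u == "alice") return {true, false, "s3cret"};
        if (u == "bob") return {true, false, std::nullopt};
        return {};
    }
    bool CheckPassword(const std::string& u, const std::string& p) override { return u == "bob" && p == "hunter2"; }
    bool ProtocolAuth(const std::string&) override { return true; }
    void LogonStatus(const std::string&, AuthRes r) override { last = r; }
};
```

Note that bob can only ever authenticate over PAP: with no clear-text password on the extension side, a challenge-response protocol has nothing to verify against and ends in AR_NOPWD.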

See also

Authentication concepts, RADIUS authentication, TACACS+ authentication


© 2001-2003 XPerience Technologies. www.xperiencetech.com
