ClearBox Server™ v1.2 Developer's Guide


This method is called when server needs to know secret key shared with specified client and
a) caching of client keys is turned off or
b) it is the first time client sent a request from this address.

HRESULT GetClientConnectionKey(
	[in] long clientIPAddr,
	[in] VARIANT_BOOL tacConnection,
	[in] VARIANT_BOOL authenPacket,
	[out] BSTR * connKey);


[in] IP address of client for which key is requested.
[in] Specifies whether it is TACACS+ client (VARIANT_TRUE) or RADIUS client (VARIANT_FALSE).
[in] Specifies whether it is an authentication request from client (VARIANT_TRUE) or accounting (VARIANT_FALSE). Flag is valid for RADIUS clients only.
[out] Extension returns key in this parameter. If there's no key associated with the client, then it must be set to NULL.
Note that key length must not be longer than 256 characters. If a string returned by server extension in connKey exceeds this limit, it is treated as if no key was returned.

Return Values

If extension returns code other than S_OK, it is assumed that key was not found.

Thread Safety

This method is called in context of RAD, TAC, WORK and PROX threads. (See Server Threads Model for details.) You should synchronize data which is shared with other threads.

Memory Management

Extension must allocate memory for connKey by SysAllocString if it wants to return key or set it to NULL otherwise.


If connKey is not set (extension did not provide a key) and tacConnection=VARIANT_FALSE, RADIUS packet is discarded.

If connKey is not set (extension did not provide a key) and tacConnection=VARIANT_TRUE and TACACS+ security settings require the key, TCP connection with TACACS+ client is closed.

ClearBox Server allows to maintain separate secrets for RADIUS authentication and accounting ports.

Example Code

This code returns two different keys for authentication and accounting RADIUS clients, ignoring IP address of client. No key is returned for TACACS+ clients.

STDMETHODIMP CTest::GetClientConnectionKey(long clientIPAddr, 
	VARIANT_BOOL tacConnection,
	VARIANT_BOOL authenPacket, 
	BSTR * connKey)
	if (tacConnection==VARIANT_FALSE) // It is RADIUS packet
		if (authenPacket==VARIANT_TRUE)
		*connKey=NULL; //We don't deal with TACACS+ clients
	return S_OK;

See Also

ICommonExtender, RADIUS secrets, TACACS+ secrets

© 2001-2003 XPerience Technologies.

Created by chm2web html help conversion utility.