ClearBox Server™ v1.2 Developer's Guide

IRADIUSAuthentication::ChallengeDataReply

Called when the server receives a response to its previous challenge request.

HRESULT ChallengeDataReply(
	[in] long tag,
	[in] long prevTag,
	[in] AUTHENTYPE authType,
	[in] USERINFOLITE * userInf,
	[in] RADIUS_ATTRIBUTE* stored,
	[out] RADAUTHENREPLY * authenRes);

Parameters

tag
[in] Unique value identifying the RADIUS packet in whose context this method is called.
prevTag
[in] Unique value identifying the RADIUS challenge packet.
authType
[in] Type of authentication. See the Authentication Methods article for more details.
userInf
[in] Describes the user.
stored
[in] RADIUS attribute that the server extension requested through the waitForAttribute parameter of its GetChallengeResponseAttributes implementation. Regardless of the attribute's natural type, stored always has the RADSTR type, and its strSize and strValue fields contain valid values. If the User-Password attribute was requested, strValue contains the unencrypted value. If the requested attribute was not found in the Access-Request, the type field of stored is 0 and the whole attribute is invalid.
authenRes
[out] The extension returns the result of authentication by setting this parameter to the appropriate value.

Return Values

If the extension returns an error code, the user is rejected.

Thread Safety

This method is called in the context of a WORK thread. (See Server Threads Model for details.) You should synchronize any data that is shared with other threads.

Memory Management

Memory for the userInf fields is allocated and freed by the server, so the extension must not change them.

Memory for the fields of the stored parameter is allocated and freed by the server.

Remarks

If a challenge response was received but IRADIUSAuthentication is not implemented, the user is rejected.

The stored attribute may be invalid (i.e. with a zero type field) if the requested attribute was not found, or if it has expired and been deleted after the time specified in Server Manager -> Server settings -> Agent settings -> Free lost RADIUS resources after...

Example Code

This code assumes that, in response to the first access packet, a challenge was sent prompting the user with "Input your secret". If the next request packet does not contain the user's response in the User-Password attribute, or the value entered is incorrect (does not match the hard-coded string "weexpectedit"), the user is rejected.

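#include <string.h>

STDMETHODIMP CTest::ChallengeDataReply(long tag,
	long prevTag, AUTHENTYPE authType,
	USERINFOLITE * userInf, RADIUS_ATTRIBUTE * stored,
	RADAUTHENREPLY * authenRes)
{
	static const char expected[]="weexpectedit";

	// Reject unless the stored attribute is "User-Password" (type 2).
	// An invalid attribute (not found or expired) has type 0.
	if (stored->type!=2)
	{
		*authenRes=ACCESS_REJECT;
		return S_OK;
	}

	// Require an exact length match first: comparing only strSize bytes
	// would accept an empty response or any prefix of the secret.
	if (stored->strSize==strlen(expected) &&
		memcmp(stored->strValue,expected,stored->strSize)==0)
		*authenRes=ACCESS_ACCEPT;
	else
		*authenRes=ACCESS_REJECT;
	return S_OK;
}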
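
A comparison bounded only by the received length (strSize) accepts an empty response or any prefix of the secret. The following added example, which is not part of the ClearBox SDK, contrasts that with an exact-length check that examines every byte; RadiusAttr is a hypothetical stand-in for RADIUS_ATTRIBUTE limited to the fields named on this page (field types are assumed), and makeAttr, prefixCompare and exactCompare are illustrative names.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for the SDK's RADIUS_ATTRIBUTE: only the fields
// this page names (type, strSize, strValue). Field types are assumed.
struct RadiusAttr {
    long type;                      // 0 = invalid or attribute not found
    unsigned long strSize;          // length of strValue in bytes
    const unsigned char* strValue;  // cleartext when User-Password
};
static const long ATTR_USER_PASSWORD = 2;
static const char kSecret[] = "weexpectedit";

// Comparison bounded by the client-supplied length: strSize == 0
// compares zero bytes and reports a match, as does any prefix.
bool prefixCompare(const RadiusAttr* a, const char* secret) {
    if (a->type != ATTR_USER_PASSWORD) return false;
    return std::strncmp(reinterpret_cast<const char*>(a->strValue),
                        secret, a->strSize) == 0;
}

// Exact-length comparison that touches every byte, so the time taken
// does not depend on where the first mismatch occurs.
bool exactCompare(const RadiusAttr* a, const char* secret) {
    if (a == nullptr || a->strValue == nullptr ||
        a->type != ATTR_USER_PASSWORD) return false;
    const std::size_t want = std::strlen(secret);
    if (a->strSize != want) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < want; ++i)
        diff |= a->strValue[i] ^ static_cast<unsigned char>(secret[i]);
    return diff == 0;
}

// Builds a constructed sample attribute (not captured traffic).
RadiusAttr makeAttr(long type, const char* s) {
    RadiusAttr a;
    a.type = type;
    a.strSize = static_cast<unsigned long>(std::strlen(s));
    a.strValue = reinterpret_cast<const unsigned char*>(s);
    return a;
}

int main() {
    const char* samples[] = {"", "we", "weexpectedit", "weexpecteditX"};
    for (const char* s : samples) {
        RadiusAttr a = makeAttr(ATTR_USER_PASSWORD, s);
        std::printf("\"%s\": prefix=%d exact=%d\n", s,
                    prefixCompare(&a, kSecret), exactCompare(&a, kSecret));
    }
}
```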

See Also

IRADIUSAuthentication, IRADIUSAuthentication::GetChallengeResponseAttributes, Authentication concepts, RADIUS specific authentication


© 2001-2003 XPerience Technologies. www.xperiencetech.com
