ClearBox Server™ v1.2 Developer's Guide

IRADIUSAuthorization::GetResponseAttributes

Called by the server to obtain the list of RADIUS Response attributes from the extension. These attributes are included in the response packet. The extension also performs authorization processing here.

HRESULT GetResponseAttributes(
	[in] long tag,
	[in] USERINFOLITE * userInf,
	[in] unsigned long attrNumIn,
	[in] RADIUS_ATTRIBUTE * inpAttributes,
	[out] unsigned long * attrNumOut,
	[out] RADIUS_ATTRIBUTE * * outpAttributes,
	[out] BSTR * explainString,
	[out] RADAUTHENREPLY * replyType);

Parameters

tag
[in] Unique value identifying the RADIUS packet in whose context this method is called.
userInf
[in] Describes the user.
attrNumIn
[in] Number of RADIUS attributes in the array pointed to by inpAttributes.
inpAttributes
[in] Array of RADIUS attributes from the request RADIUS packet. It is NULL (and attrNumIn=0) if the extension returned S_FALSE in the preceding call to IRADIUSAuthorization::NeedAllAttributes.
attrNumOut
[out] If the extension returns Response attributes, it must set this parameter to the number of attributes in the array pointed to by outpAttributes.
outpAttributes
[out] If the extension returns Response attributes, it must set this parameter to an array of attributes allocated by calling CoTaskMemAlloc.
explainString
[out] If the extension rejects the user, it may set this parameter to a string describing the reject reason, allocated by calling SysAllocString.
replyType
[out] The extension must return the authorization result in this parameter.

Return Values

If the extension returns an error code, it is assumed that no attributes were returned and that replyType=ACCESS_UNDEFINED was specified.

Thread Safety

This method is called in the context of a WORK thread. (See Server Threads Model for details.) You should synchronize any data that is shared with other threads.

Memory Management

Memory for userInf fields is allocated and freed by the server, so the extension must not change them.

Memory for inpAttributes is allocated and freed by the server.

Memory for outpAttributes and explainString may be allocated by the extension and is freed by the server.

Remarks

If any attributes are returned in outpAttributes, the flags field of each attribute must be explicitly set to 0 or to an appropriate value. If the F_ECHO value is specified for an attribute, the value for this attribute is taken from an attribute with the same type in the request packet, if found, or otherwise from a RequestMatch attribute with the same type and the F_DEFAULT flag set. See RADIUS authorization for details.

Example Code

This code rejects the user if he requests a service other than Framed. If no Service-Type is specified in the request packet, the extension adds this service to the response packet. Additionally, it instructs the NAS to limit the user's session to 3600 seconds.

STDMETHODIMP CTest::GetResponseAttributes(
	long tag, USERINFOLITE * userInf,
	unsigned long attrNumIn, RADIUS_ATTRIBUTE * inpAttributes,
	unsigned long * attrNumOut, RADIUS_ATTRIBUTE * * outpAttributes,
	BSTR * explainString, RADAUTHENREPLY * replyType)
{
	bool framed=false;
	bool serviceFound=false;

	// Give every out-parameter a defined value before any return.
	*attrNumOut=0;
	*outpAttributes=NULL;
	*explainString=NULL;
	*replyType=ACCESS_ACCEPT;

	for (unsigned long i=0;i<attrNumIn;i++)
	{
		if (inpAttributes[i].type==6) // "Service-Type" attribute
		{
			serviceFound=true;
			if (inpAttributes[i].dwValue==2) // "Framed" value
				framed=true;
			break;
		}
	}
	if (serviceFound && !framed)
	{
		// A service other than Framed was requested: reject, no attributes.
		*replyType=ACCESS_REJECT;
		return S_OK;
	}

	// Session-Timeout is always returned; Service-Type is added as well
	// when the request did not carry one. Both go into a single array.
	unsigned long count=serviceFound ? 1 : 2;
	RADIUS_ATTRIBUTE * attrs=reinterpret_cast<RADIUS_ATTRIBUTE*>(
		CoTaskMemAlloc(count*sizeof(RADIUS_ATTRIBUTE)));
	if (attrs==NULL)
		return E_OUTOFMEMORY; // nothing was returned to the server

	attrs[0].type=27; // "Session-Timeout" attribute
	attrs[0].valType=RADINT;
	attrs[0].dwValue=3600;
	attrs[0].flags=0;

	if (!serviceFound)
	{
		attrs[1].type=6; // "Service-Type" attribute
		attrs[1].valType=RADINT;
		attrs[1].dwValue=2; // "Framed" value
		attrs[1].flags=0;
	}

	*outpAttributes=attrs;
	*attrNumOut=count;
	return S_OK;
}
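
The following added example (not part of the original guide or of ClearBox code) applies the Return Values and Memory Management rules above to the reject path: it starts from ACCESS_REJECT, fills explainString on reject, and leaves the out-parameters empty when it returns an error. The helper name AuthorizeFramedOnly, the reject text, and the stand-in declarations at the top (type layouts, enum values, malloc-based allocators) are assumptions so the sketch builds without the Windows and ClearBox SDK headers.

```cpp
#include <cstdlib>
#include <cwchar>

// Stand-ins (assumed) so this builds without <windows.h> and the ClearBox SDK
// headers; in a real extension remove this section and include those headers.
typedef long HRESULT;
typedef wchar_t* BSTR;
const HRESULT S_OK = 0, E_OUTOFMEMORY = 0x8007000EL;
enum RADAUTHENREPLY { ACCESS_UNDEFINED, ACCESS_ACCEPT, ACCESS_REJECT }; // values assumed
enum { RADINT = 0 };                                                    // value assumed
struct RADIUS_ATTRIBUTE { int type; int valType; unsigned long dwValue; unsigned long flags; };
void* CoTaskMemAlloc(std::size_t n) { return std::malloc(n); }
BSTR SysAllocString(const wchar_t* s) {
	BSTR b = (BSTR)std::malloc((std::wcslen(s) + 1) * sizeof(wchar_t));
	return b ? std::wcscpy(b, s) : NULL;
}

// Hypothetical helper: Framed-only policy in which every out-parameter has a
// defined value on every return path.
HRESULT AuthorizeFramedOnly(
	unsigned long attrNumIn, const RADIUS_ATTRIBUTE* inpAttributes,
	unsigned long* attrNumOut, RADIUS_ATTRIBUTE** outpAttributes,
	BSTR* explainString, RADAUTHENREPLY* replyType)
{
	*attrNumOut = 0;
	*outpAttributes = NULL;
	*explainString = NULL;
	*replyType = ACCESS_REJECT; // fail closed: accept only after all checks pass

	for (unsigned long i = 0; i < attrNumIn; i++)
		if (inpAttributes[i].type == 6 && inpAttributes[i].dwValue != 2)
		{
			// Service-Type other than Framed: optional reason, freed by the server.
			*explainString = SysAllocString(L"Only Framed service is allowed");
			return S_OK;
		}

	RADIUS_ATTRIBUTE* out = (RADIUS_ATTRIBUTE*)CoTaskMemAlloc(sizeof(RADIUS_ATTRIBUTE));
	if (out == NULL)
		return E_OUTOFMEMORY; // out-parameters are still empty on the error return
	out[0].type = 27; // Session-Timeout
	out[0].valType = RADINT;
	out[0].dwValue = 3600;
	out[0].flags = 0;
	*outpAttributes = out;
	*attrNumOut = 1;
	*replyType = ACCESS_ACCEPT;
	return S_OK;
}
```

Because inpAttributes is NULL with attrNumIn=0 when NeedAllAttributes returned S_FALSE, a policy like this one only sees Service-Type if the extension asked for the request attributes.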

See Also

IRADIUSAuthorization, IRADIUSAuthorization::NeedAllAttributes, RADIUS Attributes, Authorization concepts, RADIUS authorization


© 2001-2003 XPerience Technologies. www.xperiencetech.com
