ClearBox Server™ v1.2 Developer's Guide

ITACACSRealmStripping::TACACSRealmStripAuthen

Called by the server to determine whether the authentication request packet will be forwarded, and/or to strip the user name and realm name from the packet content.

HRESULT TACACSRealmStripAuthen(
	[in] long tag,
	[in,out] TAC_AUTHEN_LITE * authenParams,
	[out] VARIANT_BOOL * forwardPacket,
	[in,out] FORWARDADDRESS * fwdAddress,
	[out] VARIANT_BOOL * nameOK);

Parameters

tag
[in] Unique value identifying the TACACS+ packet in whose context this method is called.
authenParams
[in,out] Describes the user. If the extension wants to change the user's name, it must reallocate the name field with a call to SysReAllocString. If the extension is capable of realm stripping, the realmName field may be allocated as a realm name string with SysAllocString.
forwardPacket
[out] Set to VARIANT_TRUE if the extension decides to instruct the NAS to forward this request, or to VARIANT_FALSE to process the packet locally.
fwdAddress
[in,out] If the extension proxies this request and forwardPacket is set to VARIANT_TRUE, the proxyIPAddress field of this parameter must be set to the address of the host to which the packet should be forwarded.
nameOK
[out] Must be set to VARIANT_TRUE if the user name has a valid format and/or the packet is forwarded. Otherwise the packet will be rejected.

Return Values

If the extension returns an error code and the user name is empty, it is assumed that the user did not pass authentication.

Thread Safety

This method is called in the context of a WORK thread. (See Server Threads Model for details.) You should synchronize any data that is shared with other threads.

Memory Management

Memory for authenParams is allocated and freed by the server. The realmName field has a NULL value on entry and may be allocated by the extension with a call to SysAllocString. If the extension changes the name field, it must reallocate memory for it with SysReAllocString.

Remarks

The server can forward TACACS+ packets via a FOLLOW response only. In this case the server instructs the NAS (TACACS+ client) to resend the packet to the specified alternate TACACS+ server, and the NAS is responsible for packet forwarding.

Example Code

This code makes the NAS forward the packet to host 192.168.2.100 if the user's address is 3245235; otherwise it assigns the "Default" realm.

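STDMETHODIMP CTest::TACACSRealmStripAuthen(
	long tag, TAC_AUTHEN_LITE * authenParams,
	VARIANT_BOOL * forwardPacket, FORWARDADDRESS * fwdAddress,
	VARIANT_BOOL * nameOK)
{
	// Defaults: process the packet locally and accept the user name.
	*forwardPacket=VARIANT_FALSE;
	*nameOK=VARIANT_TRUE;
	// Requests from this remote address are handed to another TACACS+ server.
	if (wcscmp(authenParams->remote_address,L"3245235")==0)
	{
		*forwardPacket=VARIANT_TRUE;
		// Address the NAS is told to resend the packet to (FOLLOW response).
		fwdAddress->proxyIPAddress=inet_addr("192.168.2.100");
		// Other fields are not used with TACACS+
	}
	else
		// realmName is NULL on entry, so it is allocated rather than reallocated.
		authenParams->realmName=SysAllocString(L"Default");

	return S_OK;
}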
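
The decision logic behind an extension that does strip realms can be sketched as follows. This is an added example, not code from the ClearBox documentation: the "user@realm" syntax, the 64-character limit, the realm table and the names RealmDecision, kForwardRealms, ValidPart and DecideRealm are all assumptions made for illustration. It is written as portable C++ so the validation can be exercised outside the server; comments mark where each result maps onto the method's parameters.

```cpp
// Added example (not ClearBox code): portable core of a realm-stripping decision.
// Assumptions: "user@realm" syntax, 64-character limit, and the realm table below.
#include <cstddef>
#include <map>
#include <string>

struct RealmDecision {
    bool nameOK = false;      // value for *nameOK (false: server rejects the packet)
    bool forward = false;     // value for *forwardPacket
    std::wstring user;        // write to the name field with SysReAllocString
    std::wstring realm;       // write to the realmName field with SysAllocString
    std::string forwardHost;  // convert and store in fwdAddress->proxyIPAddress
};

// Hypothetical fixed table of realms that are proxied and their target hosts.
// The destination never comes from the packet itself.
static const std::map<std::wstring, std::string> kForwardRealms = {
    {L"branch.example", "192.0.2.10"},  // constructed sample entry
};

// Accept only non-empty, bounded, ASCII [A-Za-z0-9._-] strings.
static bool ValidPart(const std::wstring& s) {
    if (s.empty() || s.size() > 64) return false;
    for (wchar_t c : s) {
        bool ok = (c >= L'a' && c <= L'z') || (c >= L'A' && c <= L'Z') ||
                  (c >= L'0' && c <= L'9') || c == L'.' || c == L'-' || c == L'_';
        if (!ok) return false;
    }
    return true;
}

RealmDecision DecideRealm(const std::wstring& rawName) {
    RealmDecision d;
    const std::size_t at = rawName.find(L'@');
    const std::wstring user = rawName.substr(0, at);  // whole string if no '@'
    const std::wstring realm = (at == std::wstring::npos)
        ? std::wstring(L"Default") : rawName.substr(at + 1);
    // A second '@' lands in realm and fails ValidPart, so "a@b@c" is rejected.
    if (!ValidPart(user) || !ValidPart(realm)) return d;
    d.nameOK = true;
    d.user = user;
    d.realm = realm;
    const auto it = kForwardRealms.find(realm);  // exact, case-sensitive match
    if (it != kForwardRealms.end()) {
        d.forward = true;
        d.forwardHost = it->second;
    }
    return d;
}
```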

See Also

ITACACSRealmStripping, Realms and packet forwarding, TACACS+ realm stripping and forwarding process


© 2001-2003 XPerience Technologies. www.xperiencetech.com
