ClearBox Server v1.2 Developer's Guide
RADIUS Authentication Packet Processing

This article explains how ClearBox Server processes RADIUS authentication request packets. Read more about authentication and authorization concepts and RADIUS concepts.

First, the server looks for the User-Name attribute in the request packet. If it is found, its value is treated as the actual user name. If it is not present, the server looks for the EAP-Message attribute. If that attribute is in the request packet and carries an EAP/Identity response, the identity is treated as the user name.

The server then checks whether the user name matches the "auto-reject" user name (set by Server Manager in the server configuration and used to track the server's state). If they are equal, the user is rejected without any further packet processing.

Next, the server attempts custom packet processing if the IRADIUSProcessor interface is supported by the server extension. If the interface is not implemented, this step is skipped.
The original user name from the request packet is now stored for later use. Next, the "packet history" is checked. That is, the packet may be a response to a previously issued Challenge-Response packet. If the packet is the first Access-Request packet in the authentication session, or an EAP/Identity response was received, realm stripping is performed if the IRADIUSRealmStripping interface is supported by the server extension:
If the user name is empty at this point:
RADIUS authentication is then performed. If the user passes authentication, RADIUS authorization is performed. If the user was accepted, the user name was changed (the original user name stored earlier is compared with the new user name returned by IRADIUSRealmStripping::RADIUSRealmStrip), and that method instructed the server to return the changed name, the new user name is included in the accept response packet. Finally, IRADIUSProcessor::PostProcessPacket is called if IRADIUSProcessor is implemented. It may make any changes to the packet formed by the server.
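
The user-name resolution and auto-reject check from the first steps above, as an added Python example that is not ClearBox Server code: it walks the RADIUS attribute layout (RFC 2865), falls back to an EAP/Identity response (RFC 3748) carried in EAP-Message, and refuses malformed lengths instead of reading past the packet. The function names, the sample packets and the `health-probe` auto-reject name are assumptions made for illustration, as are the exact string comparison and the concatenation of multiple EAP-Message attributes.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79       # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_IDENTITY = 2, 1    # EAP code and EAP type (RFC 3748)

def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                         # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def resolve_user_name(packet: bytes):
    """Return User-Name if present, else the identity of an EAP/Identity response."""
    user_name, eap = None, b""
    for a_type, value in parse_attributes(packet):
        if a_type == USER_NAME and user_name is None:
            user_name = value
        elif a_type == EAP_MESSAGE:
            eap += value             # assumption: fragments are concatenated in order
    if user_name is not None:
        return user_name.decode("utf-8", "replace")
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_IDENTITY:
        eap_len = struct.unpack("!H", eap[2:4])[0]
        if 5 <= eap_len <= len(eap):
            return eap[5:eap_len].decode("utf-8", "replace")
    return None

def is_auto_reject(packet: bytes, auto_reject_name: str) -> bool:
    """Assumption: exact, case-sensitive match against the configured name."""
    return resolve_user_name(packet) == auto_reject_name

# Constructed sample Access-Request packets (zeroed authenticator), demo only.
def build_request(attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

eap_identity = struct.pack("!BBHB", EAP_RESPONSE, 1, 10, EAP_IDENTITY) + b"alice"
PKT_EAP = build_request([(EAP_MESSAGE, eap_identity)])
PKT_NAME = build_request([(USER_NAME, b"health-probe"), (EAP_MESSAGE, eap_identity)])
```

When both attributes are present, as in `PKT_NAME`, User-Name takes precedence and the EAP identity is ignored, so the auto-reject comparison runs against the User-Name value.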
© 2001-2003 XPerience Technologies. www.xperiencetech.com