From: Arran Cudbard-Bell
Date: Mon, 26 Sep 2011 20:01:04 +0000 (+0200)
Subject: Add EAP-Failure if EAP is called in Post-Auth REJECT and no EAP-Message has been...
X-Git-Tag: release_3_0_0_beta0~621
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7314a0fc2fc21f9ef72444fa9429a562784bbb9a;p=thirdparty%2Ffreeradius-server.git

Add EAP-Failure if EAP is called in Post-Auth REJECT and no EAP-Message has been inserted
---
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 20c72ac64b3..281f04a5a80 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -575,6 +575,10 @@ post-auth {
 # sql
 attr_filter.access_reject
+ # Insert EAP-Failure message if the request was rejected by policy
+ # instead of because of an authentication failure
+ eap
+
 # Remove reply message if the response contains an EAP-Message
 remove_reply_message_if_eap
 }
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 15ac53ecfbe..56c34a18372 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -464,6 +464,7 @@ VALUE Session-Type Local 0
 #
 # And Post-Auth
 VALUE Post-Auth-Type Local 0
+VALUE Post-Auth-Type Reject 1
 #
 # Experimental Non-Protocol Integer Translations for FreeRADIUS
diff --git a/src/include/radius.h b/src/include/radius.h
index 3d9c221af85..66f4331f5ed 100644
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -291,6 +291,10 @@
 #define PW_AUTHTYPE_ACCEPT 254
 #define PW_AUTHTYPE_MS_CHAP 1028
+/* Post-auth types */
+#define PW_POSTAUTHTYPE_LOCAL 0
+#define PW_POSTAUTHTYPE_REJECT 1
+
 /* Port Types */
 #define PW_NAS_PORT_ASYNC 0
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index c91bd0ee53a..4dbbf8dc15a 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
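Review bot: PW_POSTAUTHTYPE_LOCAL and PW_POSTAUTHTYPE_REJECT in the radius.h hunk hard-code the same numbers that the dictionary hunk introduces as `VALUE Post-Auth-Type Local 0` and `VALUE Post-Auth-Type Reject 1`, and nothing in either file says the two must agree. The rlm_eap.c hunk below compares `vp->vp_integer` against PW_POSTAUTHTYPE_REJECT, so a later renumbering of the dictionary would make the EAP-Failure insertion silently stop matching, with no error anywhere. Suggest replacing the bare `/* Post-auth types */` comment with `/* Post-auth types; values must match the Post-Auth-Type VALUEs in share/dictionary.freeradius.internal */`.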
@@ -731,6 +731,49 @@ static int eap_post_proxy(void *inst, REQUEST *request)
 }
 #endif
+static int eap_post_auth(void *instance, REQUEST *request)
+{
+ rlm_eap_t *inst = instance;
+ VALUE_PAIR *vp;
+ EAP_HANDLER *handler;
+ eap_packet_t *eap_packet;
+
+ /*
+ * Only build a failure message if something previously rejected the request
+ */
+ vp = pairfind(request->config_items, PW_POSTAUTHTYPE, 0);
+
+ if (!vp || (vp->vp_integer != PW_POSTAUTHTYPE_REJECT)) return RLM_MODULE_NOOP;
+
+ if (!pairfind(request->packet->vps, PW_EAP_MESSAGE, 0)) {
+ RDEBUG2("Request didn't contain an EAP-Message, not inserting EAP-Failure");
+ return RLM_MODULE_NOOP;
+ }
+
+ if (pairfind(request->reply->vps, PW_EAP_MESSAGE, 0)) {
+ RDEBUG2("Reply already contained an EAP-Message, not inserting EAP-Failure");
+ return RLM_MODULE_NOOP;
+ }
+
+ eap_packet = eap_vp2packet(request->packet->vps);
+ if (eap_packet == NULL) {
+ radlog_request(L_ERR, 0, request, "Malformed EAP Message");
+ return RLM_MODULE_FAIL;
+ }
+
+ handler = eap_handler(inst, &eap_packet, request);
+ if (handler == NULL) {
+ RDEBUG2("Failed to get handler, probably already removed, not inserting EAP-Failure");
+ return RLM_MODULE_NOOP;
+ }
+
+ RDEBUG2("Request was previously rejected, inserting EAP-Failure");
+ eap_fail(handler);
+ eap_handler_free(inst, handler);
+
+ return RLM_MODULE_UPDATED;
+}
+
 /*
 * The module name should be the only globally exported symbol.
 * That is, everything else should be 'static'.
@@ -753,6 +796,6 @@ module_t rlm_eap = {
 #else
 NULL,
 #endif
- NULL /* post-auth */
+ eap_post_auth /* post-auth */
 },
 };
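Review bot: On the `handler == NULL` path the eap_packet allocated by eap_vp2packet() a few lines earlier is not freed before `return RLM_MODULE_NOOP;`, so unless eap_handler() releases *eap_packet_p itself when it fails (presumably the existing authenticate path in this file relies on that, but it is outside this hunk — confirm against eap_handler() in eap.c) every policy-rejected EAP request whose session is already gone leaks one packet. If ownership is not transferred on failure, `free(eap_packet);` before that return is the fix; the same question applies to the success path, where eap_handler_free(inst, handler) is assumed to take the packet along with the handler. The new function also lacks a header comment; a short one stating that it runs from post-auth, only acts when Post-Auth-Type is REJECT and the request carried an EAP-Message the reply does not answer, and turns a policy reject into an EAP-Failure so the supplicant receives a well-formed EAP termination rather than a bare Access-Reject, would make the intent discoverable without reading raddb/sites-available/default.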