I'm no RADIUS expert either. But when I wrote a Windows PAC module that does more or less the same thing (insert some attributes), I just added a postauth method.
I needed to do the following because it's not possible to propagate fragmented attributes outside the inner tunnel by configuration alone. Hopefully this excerpt is explanatory.

    static OM_uint32
    copy_pac(OM_uint32 *minor, gss_name_t source_name, REQUEST *request)
    {
        OM_uint32 major, tmp_minor;
        gss_buffer_desc attr = { PAC_ATTR_LEN, (char *)PAC_ATTR };
        int authenticated = 0, complete = 0, more = -1;
        gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
        gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER;

        /* Fetch the PAC from the initiator's name attributes. */
        major = gss_get_name_attribute(minor, source_name,
                                       &attr, &authenticated, &complete,
                                       &value, &display_value, &more);
        if (GSS_ERROR(major))
            return major;

        /* Only propagate a PAC that is both authenticated and complete. */
        if (authenticated && complete) {
            RADIUS_PACKET *reply;

            /* Inside the inner tunnel, attach to the parent (outer) reply. */
            if (request->parent != NULL)
                reply = request->parent->reply;
            else
                reply = request->reply;

            major = attr_to_avp(minor, &reply->vps, PW_MS_WINDOWS_AUTH_DATA,
                                VENDORPEC_UKERNA, &value);
        } else {
            major = GSS_S_UNAVAILABLE;
        }

        /* Release the GSS buffers on every path past the lookup. */
        gss_release_buffer(&tmp_minor, &value);
        gss_release_buffer(&tmp_minor, &display_value);

        return major;
    }

-- Luke
On 01/06/2011, at 8:00 AM, Roland Hedberg wrote:
> Hi again,
>
> Also, which functions/methods are necessary to implement?
>
> Sorry if the answers to my questions are obvious to some, the only thing I know about RADIUS is what I've read in the RFCs.
> So, please bear with me!
>
> -- Roland
> ------------------------------------------------------
> Roland Hedberg
> IT Architect
> ICT Services and System Development (ITS)
> Umeå University
> SE-901 87 Umeå, Sweden
> Phone +46 90 786 68 44
> Mobile +46 70 696 68 44
> www.its.umu.se
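An added illustration, not part of the original message or of the module it quotes: why a PAC has to be fragmented at all, and the bounds checks a receiver needs when joining the pieces back together. It assumes the RFC 2865 recommended Vendor-Specific layout; the function names are hypothetical, the vendor and attribute numbers are left to the caller, and the real attr_to_avp() is not shown in the thread and may differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VSA_TYPE     26              /* RADIUS Vendor-Specific (RFC 2865) */
#define VSA_HDR      8               /* type, len, vendor-id(4), vendor-type, vendor-len */
#define VSA_MAX_DATA (255 - VSA_HDR) /* one-byte length leaves 247 value bytes */

/* Split len bytes into consecutive VSAs; returns bytes written, 0 if out is too small. */
size_t vsa_fragment(uint32_t vendor, uint8_t vtype, const uint8_t *data,
                    size_t len, uint8_t *out, size_t cap)
{
    size_t off = 0;
    do {
        size_t n = len > VSA_MAX_DATA ? VSA_MAX_DATA : len;
        if (cap - off < VSA_HDR + n)
            return 0;
        uint8_t *p = out + off;
        p[0] = VSA_TYPE;
        p[1] = (uint8_t)(VSA_HDR + n);
        p[2] = (uint8_t)(vendor >> 24); p[3] = (uint8_t)(vendor >> 16);
        p[4] = (uint8_t)(vendor >> 8);  p[5] = (uint8_t)vendor;
        p[6] = vtype;
        p[7] = (uint8_t)(2 + n);     /* covers vendor-type, vendor-len and data */
        memcpy(p + VSA_HDR, data, n);
        data += n; len -= n; off += VSA_HDR + n;
    } while (len > 0);
    return off;
}

/* Join the values of all matching VSAs in order; (size_t)-1 if malformed or out too small. */
size_t vsa_reassemble(const uint8_t *pkt, size_t pktlen, uint32_t vendor,
                      uint8_t vtype, uint8_t *out, size_t cap)
{
    size_t off = 0, total = 0;
    while (pktlen - off >= 2) {
        const uint8_t *p = pkt + off;
        size_t alen = p[1];
        if (alen < 2 || alen > pktlen - off)   /* length must stay inside the packet */
            return (size_t)-1;
        off += alen;
        if (p[0] != VSA_TYPE || alen < VSA_HDR)
            continue;                          /* not a VSA in this layout: skip */
        uint32_t v = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 8) | p[5];
        if (v != vendor || p[6] != vtype)
            continue;
        if (p[7] + 6u != alen || alen - VSA_HDR > cap - total)
            return (size_t)-1;                 /* inner length mismatch or overflow */
        memcpy(out + total, p + VSA_HDR, alen - VSA_HDR);
        total += alen - VSA_HDR;
    }
    return off == pktlen ? total : (size_t)-1;
}
```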