Halting IAS Auth when using RadiusExtensionProcess2

I just ran into this issue while implementing an external authentication
database using RadiusExtensionProcess2.

We have a single IAS extension dll which implements RadiusExtensionProcess2
at both the Auth and AuthZ callouts (to provide external non-AD LDAP
authentication and authorization). If, at the Auth callout, we
SetResponseType to rcAccessAccept, it seems as though IAS's "normal"
authentication process still occurs. This results in the ResponseType being
reset to rcAccessReject, as the user doesn't exist in AD.

The legacy IAS API (RadiusExtensionProcess/Ex) allowed us to set pfAction to
raAccept which would halt future authentication methods, but the new
RadiusExtensionProcess2 does not support pfAction. After reading the PSDK
help, it does seem as though this is "by-design"; however, you don't provide
a means to overcome this scenario. You hint at using ratProvider, but the
stated "solution" appears to be lacking a few details.

Any ideas how we halt future authentication methods using
RadiusExtensionProcess2? Maybe there is something we can do with the
ratProvider? Unfortunately, I can't change the ratProvider value in the
Request attribute array. I tried dropping and adding a new ratProvider in
the Request attribute array with some other value, such as rapUnknown, but
without success (the call to InsertAt fails). Using SetAt fails as well
(ERROR_ACCESS_DENIED). Which means (unless I'm doing proxy), ratProvider is
always set to rapWindowsNT. Maybe if I could set it to rapODBC, or
rapNone? There isn't a rapExternalLDAP, so I'm not sure what to set it
to, even if I could change it. If it is possible for an extension dll to
modify the rapProvider, how can I do it?

Assuming I change the ratProvider, or do some other type of hack (like
setting a private value in ratExtensionState), is there some means to stop IAS
from performing its own authentication? Or does changing the ratProvider to
something other than rapWindowsNT cause that to happen?
--
Tony

