[RADIATOR] PostAuthHook with asynchronous modules like AuthDUO
Heikki Vatiainen
hvn at open.com.au
Mon Jul 29 13:18:58 UTC 2019
On 26/07/2019 21.14, Christopher Bongaarts wrote:
> This last point troubles me a bit; it seems like if something happened
> so the Access-Reject got lost, a user could be granted access when the
> hook would have denied them.
>
> I can see a couple ways to work around this:
>
> - Use a PostProcessingHook instead of PostAuthHook to implement the
> authorization check. I *think* it's possible to change the result at
> that point in the process.
The reply message seems to be passed to the hook, so you could modify its
code and attributes suitably for a reject.
> - Have AuthDUO (or Handler->handleResult()) call the PostAuthHook a
> second time; possibly skip the hook if result is IGNORE
This is likely the hardest option to maintain when upgrading Radiator.
> - Do the checks in AuthLDAP2's PostSearchHook
I'd consider using this option first. This keeps the hook that rejects
based on LDAP close to the LDAP result. To reject requests from this
hook, something like this could work:
    sub {
        # Hook arguments for the AuthBy LDAP2 PostSearchHook
        my $p     = $_[2]; # The request
        my $user  = $_[3]; # The user trying to authenticate
        my $entry = $_[4]; # Returned LDAP entry (Net::LDAP::Entry)
        my $rp    = $_[5]; # The reply

        # If the user must be rejected, add a Reject Auth-Type check item;
        # the text after "Reject:" is the reason logged for the rejection.
        $user->get_check->add_attr('Auth-Type',
            'Reject:Rejected by PostSearchHook');
    }
> This message is a sort of combination request for advice on the above
> approaches (or other suggestions) and suggestion for enhancement that
> would potentially apply to other async auth methods.
Related to this, work is ongoing to support different types of REST APIs
so that they work better with configurations like the above. In other
words, they can be stacked the way synchronous modules, such as LDAP,
already can be. When this is done, DUO support could be implemented in
this way. This would likely be a new AuthBy, to keep old configurations
working as they are.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
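A fuller version of the PostSearchHook approach suggested above, as an added example that is not part of the original message or of Radiator itself: the hook inspects the LDAP entry returned for the user and rejects before any later AuthBy (such as the asynchronous AuthDUO) is reached, so a lost Access-Reject cannot turn into an accept. The attribute name radiusAccess, the value allowed and the reason strings are assumptions made for illustration; the argument order follows Radiator's documented PostSearchHook convention, and get_value is the Net::LDAP::Entry method.

```perl
# Added example hook for <AuthBy LDAP2> PostSearchHook. Not from the
# original post and not Radiator's own code.
#
# Radiator calls the hook with:
#   $_[0] the AuthBy LDAP2 object
#   $_[1] the LDAP handle (Net::LDAP)
#   $_[2] the request packet
#   $_[3] the user object being built for this request
#   $_[4] the LDAP entry found for the user (Net::LDAP::Entry)
#   $_[5] the reply packet
sub {
    my ($self, $ldap, $p, $user, $entry, $rp) = @_;

    # Assumed attribute and value that grant RADIUS access (illustration only).
    my $required_attr  = 'radiusAccess';
    my $required_value = 'allowed';

    my $name = $p->get_attr('User-Name');

    # Fail closed: with no entry there is nothing to authorise against.
    unless (defined $entry) {
        &main::log($main::LOG_INFO,
            "PostSearchHook: no LDAP entry for $name, rejecting");
        $user->get_check->add_attr('Auth-Type',
            'Reject:No LDAP entry for authorization check');
        return;
    }

    # get_value returns all values of a multi-valued attribute in list context.
    my @values = $entry->get_value($required_attr);
    my $permitted = grep { lc($_) eq lc($required_value) } @values;

    unless ($permitted) {
        &main::log($main::LOG_INFO,
            "PostSearchHook: $name lacks $required_attr=$required_value, rejecting");
        # Adding Auth-Type Reject as a check item makes AuthBy LDAP2 reject
        # this request when it evaluates the user's check items.
        $user->get_check->add_attr('Auth-Type',
            "Reject:Not authorized by $required_attr");
    }
    return;
}
```

Save the hook in its own file and reference it from the AuthBy clause with Radiator's file: syntax, for example PostSearchHook file:"%D/postsearch.pl", which avoids the line-wrapping problems of inline hooks. Whether a reject here stops a following AuthBy from running depends on the Handler's AuthByPolicy, so check that setting when LDAP2 and DUO are stacked.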