The processing of a request depends on the following four pieces of information:
- The data associated with the request,
- the contents of the individual processing section (a request processing section is made up of Unlang statements),
- an action table associated with each processing section, and
- the processing of the algorithm itself.
Request lists
request | Contains attributes that were received in the request
reply | Contains the attributes that will be sent in any reply
control | Contains “internal” attributes that are used by the server as a temporary storage area. None of these attributes are sent in a request or reply
proxy-request | Contains the attributes that are sent in any proxied request. Its contents are taken from the “request” list before any proxying is performed
proxy-reply | Contains the attributes that have been received from a home server and is used to re-initialize the “reply” list
coa | Valid only for Access-Request and Accounting-Request packets. Used to create a CoA-Request packet that is sent to the NAS. The word “disconnect” can be used instead, causing the server to send a Disconnect-Request packet to the NAS
coa-reply | Valid only for Access-Request and Accounting-Request packets. Used when receiving a CoA-ACK or CoA-NAK packet after sending a CoA-Request packet to the NAS. The word “disconnect-reply” can be used instead, referring to the attributes in any reply to a Disconnect-Request packet.
Processing sections
authorize | Access-Request packets are processed through the authorize section in order to obtain “known good” passwords prior to authentication.
session | Access-Request packets are processed through the session section to perform the database lookups needed for Simultaneous-Use (double login) detection.
authenticate | Access-Request packets are processed through the authenticate section, where a module implements a particular authentication method.
post-auth | Access-Request packets are processed through the post-auth section before a reply is sent to the NAS.
preacct | Accounting-Request packets are processed through the preacct section to normalize them prior to accounting being performed.
accounting | Accounting-Request packets are processed through the accounting section to perform accounting logging to files, SQL, and other accounting functions.
pre-proxy | All packets are processed through the pre-proxy section prior to being sent to a home server.
post-proxy | All packets are processed through the post-proxy section after a reply is received from a home server.
recv-coa | CoA-Request and Disconnect-Request packets are processed through the recv-coa section when they are received from a NAS.
send-coa | CoA-Request and Disconnect-Request packets are processed through the send-coa section before a reply is sent to a NAS.
- The list is processed in order from top to bottom.
- Each processing section is a list of modules to execute or Unlang statements to process.
- In some cases, it is useful to skip parts of the list or to return early from processing a list. For example, if a “reject” is sent because of a policy rule, there is usually no reason to continue to process that list.
Not every operation goes through all of the sections above:
- Authentication: authorize ⇒ authenticate ⇒ post-auth
- Accounting: preacct ⇒ accounting
- Proxied Authentication: …
- Proxied Accounting: …
- …
Return codes
When a module is executed, the result is a return code such as “reject”, “noop”, or “ok”. These return codes control the processing of the list.
notfound | information was not found
noop | the module did nothing
ok | the module succeeded
updated | the module updated the request
fail | the module failed
reject | the module rejected the request
userlock | the user was locked out
invalid | the configuration was invalid
handled | the module has handled the request itself
Note that if several modules are executed within one processing section, several return codes are produced.
Actions
Each processing section has a list of default responses to the various return codes.
Action types: return, continue (and noop as the default).
For each return code value, the action FreeRADIUS takes:
default | noop
reject | return
fail | return
ok | continue (priority 3)
handled | return
invalid | return
userlock | return
notfound | continue (priority 1)
noop | continue (priority 2)
updated | continue (priority 4)
Additional note: priorities exist for the same reason, namely that a single processing section can execute several modules and therefore produce several return values; the priority decides which of the “continue” codes becomes the section's result.
Algorithm
FreeRADIUS walks the processing sections in order. Within each section it executes every module (or Unlang statement) in turn and uses the module's return code and its priority to determine the action.
The action then determines whether processing moves on to the next processing section.
Processing of Authentication requests
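To make the section algorithm concrete, here is an added simulation (not FreeRADIUS code and not part of the original notes) of how one processing section combines the return codes of the modules it runs into a single section return code, using the default action table listed above. The module names and the return codes each module produces are constructed inputs; the STRICT_ACTIONS table is a constructed override that only illustrates how a section-specific action table changes the outcome, it is not the real session or authenticate table. One assumption is that a section has no result until its first module has run, so a section that runs nothing reports noop.

```python
# Added example: simulate how a processing section turns the return codes of
# its modules into one section-level return code.  Not FreeRADIUS source code.
from typing import Dict, List, Optional, Tuple

# Default action table from the notes: return code -> (action, priority).
# "return" stops the section immediately and the section returns that code;
# "continue" keeps going, and the highest-priority "continue" code wins.
DEFAULT_ACTIONS: Dict[str, Tuple[str, int]] = {
    "reject":   ("return", 0),
    "fail":     ("return", 0),
    "handled":  ("return", 0),
    "invalid":  ("return", 0),
    "userlock": ("return", 0),
    "notfound": ("continue", 1),
    "noop":     ("continue", 2),
    "ok":       ("continue", 3),
    "updated":  ("continue", 4),
}

# Constructed override (NOT a real FreeRADIUS table): shows how a section with
# its own action table behaves differently, here by making notfound stop the list.
STRICT_ACTIONS: Dict[str, Tuple[str, int]] = dict(DEFAULT_ACTIONS, notfound=("return", 0))


def run_section(
    modules: List[Tuple[str, str]],
    actions: Dict[str, Tuple[str, int]] = DEFAULT_ACTIONS,
) -> Tuple[str, List[str]]:
    """Run one processing section.

    modules: ordered (module_name, return_code) pairs, i.e. what each module
             in the section would return for this request (constructed input).
    actions: the action table in force for this section.
    Returns (section_return_code, names_of_modules_actually_executed).
    """
    executed: List[str] = []
    result: Optional[str] = None      # assumption: no result before any module runs
    best_priority = -1
    for name, code in modules:
        if code not in actions:
            raise ValueError(f"module {name!r} returned unknown code {code!r}")
        executed.append(name)
        action, priority = actions[code]
        if action == "return":
            # reject/fail/handled/...: stop here, the section returns this code,
            # and the remaining modules are never executed.
            return code, executed
        if priority > best_priority:
            # continue: remember the highest-priority code seen so far
            best_priority = priority
            result = code
    # An empty section (or one where nothing ran) has done nothing: noop.
    return (result if result is not None else "noop"), executed


if __name__ == "__main__":
    # Constructed authorize-like section: files finds nothing, sql sets a password.
    print(run_section([("preprocess", "noop"), ("files", "notfound"), ("sql", "ok")]))
    # A policy reject stops the list before sql is reached.
    print(run_section([("files", "ok"), ("policy", "reject"), ("sql", "ok")]))
```

The second print shows the point made in the notes about returning early: once a module yields a “return”-class code such as reject, the modules after it in the list are not executed at all, which is also why a rejecting policy placed early in authorize prevents later modules from doing database work for that request.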
Pre-Authentication
The name of this section is authorize for historical reasons, as earlier versions of the server did not have a post-auth section. A more accurate description of this section would be pre-authentication.
The authorize section processes Access-Request packets by
- normalizing the request,
- determining which authentication method to use,
- and either setting the “known good” password (the valid password found in the database) for the user or informing the server that the request should be proxied.
Once the authorize section has finished processing the packet, the return code for the section is examined by the server.
- If the return code is noop, notfound, ok, or updated, then request processing continues.
- If the return code is handled, then it is presumed that one of the modules set the contents of the reply, and the server sends the reply message.
- Otherwise, the server treats the authentication as being rejected and runs the post-auth section.
If the authentication has not been rejected, then the server continues processing the request
- by searching for the Auth-Type attribute in the control list. Once the Auth-Type attribute is found, then the named sub-section of authenticate is executed, as described below.
- This functionality is historical and dates back to versions prior to 2.0.0. For versions 2.0.0 and later, we recommend using Unlang policies, which are more flexible and simpler to understand.
NOTE: The authorize section should not be used to set attributes in a reply. Although this practice is widespread and is in the default configuration for historical reasons, it is not good policy design. The authorize section should be used to define a policy, and the post-auth section should be used to set the reply attributes.
Session
The session section is used to perform database lookups when enforcing Simultaneous-Use or double login detection. It is used only for Access-Request packets.
Note that the session section has its own dedicated action table; refer to the documentation for the details.
Authenticate
The authenticate section is only used when the server is authenticating requests locally and is bypassed completely when proxying.
This section is different from each of the other sections:
- it is composed of a series of subsections, only one of which is executed.
- The relevant subsection is chosen based on the contents of the Auth-Type attribute found in the control list. The Auth-Type attribute can also refer to a module (e.g. eap) instead of a subsection, in which case that module, and only that module, is processed. The Auth-Type subsection may contain a series of Unlang statements, which is useful when modifying the results of authentication.
Note that the authenticate section has its own dedicated action table; refer to the documentation for the details.
Post-Auth
The post-auth section contains policies that are applied after the authentication process either succeeds or fails (is rejected).
When authentication succeeds, the contents of the post-auth section are processed, along with any other relevant section.
When authentication fails, the server looks for a subsection called Post-Auth-Type Reject,
- which, if found, executes only the statements that are found within that section.
- If no such subsection exists, then no post-auth processing takes place.
NOTE: To update any reply attributes, it is recommended to only use the post-auth section, although this may be difficult. Many modules provide reply attributes only in their authorize method. That method can be called from the post-auth section by using the Module-name.authorize syntax (e.g., sql.authorize).
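As an added model (not FreeRADIUS code and not part of the original notes), the Access-Request path described in the Pre-Authentication, Authenticate and Post-Auth sections above can be written down as a small decision function: it takes the return code the authorize section produced, the Auth-Type found in the control list, the return code the chosen authenticate subsection produces, and the subsections defined under post-auth, and reports which sections the server runs. The Auth-Type names and return codes are constructed inputs. Two assumptions are marked in the code: a missing or unknown Auth-Type is treated as an authentication failure, and the authenticate subsection counts as failed when it yields one of the “return”-class codes reject, fail, invalid or userlock, with any other code treated as success.

```python
# Added example: model of which sections run for one Access-Request, following
# the authorize -> authenticate -> post-auth description in the notes.
from typing import Dict, List

# authorize: these section return codes let request processing continue.
CONTINUE_CODES = {"noop", "notfound", "ok", "updated"}
# Assumption: these authenticate results mean authentication failed.
AUTH_FAILURE_CODES = {"reject", "fail", "invalid", "userlock"}


def after_authorize(section_code: str) -> str:
    """Decision the server makes on the authorize section's return code."""
    if section_code in CONTINUE_CODES:
        return "authenticate"      # look up Auth-Type in the control list
    if section_code == "handled":
        return "send-reply"        # a module already built the reply
    return "rejected"              # anything else: authentication is rejected


def access_request_flow(
    authorize_code: str,
    control: Dict[str, str],
    authenticate_subsections: Dict[str, str],
    post_auth_subsections: List[str],
) -> List[str]:
    """Return the sections executed for one Access-Request, in order.

    control: the control list; only the Auth-Type attribute is consulted here.
    authenticate_subsections: Auth-Type name -> return code that subsection
        produces (a constructed stand-in for actually running its modules).
    post_auth_subsections: names of subsections defined under post-auth,
        e.g. ["Post-Auth-Type Reject"].
    """
    trace = ["authorize"]
    decision = after_authorize(authorize_code)
    if decision == "send-reply":
        return trace                       # reply is sent as-is, nothing else runs

    if decision == "authenticate":
        auth_type = control.get("Auth-Type")
        if auth_type is None or auth_type not in authenticate_subsections:
            # Assumption: no usable Auth-Type means the request cannot be
            # authenticated, so it is treated as a failure.
            trace.append("authenticate(<no Auth-Type>)")
            rejected = True
        else:
            # Only the subsection named by Auth-Type is executed.
            trace.append(f"authenticate({auth_type})")
            rejected = authenticate_subsections[auth_type] in AUTH_FAILURE_CODES
    else:
        rejected = True                    # rejected already in authorize

    if not rejected:
        trace.append("post-auth")          # success: the post-auth section runs
    elif "Post-Auth-Type Reject" in post_auth_subsections:
        trace.append("post-auth(Post-Auth-Type Reject)")
    # On rejection without a Post-Auth-Type Reject subsection, no post-auth
    # processing takes place at all.
    return trace


if __name__ == "__main__":
    # Constructed run: authorize set Auth-Type := PAP, PAP succeeded.
    print(access_request_flow("updated", {"Auth-Type": "PAP"}, {"PAP": "ok"},
                              ["Post-Auth-Type Reject"]))
    # Constructed run: PAP failed and the reply is shaped by Post-Auth-Type Reject.
    print(access_request_flow("updated", {"Auth-Type": "PAP"}, {"PAP": "reject"},
                              ["Post-Auth-Type Reject"]))
```

The last branch is the one worth checking in a real configuration: if post-auth has no Post-Auth-Type Reject subsection, rejected requests skip post-auth entirely, so any logging or reply shaping that only lives in the main post-auth section is never applied to rejections.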
Processing of Accounting requests
Not relevant to our scenario for now, so skipped for the time being.
See the SDL_FreeRADIUS_Tech_Guide_5_Feb.recover.fm document for the details.
Processing of Proxied Authentication requests
Not relevant to our scenario for now, so skipped for the time being.
See the SDL_FreeRADIUS_Tech_Guide_5_Feb.recover.fm document for the details.
Processing of Proxied Accounting requests
Not relevant to our scenario for now, so skipped for the time being.
See the SDL_FreeRADIUS_Tech_Guide_5_Feb.recover.fm document for the details.
Processing of Change of Authorization requests
Not relevant to our scenario for now, so skipped for the time being.
See the SDL_FreeRADIUS_Tech_Guide_5_Feb.recover.fm document for the details.