AUTH::abort¶
Description¶
Cancels any outstanding auth operations in this authentication
session, and generates an AUTH_FAILURE event if there was an
outstanding authentication query in progress. This command invalidates
the specified authentication session ID, which should be discarded
upon calling this command.
Syntax¶
AUTH::abort authid
AUTH::abort authid¶
- Cancels any outstanding auth operations in this authentication session, and generates an AUTH_FAILURE event if there was an outstanding authentication query in progress. This command invalidates the specified authentication session ID, which should be discarded upon calling this command.
Examples¶
This rule demonstrates one possible implementation of a 2-out-of-3
authentication scheme. Three auth servers are contacted simultaneously.
The connection is permitted to proceed as soon as two servers report
success. Note that the success tally is kept per connection (it is
initialised in CLIENT_ACCEPTED), so once the threshold has been met,
later requests on the same connection are not re-authenticated.
when CLIENT_ACCEPTED {
    # Per-connection state: how many auth servers must accept the credentials
    # before the request is released, and how many have done so far.
    set auth_http_sufficient_successes 2
    set auth_http_successes 0
}
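when HTTP_REQUEST {
    # A connection that already reached the threshold is let through without
    # contacting the auth servers again (the tally lives for the connection).
    if {$auth_http_successes >= $auth_http_sufficient_successes} {
        return
    }
    # Start every round from zero. Without this, a single success from an
    # earlier round that ended in a 401 would be added to a single success
    # from this round and satisfy the 2-of-3 threshold.
    set auth_http_successes 0
    # NOTE(review): if the request carries no Authorization header these are
    # presumably empty and the servers are queried with empty credentials;
    # confirm whether a 401 should be sent up front in that case.
    set user [HTTP::username]
    set pass [HTTP::password]
    # Fan the same credentials out to all three PAM configurations at once.
    foreach {type config} {ldap default_ldap radius default_radius tacacs default_tacacs} {
        set auth_sid [AUTH::start pam $config]
        # NOTE(review): AUTH_RESULT guards against a session ID of -1, which
        # suggests AUTH::start can fail; a failed start never produces an
        # AUTH_RESULT, so the collect count below would never reach 0 — confirm.
        set auth_http_sids($type) $auth_sid
        AUTH::username_credential $auth_sid $user
        AUTH::password_credential $auth_sid $pass
        AUTH::authenticate $auth_sid
    }
    # Hold the request until AUTH_RESULT either releases it or answers 401.
    HTTP::collect
    set auth_http_collect_count [array size auth_http_sids]
}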
when AUTH_RESULT {
    # Results that arrive after the round has been torn down are ignored.
    if {[array size auth_http_sids] == 0} {
        return
    }
    set done_sid [AUTH::last_event_session_id]
    set succeeded [expr {[AUTH::status] == 0}]
    if {$succeeded} {
        incr auth_http_successes
    }
    if {$succeeded && $auth_http_successes >= $auth_http_sufficient_successes} {
        # Threshold met: cancel every remaining query and let the request go.
        foreach {type sid} [array get auth_http_sids] {
            unset auth_http_sids($type)
            if {$sid != -1} {
                AUTH::abort $sid
            }
        }
        set auth_http_collect_count 0
        HTTP::release
        return
    }
    # Otherwise retire only the session that just reported, whatever its outcome.
    foreach {type sid} [array get auth_http_sids] {
        if {$sid != $done_sid} {
            continue
        }
        unset auth_http_sids($type)
        AUTH::abort $sid
        incr auth_http_collect_count -1
        if {$auth_http_collect_count == 0} {
            # Every server has reported and the threshold was not reached.
            HTTP::respond 401
        }
        break
    }
}