Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
WIN2008 R2 NPS BEHAVIOR
49 views
Skip to first unread message
hel...@live.fr
Mar 3, 2015, 7:36:24 AM3/3/15
to
Hi,
I'm in charge to develop an extension dll for NPS that runs on WIN2008 R2.
The purpose is to totally bypass Windows user or AD authentication and perform my own authentication rules.
NPS keeps the authorization strategy.
With help of sample mapname shipped with Windows SDK, I tried to make a simple dll that expose the function RadiusExtensionProcess2.
This function only define de status of responseType to rcAccessAccept and should accept all authentication whatever the specified username and password.
But NPS still refer to Windows users to authenticate !
After some google search, I found that NPS has 3 authentication methods and I should use "Accept users without validating credentials". (This setting is a little sensitive...)
Then I use a radius test client to Perform a request.
I can see that the request is accepted but NPS strategy don't assign authorization to the response !
I precise if I use Windows user authentication, NPS assign correctly authorization.
Has someone see this behavior ? Is it normal ?
Do I make something wrong in my function ?
Here is the code I use for the function RadiusExtensionProcess2 :
DWORD
WINAPI
RadiusExtensionProcess2(PRADIUS_EXTENSION_CONTROL_BLOCK pECB)
{
DWORD dwResult;
/* We only process authentication. */
if (pECB->repPoint != repAuthentication)
{
return NO_ERROR;
}
/* We only process Access-Requests. */
if (pECB->rcRequestType != rcAccessRequest)
{
return NO_ERROR;
}
/* Don't process if it's already been rejected. */
if (pECB->rcResponseType == rcAccessReject)
{
return NO_ERROR;
}
dwResult = pECB->SetResponseType(pECB, rcAccessAccept);
pECB->rcResponseType = rcAccessAccept;
return NO_ERROR;
}
I'm in charge to develop an extension dll for NPS that runs on WIN2008 R2.
The purpose is to totally bypass Windows user or AD authentication and perform my own authentication rules.
NPS keeps the authorization strategy.
With help of sample mapname shipped with Windows SDK, I tried to make a simple dll that expose the function RadiusExtensionProcess2.
This function only define de status of responseType to rcAccessAccept and should accept all authentication whatever the specified username and password.
But NPS still refer to Windows users to authenticate !
After some google search, I found that NPS has 3 authentication methods and I should use "Accept users without validating credentials". (This setting is a little sensitive...)
Then I use a radius test client to Perform a request.
I can see that the request is accepted but NPS strategy don't assign authorization to the response !
I precise if I use Windows user authentication, NPS assign correctly authorization.
Has someone see this behavior ? Is it normal ?
Do I make something wrong in my function ?
Here is the code I use for the function RadiusExtensionProcess2 :
DWORD
WINAPI
RadiusExtensionProcess2(PRADIUS_EXTENSION_CONTROL_BLOCK pECB)
{
DWORD dwResult;
/* We only process authentication. */
if (pECB->repPoint != repAuthentication)
{
return NO_ERROR;
}
/* We only process Access-Requests. */
if (pECB->rcRequestType != rcAccessRequest)
{
return NO_ERROR;
}
/* Don't process if it's already been rejected. */
if (pECB->rcResponseType == rcAccessReject)
{
return NO_ERROR;
}
dwResult = pECB->SetResponseType(pECB, rcAccessAccept);
pECB->rcResponseType = rcAccessAccept;
return NO_ERROR;
}
0 new messages