summaryrefslogtreecommitdiffstats
path: root/src/usr/local/captiveportal/radius_authentication.inc
diff options
context:
space:
mode:
authorRenato Botelho <renato@netgate.com>2015-08-25 08:08:24 -0300
committerRenato Botelho <renato@netgate.com>2015-08-25 14:49:54 -0300
commit46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch)
tree32d18dda436ec739c67c489ceb771e8629cd926f /src/usr/local/captiveportal/radius_authentication.inc
parent4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff)
downloadpfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.zip
pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.tar.gz
Move main pfSense content to src/
Diffstat (limited to 'src/usr/local/captiveportal/radius_authentication.inc')
-rw-r--r--src/usr/local/captiveportal/radius_authentication.inc189
1 files changed, 189 insertions, 0 deletions
diff --git a/src/usr/local/captiveportal/radius_authentication.inc b/src/usr/local/captiveportal/radius_authentication.inc
new file mode 100644
index 0000000..9938e24
--- /dev/null
+++ b/src/usr/local/captiveportal/radius_authentication.inc
@@ -0,0 +1,189 @@
+<?php
+/* vim: set expandtab tabstop=4 shiftwidth=4: */
+/*
+ $Id$
+
+ Copyright (c) 2006, Jonathan De Graeve <jonathan.de.graeve@imelda.be>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The names of the authors may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ This code cannot simply be copied and put under the GNU Public License or
+ any other GPL-like (LGPL, GPL2) License.
+
+ This code is made possible thx to samples made by Michael Bretterklieber <michael@bretterklieber.com>
+ author of the PHP PECL Radius package
+
+*/
+
+/*
+ pfSense_MODULE: captiveportal
+*/
+
+/*
+RADIUS AUTHENTICATION
+---------------------
+*/
+
+require_once("CHAP.inc");
+
+function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$clientmac,$ruleno) {
+
+ global $config, $cpzone;
+
+ $retvalue = array();
+ $clientmac = mac_format($clientmac);
+ $nas_port = $ruleno;
+ $radiusvendor = $config['captiveportal'][$cpzone]['radiusvendor'] ? $config['captiveportal'][$cpzone]['radiusvendor'] : null;
+ $radius_protocol = $config['captiveportal'][$cpzone]['radius_protocol'];
+ // Do we even need to set it to NULL?
+ $retvalue['error'] = $retvalue['reply_message'] = $retvalue['url_redirection'] = $retvalue['session_timeout'] = null;
+ $retvalue['idle_timeout'] = $retvalue['session_terminate_time'] = $retvalue['interim_interval'] = null;
+
+ switch($radiusvendor) {
+
+ case 'cisco':
+ $calledstationid = $clientmac;
+ $callingstationid = $clientip;
+ break;
+ default:
+ if (!function_exists('getNasIP'))
+ require_once("captiveportal.inc");
+ $calledstationid = getNasIP();
+ $callingstationid = $clientmac;
+ break;
+ }
+
+ // Create our instance
+ $classname = 'Auth_RADIUS_' . $radius_protocol;
+ $rauth = new $classname($username, $password);
+
+ /*
+ * Add support for more then one radiusserver.
+ * At most 10 servers may be specified.
+ * When multiple servers are given, they are tried in round-robin fashion until a valid response is received
+ */
+ foreach ($radiusservers as $radsrv) {
+ // Add a new server to our instance
+ $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['key']);
+
+ }
+
+ // Construct data package
+ $rauth->username = $username;
+ switch ($radius_protocol) {
+ case 'CHAP_MD5':
+ case 'MSCHAPv1':
+ $classname = $radius_protocol == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5';
+ $crpt = new $classname;
+ $crpt->username = $username;
+ $crpt->password = $password;
+ $rauth->challenge = $crpt->challenge;
+ $rauth->chapid = $crpt->chapid;
+ $rauth->response = $crpt->challengeResponse();
+ $rauth->flags = 1;
+ // If you must use deprecated and weak LAN-Manager-Responses use this:
+ //$rauth->lmResponse = $crpt->lmChallengeResponse();
+ //$rauth->flags = 0;
+ break;
+
+ case 'MSCHAPv2':
+ // Construct data package
+ $crpt = new Crypt_CHAP_MSv2;
+ $crpt->username = $username;
+ $crpt->password = $password;
+ $rauth->challenge = $crpt->authChallenge;
+ $rauth->peerChallenge = $crpt->peerChallenge;
+ $rauth->chapid = $crpt->chapid;
+ $rauth->response = $crpt->challengeResponse();
+ break;
+
+ default:
+ $rauth->password = $password;
+ break;
+ }
+
+ if (PEAR::isError($rauth->start())) {
+ $retvalue['auth_val'] = 1;
+ $retvalue['error'] = $rauth->getError();
+
+ // If we encounter an error immediately stop this function and go back
+ $rauth->close();
+ return $retvalue;
+ }
+
+ // Default attributes
+ $rauth->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
+ $rauth->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
+ $rauth->putAttribute(RADIUS_NAS_PORT, $nas_port, 'integer');
+
+ // Extra data to identify the client and nas
+ $rauth->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, addr);
+ $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
+ $rauth->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
+
+ // Send request
+ $result = $rauth->send();
+
+ // Evaluation of the response
+ // 1 -> Access-Request => We will use this value as an error indicator since we can't get a 1 back from the radius
+ // 2 -> Access-Accept
+ // 3 -> Access-Reject
+ // See RFC2865 for this.
+ if (PEAR::isError($result)) {
+ $retvalue['auth_val'] = 1;
+ $retvalue['error'] = $result->getMessage();
+
+ } else if ($result === true) {
+ $retvalue['auth_val'] = 2;
+
+ } else {
+ $retvalue['auth_val'] = 3;
+
+ }
+
+ // Get attributes, even if auth failed.
+ // We will push the results in the retvalue array
+ if (!$rauth->getAttributes()) {
+ $retvalue['error'] = $rauth->getError();
+
+ } else {
+ $retvalue = array_merge($retvalue,$rauth->listAttributes());
+
+ // We convert the session_terminate_time to unixtimestamp if its set before returning the whole array to our caller
+ if (!empty($retvalue['session_terminate_time'])) {
+ $stt = &$retvalue['session_terminate_time'];
+ $stt = strtotime(preg_replace("/\+(\d+):(\d+)$/", " +\${1}\${2}", preg_replace("/(\d+)T(\d+)/", "\${1} \${2}",$stt)));
+ }
+ }
+
+ // close OO RADIUS_AUTHENTICATION
+ $rauth->close();
+ unset($rauth);
+
+ return $retvalue;
+
+}
+
+?>
OpenPOWER on IntegriCloud