authorScott Ullrich <sullrich@pfsense.org>2005-02-03 21:55:41 +0000
committerScott Ullrich <sullrich@pfsense.org>2005-02-03 21:55:41 +0000
commit1d169e0e8240545bab56cf40e8056a88024bcebb (patch)
tree70dce6ad4a5bfe3980a44201852295f5f984aaa0 /usr/local/captiveportal
parent52d99584b69fbb287e621887502ddf0691f1f825 (diff)
Add T. Howell-Cintron expanded radius attributes patch.
Diffstat (limited to 'usr/local/captiveportal')
-rwxr-xr-xusr/local/captiveportal/index.php30
-rw-r--r--usr/local/captiveportal/radius_accounting.inc43
-rw-r--r--usr/local/captiveportal/radius_authentication.inc4
3 files changed, 58 insertions, 19 deletions
diff --git a/usr/local/captiveportal/index.php b/usr/local/captiveportal/index.php
index 497e506..dcff86f 100755
--- a/usr/local/captiveportal/index.php
+++ b/usr/local/captiveportal/index.php
@@ -44,6 +44,7 @@ $orig_host = $_ENV['HTTP_HOST'];
$orig_request = $_ENV['CAPTIVE_REQPATH'];
$lockfile = "{$g['varrun_path']}/captiveportal.lock";
$clientip = $_ENV['REMOTE_ADDR'];
+$portalip = $_ENV['SERVER_ADDR'];
if (!$clientip) {
/* not good - bail out */
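Review bot: `$portalip` is assigned from `$_ENV['SERVER_ADDR']` here, but no hunk in this commit reads it; only `$portalmac` is passed on to RADIUS_ACCOUNTING_START. Either send it as NAS-IP-Address (attribute 4) in the accounting and authentication packets, which would help the RADIUS server tell portals apart, or drop the assignment so the next reader does not assume it is used. If it is kept, a short comment such as `/* portal address, sent as NAS-IP-Address */` would document the intent.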
@@ -57,6 +58,10 @@ if (!$clientmac && !isset($config['captiveportal']['nomacfilter'])) {
exit;
}
+/* find MAC address for portal */
+$iflist = get_interface_list();
+$portalmac = $iflist[ $config['interfaces'][$config['captiveportal']['interface']]['if'] ]['mac'];
+
if ($clientmac && portal_mac_fixed($clientmac)) {
/* punch hole in ipfw for pass thru mac addresses */
portal_allow($clientip, $clientmac, "unauthenticated");
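Review bot: The `$portalmac` lookup indexes three levels deep without checking that any of them exist, so a missing or renamed captive portal interface leaves `$portalmac` null and the accounting packet then carries an empty Called-Station-Id. A guard such as `$cpif = $config['interfaces'][$config['captiveportal']['interface']]['if'];` followed by `$portalmac = isset($iflist[$cpif]['mac']) ? $iflist[$cpif]['mac'] : "";` makes the fallback explicit. The lookup also runs on every portal request, including the pass-through MAC branch that never sends accounting; moving it next to the RADIUS_ACCOUNTING_START call would avoid the interface enumeration when it is not needed.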
@@ -66,9 +71,16 @@ if ($clientmac && portal_mac_fixed($clientmac)) {
/* authenticate against radius server */
$radiusservers = captiveportal_get_radius_servers();
+ /* determine port type */
+ $port_type = 15; // default to ethernet
+ if ($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless']) {
+ $port_type = 19; // wireless
+ }
+
if ($_POST['auth_user'] && $_POST['auth_pass']) {
$auth_val = RADIUS_AUTHENTICATION($_POST['auth_user'],
$_POST['auth_pass'],
+ $port_type,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['port'],
$radiusservers[0]['key']);
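Review bot: The wireless test here uses the truthiness of `$config['interfaces'][...]['wireless']`, while the same logic in the portal_allow hunk uses `isset(...)`, and the disconnect_client hunk uses truthiness again. If the `wireless` key is present but empty, the three sites would disagree and one session could be reported as port type 19 at Stop and 15 at Start, which makes accounting records harder to correlate. Use `isset($config['interfaces'][$config['captiveportal']['interface']]['wireless'])` in all three places, or better, move the decision into one small helper that returns 15 or 19 so the magic numbers (NAS-Port-Type Ethernet and Wireless-802.11) are named once.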
@@ -77,6 +89,10 @@ if ($clientmac && portal_mac_fixed($clientmac)) {
if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
$auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'],
$sessionid,
+ $port_type,
+ $clientmac,
+ $clientip,
+ $portalmac,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['acctport'],
$radiusservers[0]['key']);
@@ -203,10 +219,16 @@ function portal_allow($clientip,$clientmac,$clientuser) {
for ($i = 0; $i < count($cpdb); $i++) {
if(!strcasecmp($cpdb[$i][2],$clientip)) {
if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
+ $port_type = 15; // default to ethernet
+ if (isset($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless'])) {
+ $port_type = 19; // wireless
+ }
+
RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
$cpdb[$i][4], // username
$cpdb[$i][5], // sessionid
$cpdb[$i][0], // start time
+ $port_type,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['acctport'],
$radiusservers[0]['key']);
@@ -379,10 +401,18 @@ function disconnect_client($sessionid) {
if ($cpdb[$i][5] == $sessionid) {
/* this client needs to be deleted - remove ipfw rules */
if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
+
+ /* determine port type */
+ $port_type = 15; // default to ethernet
+ if ($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless']) {
+ $port_type = 19; // wireless
+ }
+
RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
$cpdb[$i][4], // username
$cpdb[$i][5], // sessionid
$cpdb[$i][0], // start time
+ $port_type,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['acctport'],
$radiusservers[0]['key']);
diff --git a/usr/local/captiveportal/radius_accounting.inc b/usr/local/captiveportal/radius_accounting.inc
index 7004971..398af92 100644
--- a/usr/local/captiveportal/radius_accounting.inc
+++ b/usr/local/captiveportal/radius_accounting.inc
@@ -29,7 +29,7 @@
*/
-function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey) {
+function RADIUS_ACCOUNTING_START($username,$sessionid,$port_type,$stationid,$ipaddr,$portalmac,$radiusip,$radiusport,$radiuskey) {
$sharedsecret=$radiuskey ;
# $debug = 1 ;
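Review bot: The four new parameters of RADIUS_ACCOUNTING_START have no documentation, and their names do not say what format is expected. A header comment above the function should state that `$port_type` is the numeric NAS-Port-Type value, `$stationid` is the client MAC sent as Calling-Station-Id, `$portalmac` is the portal interface MAC sent as Called-Station-Id, and `$ipaddr` is the client address in dotted-quad form sent as Framed-IP-Address. It should also say whether empty values are allowed, since index.php can reach this call without a client MAC when `nomacfilter` is set. The function body continues outside this hunk.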
@@ -58,45 +58,54 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad
6+ // nasPortType
6+ // Acct Status Type
6+ // Acct RADIUS Authenticated
- 2+strlen($sessionid); // Acct SessionID
+ 2+strlen($sessionid)+ // Acct SessionID
+ 2+strlen($stationid)+ // Calling-Station-Id
+ 2+strlen($portalmac)+ // Called-Station-Id
+ 6; // Framed-IP-Address
- // v v v v v v v v v 1 v
- // Line # 1 2 3 4 5 6 7 8 9 0 E
- $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*",
+ // v v v v v v v v v 1 1 1 v
+ // Line # 1 2 3 4 5 6 7 8 9 0 1 2 E
+ $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCN",
4,$thisidentifier,$length/256,$length%256, // header
0,0,0,0, // authcode
6,6,0,0,0,1, // service type
1,2+strlen($username),$username, // username
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
5,6,0,0,0,0, // nasPort
- 61,6,0,0,0,15, // nasPortType = Ethernet
+ 61,6,0,0,0,$port_type, // nasPortType
40,6,0,0,0,1, // Acct Status Type = Start
45,6,0,0,0,1, // Acct RADIUS Authenticated
- 44,2+strlen($sessionid),$sessionid // Acct Session ID
+ 44,2+strlen($sessionid),$sessionid, // Acct Session ID
+ 31,2+strlen($stationid),$stationid, // Calling Station
+ 30,2+strlen($portalmac),$portalmac, // Called Station
+ 8,6,ip2long($ipaddr) // Framed-IP-Address
);
/* Generate Accounting Request Authenticator */
$RA = md5($data.$radiuskey) ;
- // v v v v v v v v v 1 v
- // Line # 1 2 3 4 5 6 7 8 9 0 E
- $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*",
+ // v v v v v v v v v 1 1 1 v
+ // Line # 1 2 3 4 5 6 7 8 9 0 1 2 E
+ $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCN",
4,$thisidentifier,$length/256,$length%256, // header
$RA, // authcode
6,6,0,0,0,1, // service type
1,2+strlen($username),$username, // username
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
5,6,0,0,0,0, // nasPort
- 61,6,0,0,0,15, // nasPortType = Ethernet
+ 61,6,0,0,0,$port_type, // nasPortType
40,6,0,0,0,1, // Acct Status Type = Start
45,6,0,0,0,1, // Acct RADIUS Authenticated
- 44,2+strlen($sessionid),$sessionid // Acct Session ID
+ 44,2+strlen($sessionid),$sessionid, // Acct Session ID
+ 31,2+strlen($stationid),$stationid, // Calling Station
+ 30,2+strlen($portalmac),$portalmac, // Called Station
+ 8,6,ip2long($ipaddr) // Framed-IP-Address
);
if($debug) {
echo "username is $username with len " . strlen($username) ."\n" ;
echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
- }
+ }
$ret = fwrite($fd,$data) ;
if( !$ret || ($ret != $length) )
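Review bot: The three attributes appended to both pack() calls are always emitted, even when their value is empty or invalid: an empty `$stationid` or `$portalmac` produces an attribute of length 2, which RFC 2865 says must be omitted rather than sent, and a failed `ip2long($ipaddr)` packs a meaningless Framed-IP-Address. The one-byte length field `2+strlen(...)` also wraps silently for any value longer than 253 bytes, which would desynchronise the attribute stream from `$length`. Building the optional attributes once, conditionally, and appending the resulting string to both pack() calls removes these cases and keeps `$length` and the two format strings from drifting apart. The failure value of ip2long differs between PHP versions, so the sketch below checks both.

```php
// … unchanged: header fields and attributes 6, 1, 32, 5, 61, 40, 45, 44 …
$attrs = "";
if (strlen($stationid) > 0 && strlen($stationid) <= 253)
    $attrs .= pack("CCa*", 31, 2+strlen($stationid), $stationid);  // Calling-Station-Id
if (strlen($portalmac) > 0 && strlen($portalmac) <= 253)
    $attrs .= pack("CCa*", 30, 2+strlen($portalmac), $portalmac);  // Called-Station-Id
$framedip = ip2long($ipaddr);
if ($framedip !== false && $framedip != -1)
    $attrs .= pack("CCN", 8, 6, $framedip);                        // Framed-IP-Address
// $length adds strlen($attrs); both pack() calls end with "a*" and pass $attrs last
```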
@@ -119,13 +128,13 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad
// See RFC2866 for this.
}
-function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey) {
+function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$port_type,$radiusip,$radiusport,$radiuskey) {
$sharedsecret=$radiuskey ;
# $debug = 1 ;
exec("/bin/hostname", $nasHostname) ;
if(!$nasHostname[0])
- $nasHostname[0] = "quewall" ;
+ $nasHostname[0] = "m0n0wall" ;
$input_pkts = $input_bytes = $output_pkts = $output_bytes = 0 ;
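Review bot: RADIUS_ACCOUNTING_STOP gains only `$port_type`, so the Stop record will not carry the Calling-Station-Id, Called-Station-Id and Framed-IP-Address that the Start record now sends. Accounting consumers that key on those attributes then have to fall back to Acct-Session-Id alone to pair Start and Stop, and the Stop record loses the client identity that is most useful when reviewing sessions afterwards. Consider passing `$cpdb[$i][2]` (the client IP already compared in portal_allow) and the stored MAC through to Stop as well. The Stop packet construction lies mostly outside the visible hunks, so this is based on the signature and the two attribute hunks shown.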
@@ -177,7 +186,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
1,2+strlen($username),$username, // username
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
5,6,0,0,0,0, // nasPort
- 61,6,0,0,0,15, // nasPortType = Ethernet
+ 61,6,0,0,0,$port_type, // nasPortType
40,6,0,0,0,2, // Acct Status Type = Stop
45,6,0,0,0,1, // Acct RADIUS Authenticated
44,2+strlen($sessionid),$sessionid, // Acct Session ID
@@ -201,7 +210,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
1,2+strlen($username),$username, // username
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
5,6,0,0,0,0, // nasPort
- 61,6,0,0,0,15, // nasPortType = Ethernet
+ 61,6,0,0,0,$port_type, // nasPortType
40,6,0,0,0,2, // Acct Status Type = Stop
45,6,0,0,0,1, // Acct RADIUS Authenticated
44,2+strlen($sessionid),$sessionid, // Acct Session ID
diff --git a/usr/local/captiveportal/radius_authentication.inc b/usr/local/captiveportal/radius_authentication.inc
index c106da3..10a2009 100644
--- a/usr/local/captiveportal/radius_authentication.inc
+++ b/usr/local/captiveportal/radius_authentication.inc
@@ -28,7 +28,7 @@
// was also fixed and patches submitted to Edwin. This bug would
// have caused authentication to fail on every access.
-function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey) {
+function RADIUS_AUTHENTICATION($username,$password,$port_type,$radiusip,$radiusport,$radiuskey) {
$sharedsecret=$radiuskey ;
# $debug = 1 ;
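Review bot: Inserting `$port_type` in the middle of the positional parameter list means any caller not updated in this commit will silently shift its arguments, sending the RADIUS server address as the port type and the port as the address. Appending it with a default keeps existing call sites working: `function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey,$port_type = 15) {`. The same applies to the RADIUS_ACCOUNTING_START and RADIUS_ACCOUNTING_STOP signatures changed in radius_accounting.inc. Only the callers in index.php are visible here, so whether other callers exist needs checking.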
@@ -74,7 +74,7 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radius
2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
5,6,0,0,0,0, // nasPort
- 61,6,0,0,0,15 // nasPortType = Ethernet
+ 61,6,0,0,0,$port_type // nasPortType
);
if($debug) {