author | Scott Ullrich <sullrich@pfsense.org> | 2005-03-14 01:57:46 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2005-03-14 01:57:46 +0000 |
commit | 33f0abb1245ac409fbe9e94884fdd531eb1c42cf (patch) | |
tree | 5711af84a800a704b60b12c0cc02239cc31dbdc9 /usr/local/captiveportal | |
parent | 12ee8fe4a25d6fcda720a171c102f48d9bcceb5c (diff) | |
Restore 1.2b5's captive portal. 1.2b7 + radius == boom.
Diffstat (limited to 'usr/local/captiveportal')
-rwxr-xr-x | usr/local/captiveportal/index.php | 83 | ||||
-rw-r--r-- | usr/local/captiveportal/radius_accounting.inc | 59 | ||||
-rw-r--r-- | usr/local/captiveportal/radius_authentication.inc | 148 |
3 files changed, 33 insertions, 257 deletions
diff --git a/usr/local/captiveportal/index.php b/usr/local/captiveportal/index.php index 1f35a57..497e506 100755 --- a/usr/local/captiveportal/index.php +++ b/usr/local/captiveportal/index.php @@ -27,10 +27,6 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - This version of index.php has been modified by Rob Parker - <rob.parker@keycom.co.uk>. Changes made are in relation to Per-User Bandwidth - Management based on returned RADIUS attributes, and are (c) 2004 Keycom PLC. */ require("globals.inc"); @@ -63,12 +59,7 @@ if (!$clientmac && !isset($config['captiveportal']['nomacfilter'])) { if ($clientmac && portal_mac_fixed($clientmac)) { /* punch hole in ipfw for pass thru mac addresses */ - // KEYCOM: passthru mac bandwidth control] - if (isset($config['captiveportal']['peruserbw'])) { - portal_allow($clientip, $clientmac, "unauthenticated",$config['captiveportal']['bwauthmacup'],$config['captiveportal']['bwauthmacdn']); - } else { - portal_allow($clientip, $clientmac, "unauthenticated",0,0); - } + portal_allow($clientip, $clientmac, "unauthenticated"); } else if ($_POST['accept'] && file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { 
@@ -81,23 +72,14 @@ if ($clientmac && portal_mac_fixed($clientmac)) { $radiusservers[0]['ipaddr'], $radiusservers[0]['port'], $radiusservers[0]['key']); - $auth_returns = explode("/", $auth_val); - $auth_val = $auth_returns[0]; - $bw_up = $auth_returns[1]; - $bw_down = $auth_returns[2]; if ($auth_val == 2) { - if (isset($config['captiveportal']['peruserbw'])) { - $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user'],$bw_up,$bw_down); - } else { - $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user'],0,0); - } + $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user']); if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { $auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'], $sessionid, $radiusservers[0]['ipaddr'], $radiusservers[0]['acctport'], - $radiusservers[0]['key'], - $clientip); + $radiusservers[0]['key']); } } else { readfile("{$g['varetc_path']}/captiveportal-error.html"); @@ -107,20 +89,7 @@ if ($clientmac && portal_mac_fixed($clientmac)) { } } else if ($_POST['accept'] && $clientip) { - //KEYCOM: authorised up and down bandwidth defaults (set from webgui). If not set, use 128/128 - if (isset($config['captiveportal']['peruserbw'])) { - $bw_up=$config['captiveportal']['bwauthipup']; - $bw_down=$config['captiveportal']['bwauthipdn']; - if(!isset($bw_up)) { - $bw_up=128; - } - if(!isset($bw_down)) { - $bw_down=128; - } - portal_allow($clientip, $clientmac, "unauthenticated",$bw_up,$bw_down); - } else { - portal_allow($clientip, $clientmac, "unauthenticated",0,0); - } + portal_allow($clientip, $clientmac, "unauthenticated"); } else if ($_POST['logout_id']) { disconnect_client($_POST['logout_id']); echo <<<EOD 
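Review bot: The value returned by RADIUS_ACCOUNTING_START is assigned to `$auth_val` and then never examined within this hunk, so an accounting start that times out or is not answered with Accounting-Response (code 5, per the comment in radius_accounting.inc) leaves the session active with no accounting record and, after this commit, no log line either; overwriting the variable that held the authentication result also makes any later read of `$auth_val` misleading. Keep the two results apart and check the second one, e.g. `$acct_val = RADIUS_ACCOUNTING_START(...)` followed by `if ($acct_val != 5) syslog(LOG_WARNING, "RADIUS Accounting-Start failed (code $acct_val)");`. `$auth_val == 2` would read more precisely as `=== 2`, since RADIUS_AUTHENTICATION returns an int. The surrounding if/else chain begins before this hunk.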
@@ -150,7 +119,7 @@ EOD;
 if (isset($config['captiveportal']['httpslogin']))
 $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext);
 else
- $htmltext = str_replace("\$PORTAL_ACTION\$", "", $htmltext);
+ $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext);
 if (preg_match("/redirurl=(.*)/", $orig_request, $matches))
 $redirurl = urldecode($matches[1]);
@@ -184,7 +153,7 @@ function portal_mac_fixed($clientmac) {
 return FALSE ;
 }
-function portal_allow($clientip,$clientmac,$clientuser,$bw_up,$bw_down) {
+function portal_allow($clientip,$clientmac,$clientuser) {
 global $orig_host, $orig_request, $g, $config;
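Review bot: With `httpslogin` unset, the login form's action now becomes an absolute `http://<interface ipaddr>:8000/` URL, so the credentials (`auth_user` and the password field) are posted in cleartext to the portal's own listener; the previous empty action posted to the same cleartext origin, so this is not a regression, but the `else` branch deserves a comment making the trade-off visible, e.g. `/* no httpslogin: form posts credentials unencrypted to the portal's http listener on :8000 */`. If `ipaddr` for the configured interface can hold something other than a literal address, the generated URL would be unusable — worth confirming against the config schema, which is not visible here. The code around this hunk continues outside it.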
@@ -206,26 +175,6 @@ function portal_allow($clientip,$clientmac,$clientuser,$bw_up,$bw_down) {
 /* add ipfw rules for layer 3 */
 exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");
 exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");
-
- /* KEYCOM: add ipfw rules for dummynet based on bw_up and bw_down */
- //we're just copying them by adding on some and hoping no collision will occur
- //2000 users would be expecting a bit much from a WAP ;)
-
- //we're using fixed rule numbers which are 'a step above' the m0n0 ones
- //this makes sure we always know where our rules are, and taht they are deleted when m0n0's are
- //they're set so they shouldn't hit anything important, and also so they are in roughly the right position in the fw.
-
- //of course, we only need to do this if it's enabled in the config
- if (isset($config['captiveportal']['peruserbw'])) {
- $up_rule_number = $ruleno + 40500;
- $down_rule_number = $ruleno + 45500;
- $lanif = $config['interfaces']['lan']['if'];
- exec("/sbin/ipfw add $up_rule_number set 4 pipe $up_rule_number ip from $clientip to any via $lanif");
- exec("/sbin/ipfw add $down_rule_number set 4 pipe $down_rule_number ip from any to $clientip via $lanif");
- exec("/sbin/ipfw pipe $up_rule_number config bw " . trim($bw_up) . "Kbit/s queue 10");
- exec("/sbin/ipfw pipe $down_rule_number config bw " . trim($bw_down) . "Kbit/s queue 10");
- }
- /* done */
 /* add ipfw rules for layer 2 */
 if (!isset($config['captiveportal']['nomacfilter'])) {
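Review bot: `$clientip` is interpolated unescaped into the two `/sbin/ipfw add ...` strings handed to exec() on the surviving context lines; where the value originates is not visible in this hunk, so if it is ever taken from the request rather than validated as a dotted quad, a guard such as `if (!preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $clientip)) return;` before the first exec() — or `escapeshellarg($clientip)` in the command — would bound what reaches the shell. The removed lines had the same shape with `$bw_up`/`$bw_down`, so the pattern is established in this function; a single validation at the top of portal_allow would cover every exec() below it. portal_allow begins before this hunk.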
@@ -260,17 +209,9 @@ function portal_allow($clientip,$clientmac,$clientuser,$bw_up,$bw_down) { $cpdb[$i][0], // start time $radiusservers[0]['ipaddr'], $radiusservers[0]['acctport'], - $radiusservers[0]['key'], - $clientip); - } - //KEYCOM: we need to delete +40500 and +45500 as well... - //these are the rule numbers we use to control traffic shaping for each logged in user via captive portal - mwexec("/sbin/ipfw delete " . $cpdb[$i][1]); - //we only need to remove our rules if peruserbw is turned on. - if(isset($config['captiveportal']['peruserbw'])) { - mwexec("/sbin/ipfw delete " . ($cpdb[$i][1]+40500)); - mwexec("/sbin/ipfw delete " . ($cpdb[$i][1]+45500)); + $radiusservers[0]['key']); } + mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); unset($cpdb[$i]); break; } @@ -444,15 +385,9 @@ function disconnect_client($sessionid) { $cpdb[$i][0], // start time $radiusservers[0]['ipaddr'], $radiusservers[0]['acctport'], - $radiusservers[0]['key'], - $clientip); + $radiusservers[0]['key']); } - //again we need to remve +40500 and +45500 as well, if they exist mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); - if(isset($config['captiveportal']['peruserbw'])) { - mwexec("/sbin/ipfw delete " . ($cpdb[$i][1]+40500)); - mwexec("/sbin/ipfw delete " . ($cpdb[$i][1]+45500)); - } unset($cpdb[$i]); break; } diff --git a/usr/local/captiveportal/radius_accounting.inc b/usr/local/captiveportal/radius_accounting.inc index 1aac92d..7004971 100644 --- a/usr/local/captiveportal/radius_accounting.inc +++ b/usr/local/captiveportal/radius_accounting.inc 
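Review bot: The cleanup `mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));` now appears verbatim in this hunk and in the disconnect_client hunk at -444, with the `+10000` offset as an unexplained literal (presumably the companion rule portal_allow installs elsewhere; not visible here). Pulling it into a small helper such as `portal_delete_rules($ruleno)` with a one-line comment naming the offset would keep the two paths from drifting again, which is exactly what the removed per-user bandwidth code had done to them. Both enclosing functions begin outside the hunk.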
@@ -26,16 +26,10 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - // This version of radius_accounting.inc has been modified by - // Rob Parker <rob.parker@keycom.co.uk>. Changes made include: - // * now sends Framed-IP-Address (client IP) - // * now sends Called-Station-ID (NAS IP) - // * now sends Calling-Station-ID (client IP) */ -function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey,$clientip) { +function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; @@ -50,14 +44,6 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad /* set 5 second timeout on socket i/o */ stream_set_timeout($fd, 5) ; - $nas_ip_address=get_current_wan_address(); - - if(!isset($clientip)) { - //if there's no client ip, we'll need to use the NAS ip - $clientip=get_current_wan_address(); - } - $ip_exp=explode(".",$clientip); - if ($debug) echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n"; @@ -72,12 +58,11 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad 6+ // nasPortType 6+ // Acct Status Type 6+ // Acct RADIUS Authenticated - 2+strlen($sessionid)+ // Acct SessionID - 6; // Framed-IP-Address + 2+strlen($sessionid); // Acct SessionID // v v v v v v v v v 1 v // Line # 1 2 3 4 5 6 7 8 9 0 E - $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCCCCC", + $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*", 4,$thisidentifier,$length/256,$length%256, // header 0,0,0,0, // authcode 6,6,0,0,0,1, // service type 
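Review bot: The Acct-Session-Id attribute length `2+strlen($sessionid)` is packed into a single `C` octet, so a session id longer than 253 bytes silently produces a wrong length field and a malformed packet; where `$sessionid` is generated is not visible here, so if it is a fixed-size internal id this is harmless, otherwise a guard such as `if (strlen($sessionid) > 253) $sessionid = substr($sessionid, 0, 253);` belongs before the length computation. `$length/256` is also a float handed to a `C` format; `(int)($length / 256)` says what is meant. The same two points apply to the Accounting-Stop hunks at -193 and -225.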
@@ -87,8 +72,7 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad 61,6,0,0,0,15, // nasPortType = Ethernet 40,6,0,0,0,1, // Acct Status Type = Start 45,6,0,0,0,1, // Acct RADIUS Authenticated - 44,2+strlen($sessionid),$sessionid, // Acct Session ID - 8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3] //Framed-IP-Address + 44,2+strlen($sessionid),$sessionid // Acct Session ID ); /* Generate Accounting Request Authenticator */ @@ -96,7 +80,7 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad // v v v v v v v v v 1 v // Line # 1 2 3 4 5 6 7 8 9 0 E - $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCCCCC", + $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*", 4,$thisidentifier,$length/256,$length%256, // header $RA, // authcode 6,6,0,0,0,1, // service type @@ -106,8 +90,7 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad 61,6,0,0,0,15, // nasPortType = Ethernet 40,6,0,0,0,1, // Acct Status Type = Start 45,6,0,0,0,1, // Acct RADIUS Authenticated - 44,2+strlen($sessionid),$sessionid, // Acct Session ID - 8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3] //Framed-IP-Address + 44,2+strlen($sessionid),$sessionid // Acct Session ID ); if($debug) { @@ -131,14 +114,12 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad else $retvalue = ord($readdata) ; - syslog(LOG_INFO,"Sent Accounting-Request Start packet to RADIUS for $username"); - return $retvalue ; // 5 -> Accounting-Response // See RFC2866 for this. } -function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip) { +function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; 
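Review bot: After the -131 hunk RADIUS_ACCOUNTING_START logs nothing at all, and the visible index.php caller does not inspect the return, so an accounting server that is unreachable or does not answer with Accounting-Response leaves no trace locally. Rather than reinstating the unconditional info line, log failures only, just before `return $retvalue ;`: `if ($retvalue != 5) syslog(LOG_WARNING, "RADIUS Accounting-Start returned code $retvalue");`. The same applies to the Accounting-Stop hunk at -267. `$username` comes straight from the login form (`$_POST['auth_user']` in index.php), so keep it out of log lines that are parsed mechanically, or sanitize it first.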
@@ -165,14 +146,6 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius /* set 5 second timeout on socket i/o */ stream_set_timeout($fd, 5) ; - $nas_ip_address=get_current_wan_address(); - - if(!isset($clientip)) { - //if there's no client ip, we'll need to use the NAS ip - $clientip=get_current_wan_address(); - } - $ip_exp=explode(".",$clientip); - if ($debug) echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n"; @@ -193,13 +166,11 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 6+ // input bytes 6+ // input packets 6+ // output bytes - 6+ // output packets - 2+strlen($nas_ip_address)+ //Called-Station-ID - 2+strlen($clientip); //Calling-Station-ID + 6; // output packets // v v v v v v v v v 1 1 1 1 1 1 1 v // Line # 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 E - $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCa*CCa*", + $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCN", 4,$thisidentifier,$length/256,$length%256, // header 0,0,0,0, // authcode 6,6,0,0,0,1, // service type @@ -215,9 +186,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 42,6,$input_bytes, // Input Octets 47,6,$input_pkts, // Input Packets 43,6,$output_bytes, // Output Octets - 48,6,$output_pkts, // Output Packets - 30,2+strlen($nas_ip_address),$nas_ip_address, //Called-Station-ID - 31,2+strlen($clientip),$clientip //Calling-Station-ID + 48,6,$output_pkts // Output Packets ); /* Generate Accounting Request Authenticator */ 
@@ -225,7 +194,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
 // v v v v v v v v v 1 1 1 1 1 1 1 v
 // Line # 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 E
- $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCa*CCa*",
+ $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCN",
 4,$thisidentifier,$length/256,$length%256, // header
 $RA, // authcode
 6,6,0,0,0,1, // service type
@@ -241,9 +210,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
 42,6,$input_bytes, // Input Octets
 47,6,$input_pkts, // Input Packets
 43,6,$output_bytes, // Output Octets
- 48,6,$output_pkts, // Output Packets
- 30,2+strlen($nas_ip_address),$nas_ip_address, //Called-Station-ID
- 31,2+strlen($clientip),$clientip //Calling-Station-ID
+ 48,6,$output_pkts // Output Packets
 );
 if($debug) {
@@ -267,8 +234,6 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
 else
 $retvalue = ord($readdata) ;
- syslog(LOG_INFO,"Sent Accounting-Request Stop packet to RADIUS for $username");
-
 return $retvalue ;
 // 5 -> Accounting-Response
 // See RFC2866 for this.
diff --git a/usr/local/captiveportal/radius_authentication.inc b/usr/local/captiveportal/radius_authentication.inc
index 77d263a..c106da3 100644
--- a/usr/local/captiveportal/radius_authentication.inc
+++ b/usr/local/captiveportal/radius_authentication.inc
@@ -28,33 +28,9 @@ // was also fixed and patches submitted to Edwin. This bug would // have caused authentication to fail on every access. - // This version of radius_authentication.inc has been modified by - // Rob Parker <rob.parker@keycom.co.uk>. Changes made include: - // * move to fread() from fgets() to ensure binary safety - // * ability to read back specific attributes from a - // RADIUS Access-Accept packet - // * these attributes (in this version, Nomadix-Bw-Up and -Down, - // which are Nomadix vendor specific attributes to be passed back - // to index.php of m0n0wall to create dummynet rules for per-user - // radius-based bandwidth restriction. - // * IMPORTANT NOTE: this function no longer returns a simple integer - // of '2' for Access-Accept, and '3' for Access-Deny. It will return - // x/y/z, where x = 2 or 3 (Accept or Deny), y = up bandwidth, if - // enabled in web gui, and z = down bandwidth. These will be empty if - // per user bw is disabled in webgui. - // * these changes are (c) 2004 Keycom PLC. - function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey) { - global $config; - - //radius database, hack this if we need to - - $radius_db[1]=="Nomadix-Bw-Up"; - $radius_db[2]=="Nomadix-Bw-Down"; - $radius_db[5]=="Nomadix-Expiration"; - $sharedsecret=$radiuskey ; - #$debug = 1 ; + # $debug = 1 ; exec("/bin/hostname", $nasHostname) ; if(!$nasHostname[0]) @@ -88,9 +64,6 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radius 6; // nasPortType $thisidentifier=rand()%256; - - - // v v v v v v v v v // Line # 1 2 3 4 5 6 7 8 E $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC", 
@@ -117,113 +90,16 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radius if ($debug) echo "<br>writing $length bytes<hr>\n"; - - //RADIUS attributes returned in Access-Accept packet. - - #turn off magic quotes so we're binary-safe on fread. - set_magic_quotes_runtime(0); - $readdata = fread($fd,1024); - $pack_upack = unpack("Ctype/Cuid/nlength/A16resp/A*payload",$readdata); - if($pack_upack[type]==2) { - //only for 'Access-Accept' packets, otherwise throw back the number so error page is shown - $payload_upack = unpack("Cnum/Clen/C*value",$pack_upack[payload]); - $used_upack = $payload_upack; - - while(count($used_upack)>=1) { - //the payload contains two initial packets we need to record (number, and payload) - $attribute_number++; - $packet_type=array_shift($used_upack); //push the type off - $attributes[$attribute_number][]=$packet_type; - $packet_length=array_shift($used_upack); //push the length off - $attributes[$attribute_number][]=$packet_length; - //iterate until the end of this attribute - for($n=1;$n<=$packet_length-2;$n+=1) { - $attributes[$attribute_number][]=array_shift($used_upack); - } - } - - //at this stage, $attribute contains a list of ALL attributes that were sent (well, the first 1kbyte of them anyway, - //change fread above to alter the quantity of data read from the socket. - //we're only interested in two specific nomadix (3309) attributes (1 and 2, Bw-Up and Bw-Down) - - for($n=1;$n<=count($attributes);$n+=1) { - if($attributes[$n][0]=="26") { //VSA attribs - if((($attributes[$n][4]*256)+$attributes[$n][5])=="3309") { //just nomadix - switch($attributes[$n][6]) { //nomadix packet type - //we do this *256 because otherwise we'd need to unpack the packet - //again with a different packet format. which is a waste of time for now. - case "1": - $bw_up = 0; - $bw_up += $attributes[$n][10]*256; - $bw_up += $attributes[$n][11]; - if ($debug) {echo ">>VSA: Nomadix-Bw-Up=" . $bw_up . 
"kbit\n";} - break; - case "2": - $bw_down = 0; - $bw_down += $attributes[$n][10]*256; - $bw_down += $attributes[$n][11]; - if ($debug) {echo ">>VSA: Nomadix-Bw-Down=" . $bw_down . "kbit\n";} - break; - default: - if ($debug) {echo ">>VSA: Unknown Nomadix Packet (" . $attributes[$n][6] . ")!\n";} - } - } - } - } - //end RADIUS attribute return code. - - $status = socket_get_status($fd) ; - fclose($fd) ; - - if($status['timed_out']) - $retvalue = 1 ; - else - $retvalue = $pack_upack[type]; - - if($debug) { - switch($retvalue) { - case 1: - echo "Socket Failure!\n"; - break; - case 2: - echo "Access-Accept!\n"; - break; - case 3: - echo "Access-Reject!\n"; - break; - default: - echo "Unknown Reply!\n"; - } - } - - //what happens if there's no Nomadix attributes set, but the user has this turned on? - //we give them a default of 64kbit. this should be an option in the webgui too. - if(!isset($bw_up)) { - //go for default bw up - $bw_up==$config['captiveportal']['bwdefaultup']; - if(!isset($bw_up)) { - $bw_up=64; - } - } - if(!isset($bw_down)) { - //go for default bw down - $bw_down==$config['captiveportal']['bwdefaultdn']; - if(!isset($bw_down)) { - $bw_down=64; - } - } - - //whilst we're debugging, we're also going to syslog this - syslog(LOG_INFO,"Authenticated user $username. Setting bandwidth to $bwdown/$bwup KBit/s"); - - return $retvalue . "/" . $bw_up . "/" . $bw_down; - } else { - //we're returning 5kbit/s each way here, but really it doesn't matter - //if it's a 3, it's Access-Reject anyway, so the user will actually get - //nothing at all. :) - syslog(LOG_INFO,"Authentication failed for $username"); - return "3/5/5"; - } + $readdata = fgets($fd,2) ; /* read 1 byte */ + $status = socket_get_status($fd) ; + fclose($fd) ; + + if($status['timed_out']) + $retvalue = 1 ; + else + $retvalue = ord($readdata) ; + + return $retvalue ; // 2 -> Access-Accept // 3 -> Access-Reject // See RFC2865 for this. 
@@ -249,4 +125,4 @@ function Encrypt($password,$key,$RA) { } return $output; } -?>
\ No newline at end of file +?> |