authorRoberto Nunnari <roberto.nunnari@supsi.ch>2011-11-29 15:16:35 +0100
committerRoberto Nunnari <roberto.nunnari@supsi.ch>2011-11-29 15:16:35 +0100
commitb3765f4c403c6e1a511ae640562f3c6ab67ed2cc (patch)
treea73ec2271445fb2e14163b859c309913ad6c98d5 /usr/local
parent16106d2e4b7f793badb5dc235f3e1622d15b93a8 (diff)
downloadpfsense-b3765f4c403c6e1a511ae640562f3c6ab67ed2cc.zip
pfsense-b3765f4c403c6e1a511ae640562f3c6ab67ed2cc.tar.gz
- Added support for MSCHAPv2, MSCHAPv1 and CHAP_MD5 to captive portal
- Corrected bug in javascript function enable_change(enable_change)
Diffstat (limited to 'usr/local')
-rw-r--r--usr/local/captiveportal/radius_authentication.inc38
-rwxr-xr-xusr/local/www/services_captiveportal.php37
2 files changed, 71 insertions, 4 deletions
diff --git a/usr/local/captiveportal/radius_authentication.inc b/usr/local/captiveportal/radius_authentication.inc
index 28802ee..da09fdc 100644
--- a/usr/local/captiveportal/radius_authentication.inc
+++ b/usr/local/captiveportal/radius_authentication.inc
@@ -46,6 +46,8 @@ RADIUS AUTHENTICATION
---------------------
*/
+require_once("CHAP.inc");
+
function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$clientmac,$ruleno) {
global $config, $cpzone;
@@ -55,6 +57,7 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$cli
$clientmac = mac_format($clientmac);
$nas_port = $ruleno;
$radiusvendor = $config['captiveportal'][$cpzone]['radiusvendor'] ? $config['captiveportal'][$cpzone]['radiusvendor'] : null;
+ $radius_protocol = $config['captiveportal'][$cpzone]['radius_protocol'];
// Do we even need to set it to NULL?
$retvalue['error'] = $retvalue['reply_message'] = $retvalue['url_redirection'] = $retvalue['session_timeout'] = $retvalue['idle_timeout'] = $retvalue['session_terminate_time'] = null;
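Review bot: `$radius_protocol` is read straight from the zone config with no default and no check against the values the form offers, unlike `$radiusvendor` on the line above, so a configuration saved before this field existed yields null (with a notice), and `new $classname` in the next hunk (@@ -74) then tries to instantiate the class `Auth_RADIUS_`, which is a fatal error rather than a failed login. Because the value also becomes part of a class name, it should be reduced to the known set before use: `$radius_protocol = in_array($config['captiveportal'][$cpzone]['radius_protocol'], array('PAP', 'CHAP_MD5', 'MSCHAPv1', 'MSCHAPv2'), true) ? $config['captiveportal'][$cpzone]['radius_protocol'] : 'PAP';`. The posted value is likewise stored without validation in the services_captiveportal.php hunk at @@ -268. RADIUS_AUTHENTICATION's body continues outside the hunk.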
@@ -74,7 +77,8 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$cli
}
// Create our instance
- $rauth = new Auth_RADIUS_PAP($username, $password);
+ $classname = 'Auth_RADIUS_' . $radius_protocol;
+ $rauth = new $classname($username, $password);
/*
* Add support for more then one radiusserver.
@@ -89,7 +93,37 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$cli
// Construct data package
$rauth->username = $username;
- $rauth->password = $password;
+ switch ($radius_protocol) {
+ case 'CHAP_MD5':
+ case 'MSCHAPv1':
+ $classname = $radius_protocol == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5';
+ $crpt = new $classname;
+ $crpt->username = $username;
+ $crpt->password = $password;
+ $rauth->challenge = $crpt->challenge;
+ $rauth->chapid = $crpt->chapid;
+ $rauth->response = $crpt->challengeResponse();
+ $rauth->flags = 1;
+ // If you must use deprecated and weak LAN-Manager-Responses use this:
+ //$rauth->lmResponse = $crpt->lmChallengeResponse();
+ //$rauth->flags = 0;
+ break;
+
+ case 'MSCHAPv2':
+ // Construct data package
+ $crpt = new Crypt_CHAP_MSv2;
+ $crpt->username = $username;
+ $crpt->password = $password;
+ $rauth->challenge = $crpt->authChallenge;
+ $rauth->peerChallenge = $crpt->peerChallenge;
+ $rauth->chapid = $crpt->chapid;
+ $rauth->response = $crpt->challengeResponse();
+ break;
+
+ default:
+ $rauth->password = $password;
+ break;
+ }
if (PEAR::isError($rauth->start())) {
$retvalue['auth_val'] = 1;
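Review bot: The `$classname` local in the `CHAP_MD5`/`MSCHAPv1` branch reuses the variable that held the `Auth_RADIUS_*` class name a few lines earlier (hunk @@ -74), so one name stands for two different classes within the same function; a distinct name such as `$chapclass = $radius_protocol == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5';` followed by `$crpt = new $chapclass;` reads better. The `// Construct data package` comment inside the MSCHAPv2 case repeats the one above the switch and can go. `$rauth->flags = 1` is applied to CHAP_MD5 as well as MSCHAPv1; whether the CHAP_MD5 authenticator has such an attribute is not visible here, and if it does not the assignment only creates a dynamic property, so it would be clearer to set it in an MSCHAPv1-only branch. The enclosing function continues outside the hunk.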
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php
index 09aacb4..b1e9a6a 100755
--- a/usr/local/www/services_captiveportal.php
+++ b/usr/local/www/services_captiveportal.php
@@ -106,6 +106,7 @@ if (isset($cpzone) && $a_cp[$cpzone]) {
$pconfig['bwdefaultup'] = $a_cp[$cpzone]['bwdefaultup'];
$pconfig['nomacfilter'] = isset($a_cp[$cpzone]['nomacfilter']);
$pconfig['noconcurrentlogins'] = isset($a_cp[$cpzone]['noconcurrentlogins']);
+ $pconfig['radius_protocol'] = $a_cp[$cpzone]['radius_protocol'];
$pconfig['redirurl'] = $a_cp[$cpzone]['redirurl'];
$pconfig['radiusip'] = $a_cp[$cpzone]['radiusip'];
$pconfig['radiusip2'] = $a_cp[$cpzone]['radiusip2'];
@@ -268,6 +269,7 @@ if ($_POST) {
$newcp['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false;
$newcp['nomacfilter'] = $_POST['nomacfilter'] ? true : false;
$newcp['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false;
+ $newcp['radius_protocol'] = $_POST['radius_protocol'];
$newcp['redirurl'] = $_POST['redirurl'];
if (isset($_POST['radiusip']))
$newcp['radiusip'] = $_POST['radiusip'];
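Review bot: `$newcp['radius_protocol'] = $_POST['radius_protocol'];` reads the key unconditionally, whereas the `radiusip` assignment just below is guarded with `isset`; the radio group is disabled by `enable_change()` whenever RADIUS is not the selected auth method (hunk @@ -381), and a disabled control is not submitted with the form, so saving a zone with any other auth method stores a missing value and raises a notice. Guard the read and restrict it to the four offered values so that nothing else reaches the class-name construction in radius_authentication.inc: `$newcp['radius_protocol'] = (isset($_POST['radius_protocol']) && in_array($_POST['radius_protocol'], array('PAP', 'CHAP_MD5', 'MSCHAPv1', 'MSCHAPv2'), true)) ? $_POST['radius_protocol'] : 'PAP';`. The enclosing `if ($_POST)` block starts and ends outside the hunk.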
@@ -381,7 +383,10 @@ function enable_change(enable_change) {
document.iform.auth_method[0].disabled = endis;
document.iform.auth_method[1].disabled = endis;
document.iform.auth_method[2].disabled = endis;
- document.iform.auth_method[3].disabled = endis;
+ document.iform.radius_protocol[0].disabled = radius_endis;
+ document.iform.radius_protocol[1].disabled = radius_endis;
+ document.iform.radius_protocol[2].disabled = radius_endis;
+ document.iform.radius_protocol[3].disabled = radius_endis;
document.iform.radmac_enable.disabled = radius_endis;
document.iform.httpslogin_enable.disabled = endis;
document.iform.radmac_format.disabled = radius_endis;
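Review bot: The four `document.iform.radius_protocol[n].disabled = radius_endis;` lines hard-code the radio count, so removing a protocol from the form below (hunk @@ -593) without touching this function throws on the missing index and aborts the rest of `enable_change`, while adding one leaves the new radio permanently enabled. A loop over the group removes that coupling: `for (var i = 0; i < document.iform.radius_protocol.length; i++)` / `document.iform.radius_protocol[i].disabled = radius_endis;`. `enable_change` and the `endis`/`radius_endis` locals it uses begin outside the hunk.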
@@ -593,7 +598,35 @@ function enable_change(enable_change) {
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
- </table>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Radius Protocol"); ?></td>
+ <td width="78%" class="vtable">
+ <table cellpadding="0" cellspacing="0">
+ <tr>
+ <td colspan="2"><input name="radius_protocol" type="radio" id="radius_protocol" value="PAP" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="radius" && $pconfig['radius_protocol']!="CHAP_MD5" && $pconfig['radius_protocol']!="MSCHAPv1" && $pconfig['radius_protocol']!="MSCHAPv2") echo "checked"; ?>>
+ <?=gettext("PAP"); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2"><input name="radius_protocol" type="radio" id="radius_protocol" value="CHAP_MD5" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="radius" && $pconfig['radius_protocol']=="CHAP_MD5") echo "checked"; ?>>
+ <?=gettext("CHAP_MD5"); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2"><input name="radius_protocol" type="radio" id="radius_protocol" value="MSCHAPv1" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="radius" && $pconfig['radius_protocol']=="MSCHAPv1") echo "checked"; ?>>
+ <?=gettext("MSCHAPv1"); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2"><input name="radius_protocol" type="radio" id="radius_protocol" value="MSCHAPv2" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="radius" && $pconfig['radius_protocol']=="MSCHAPv2") echo "checked"; ?>>
+ <?=gettext("MSCHAPv2"); ?></td>
+ </tr><tr>
+ <td>&nbsp;</td>
+ <td>&nbsp;</td>
+ </tr>
+ </table>
+ </tr><tr>
+ <td>&nbsp;</td>
+ <td>&nbsp;</td>
+ </tr>
+ </table>
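Review bot: All four radio inputs carry the same `id="radius_protocol"`, which is invalid HTML (ids must be unique in a document) and makes any `getElementById` lookup ambiguous; since the group is addressed by `name` through `document.iform.radius_protocol`, either drop the `id` attributes or make them distinct, e.g. `id="radius_protocol_pap"`. The PAP radio is only pre-checked when `$pconfig['auth_method']=="radius"`, so on a zone configured with another auth method no protocol is selected, and a user who switches to RADIUS in the browser submits no `radius_protocol` at all; dropping the `$pconfig['auth_method']=="radius" &&` clause from the PAP condition makes PAP the visible default in that case. The surrounding table markup starts outside the hunk.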
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
<td colspan="2" valign="top" class="optsect_t2"><?=gettext("Primary RADIUS server"); ?></td>