Unbreak radius auth

5 files changed, 509 insertions, 439 deletions

diff --git a/usr/local/captiveportal/radius_accounting.inc b/usr/local/captiveportal/radius_accounting.inc
index 9744809..15325ae 100644
--- a/usr/local/captiveportal/radius_accounting.inc
+++ b/usr/local/captiveportal/radius_accounting.inc
@@ -1,293 +1,316 @@
 <?php
+/* vim: set expandtab tabstop=4 shiftwidth=4: */
 /*
-	radius_accounting.inc
-	part of m0n0wall (http://m0n0.ch/wall)
-	
-	Copyright (C) 2004 Dinesh Nair <dinesh@alphaque.com>
-	All rights reserved.
-	
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are met:
-	
-	1. Redistributions of source code must retain the above copyright notice,
-	   this list of conditions and the following disclaimer.
-	
-	2. Redistributions in binary form must reproduce the above copyright
-	   notice, this list of conditions and the following disclaimer in the
-	   documentation and/or other materials provided with the distribution.
-	
-	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-	POSSIBILITY OF SUCH DAMAGE.
-
-	// This version of radius_accounting.inc has been modified by
-	// Rob Parker <rob.parker@keycom.co.uk>. Changes made include:
-	// * now sends Framed-IP-Address (client IP)
-	// * now sends Called-Station-ID (NAS IP)
-	// * now sends Calling-Station-ID (client IP)
+
+    $Id$
+
+    Copyright (c) 2006, Jonathan De Graeve <jonathan.de.graeve@imelda.be>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions
+    are met:
+
+    1. Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    3. The names of the authors may not be used to endorse or promote products
+       derived from this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+    IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+    OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+    EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+    This code cannot simply be copied and put under the GNU Public License or
+    any other GPL-like (LGPL, GPL2) License.
+
+        This code is made possible thx to samples made by Michael Bretterklieber <michael@bretterklieber.com>
+        author of the PHP PECL Radius package
+
 */
 
-function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey,$clientip) {
-	global $debug, $nasHostname, $errstr;
-	$sharedsecret=$radiuskey ;
-	# $debug = 1 ;
-
-	exec("/bin/hostname", $nasHostname) ;
-	if(!$nasHostname[0])
-		$nasHostname[0] = "m0n0wall" ;
-
-	$errno = "";	
-	$fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
-	if(!$fd) 
-		return 1 ; /* error return */
-	
-	/* set 5 second timeout on socket i/o */
-	stream_set_timeout($fd, 5) ;
-
-	$nas_ip_address = get_nas_ip();
-
-	if(!isset($clientip)) {
-		//if there's no client ip, we'll need to use the NAS ip
-		$clientip=$nas_ip_address;
-	}
-	$ip_exp=explode(".",$clientip);
-
-	if ($debug)
-	    echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
-
-	$thisidentifier=rand()%256;
-
-	$length=4+				// header
-		16+				// auth code
-		6+				// service type
-		2+strlen($username)+		// username
-		2+strlen($nasHostname[0])+			// nasIdentifier
-		6+				// nasPort
-		6+				// nasPortType
-		6+				// Acct Status Type
-		6+				// Acct RADIUS Authenticated
-		2+strlen($sessionid)+	// Acct SessionID
-		6;				// Framed-IP-Address
-
-	//          v   v   v     v   v   v     v     v     v     1   v
-	// Line #   1   2   3     4   5   6     7     8     9     0   E
-	$data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCCCCC",
-	    4,$thisidentifier,$length/256,$length%256,		// header
-	    0,0,0,0,						// authcode
-	    6,6,0,0,0,1,					// service type
-	    1,2+strlen($username),$username,			// username
-	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
-	    5,6,0,0,0,0,						// nasPort
-	    61,6,0,0,0,15,						// nasPortType = Ethernet
-		40,6,0,0,0,1,						// Acct Status Type = Start
-		45,6,0,0,0,1,						// Acct RADIUS Authenticated
-		44,2+strlen($sessionid),$sessionid,	// Acct Session ID
-		8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]	//Framed-IP-Address
-	    );
-
-	/* Generate Accounting Request Authenticator */
-	$RA = md5($data.$radiuskey) ;
-
-	//          v   v v     v   v   v     v     v     v     1   v
-	// Line #   1   2 3     4   5   6     7     8     9     0   E
-	$data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCCCCC",
-	    4,$thisidentifier,$length/256,$length%256,		// header
-	    $RA,						// authcode
-	    6,6,0,0,0,1,					// service type
-	    1,2+strlen($username),$username,			// username
-	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
-	    5,6,0,0,0,0,						// nasPort
-	    61,6,0,0,0,15,						// nasPortType = Ethernet
-		40,6,0,0,0,1,						// Acct Status Type = Start
-		45,6,0,0,0,1,						// Acct RADIUS Authenticated
-		44,2+strlen($sessionid),$sessionid,	// Acct Session ID
-		8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]	//Framed-IP-Address
-	    );
-
-	if($debug) {
-		echo "username is $username with len " . strlen($username) ."\n" ;
-		echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
-	}	
-
-	$ret = fwrite($fd,$data) ;
-	if( !$ret || ($ret != $length) ) 
-		return 1; /* error return */
-
-	if ($debug)
-	    echo "<br>writing $length bytes<hr>\n";
-
-	$readdata = fgets($fd,2) ; /* read 1 byte */
-	$status = socket_get_status($fd) ;
-	fclose($fd) ;
-
-	if($status['timed_out'])
-		$retvalue = 1 ;
-	else
-		$retvalue = ord($readdata) ;
-
-	return $retvalue ;
-	// 5 -> Accounting-Response
-	// See RFC2866 for this.
+/*
+RADIUS ACCOUNTING START
+-----------------------
+*/
+
+function RADIUS_ACCOUNTING_START($ruleno,$username,$sessionid,$radiusip,$radiusport,$radiuskey,$clientip,$clientmac) {
+
+    global $config;
+
+    $retvalue = array();
+    $nas_mac = mac_format(get_interface_mac($config['interfaces']['wan']['if']));
+    $clientmac = mac_format($clientmac);
+    $nas_port = $ruleno - 10000;
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+
+    switch($radiusvendor) {
+
+        case 'cisco':
+        $calledstationid = $clientmac;
+        $callingstationid = $clientip;
+        break;
+
+        default:
+        $calledstationid = $nas_mac;
+        $callingstationid = $clientmac;
+    }
+
+    // Create our instance
+    $racct = new Auth_RADIUS_Acct_Start;
+
+    /* Different Authentication options
+     *
+     * Its possible todo other authentication methods but still do radius accounting
+     *
+     * RADIUS_AUTH_RADIUS => authenticated via Radius
+     * RADIUS_AUTH_LOCAL  => authenticated local
+     * RADIUS_AUTH_REMOTE => authenticated remote
+     *
+     */
+    $racct->authentic = RADIUS_AUTH_RADIUS;
+
+    // Construct data package
+    $racct->username = $username;
+    $racct->addServer($radiusip, $radiusport, $radiuskey);
+
+    if (PEAR::isError($racct->start())) {
+        $retvalue['acct_val'] = 1;
+        $retvalue['error'] = $racct->getMessage();
+        if ($debug)
+            printf("Radius start: %s<br>\n", $retvalue['error']);
+        // If we encounter an error immediately stop this function and go back
+        $racct->close();
+        return $retvalue;
+
+        /* Old code:
+         * $status = $racct->start();
+         * if(PEAR::isError($status)) {
+         *    if ($debug)
+         *        printf("Radius start: %s<br>\n", $status->getMessage());
+         *        exit;
+         * }
+         */
+    }
+
+    /*
+     * NAS_PORT_TYPE, int => RADIUS_ETHERNET (15), RADIUS_WIRELESS_OTHER (18), RADIUS_WIRELESS_IEEE_802_11 (19)
+     */
+
+    // Default attributes
+    $racct->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
+    $racct->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
+    $racct->putAttribute(RADIUS_NAS_PORT, $nas_port);
+    $racct->putAttribute(RADIUS_ACCT_SESSION_ID, $sessionid);
+
+    // Extra data to identify the client and nas
+    $racct->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, "addr");
+    $racct->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
+    $racct->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
+
+    // Send request
+    $result = $racct->send();
+
+    // Evaluation of the response
+    // 5 -> Accounting-Response
+    // See RFC2866 for this.
+    if (PEAR::isError($result)) {
+        $retvalue['acct_val'] = 1;
+        $retvalue['error'] = $result->getMessage();
+        if ($debug)
+            printf("Radius send failed: %s<br>\n", $retvalue['error']);
+    } else if ($result === true) {
+        $retvalue['acct_val'] = 5 ;
+        if ($debug)
+            printf("Radius Accounting succeeded<br>\n");
+    } else {
+        $retvalue['acct_val'] = 1 ;
+        if ($debug)
+            printf("Radius Accounting rejected<br>\n");
+    }
+
+    // close OO RADIUS_ACCOUNTING
+    $racct->close();
+
+    return $retvalue ;
+
 }
 
-function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip,$interimupdate=false) {
-	$sharedsecret=$radiuskey ;
-	global $debug, $errno, $ipfw, $errstr,$nasHostname;
-	$matches = "";
-	# $debug = 1 ;
-	exec("/bin/hostname", $nasHostname) ;
-	if(!$nasHostname[0])
-		$nasHostname[0] = "quewall" ;
-
-	$input_pkts = $input_bytes = $output_pkts = $output_bytes = 0 ;
-
-	exec("/sbin/ipfw show {$ruleno}", $ipfw) ;	
-	preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches) ;
-	$input_pkts = $matches[2] ;
-	$input_bytes = $matches[3] ;
-
-	unset($matches) ;
-	preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches) ;
-	$output_pkts = $matches[2] ;
-	$output_bytes = $matches[3] ;
-
-	$fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
-	if(!$fd) 
-		return 1 ; /* error return */
-	
-	/* set 5 second timeout on socket i/o */
-	stream_set_timeout($fd, 5) ;
-
-	$nas_ip_address = get_nas_ip();
-
-	if(!isset($clientip)) {
-		//if there's no client ip, we'll need to use the NAS ip
-		$clientip=$nas_ip_address;
-	}
-	$ip_exp=explode(".",$clientip);
-
-	if ($debug)
-	    echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
-
-	$thisidentifier=rand()%256;
-
-	$length=4+				// header
-		16+				// auth code
-		6+				// service type
-		2+strlen($username)+		// username
-		2+strlen($nasHostname[0])+			// nasIdentifier
-		6+				// nasPort
-		6+				// nasPortType
-		6+				// Acct Status Type
-		6+				// Acct RADIUS Authenticated
-		2+strlen($sessionid)+	// Acct SessionID
-		6+				// Acct terminate
-		6+				// Session time
-		6+				// input bytes
-		6+				// input packets
-		6+				// output bytes
-		6+				// output packets
-		2+strlen($nas_ip_address)+		//Called-Station-ID
-		2+strlen($clientip)+	//Calling-Station-ID
-
-		6;			//Framed-IP-Address
-
-	if ($interimupdate)
-		$acctstatustype = 3;
-	else
-		$acctstatustype = 2;
-
-	//          v   v   v     v   v   v     v     v     v     1   1  1  1  1  1  1  v
-	// Line #   1   2   3     4   5   6     7     8     9     0   1  2  3  4  5  6  E
-	$data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC",
-	    4,$thisidentifier,$length/256,$length%256,		// header
-	    0,0,0,0,						// authcode
-	    6,6,0,0,0,1,					// service type
-	    1,2+strlen($username),$username,			// username
-	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
-	    5,6,0,0,0,0,						// nasPort
-	    61,6,0,0,0,15,						// nasPortType = Ethernet
-		40,6,0,0,0,$acctstatustype,			// Acct Status Type
-		45,6,0,0,0,1,						// Acct RADIUS Authenticated
-		44,2+strlen($sessionid),$sessionid,	// Acct Session ID
-		49,6,1,		// Acct Terminate = User Request
-		46,6,time() - $start_time,			// Session Time
-		42,6,$input_bytes,	// Input Octets
-		47,6,$input_pkts,	// Input Packets
-		43,6,$output_bytes, // Output Octets
-		48,6,$output_pkts,	// Output Packets
-		30,2+strlen($nas_ip_address),$nas_ip_address,	//Called-Station-ID
-		31,2+strlen($clientip),$clientip,				//Calling-Station-ID
-
-		8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]	//Framed-IP-Address
-	    );
-
-	/* Generate Accounting Request Authenticator */
-	$RA = md5($data.$radiuskey) ;
-
-	//          v   v v     v   v   v     v     v     v     1   1  1  1  1  1  1  v
-	// Line #   1   2 3     4   5   6     7     8     9     0   1  2  3  4  5  6  E
-	$data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC",
-	    4,$thisidentifier,$length/256,$length%256,		// header
-	    $RA,						// authcode
-	    6,6,0,0,0,1,					// service type
-	    1,2+strlen($username),$username,			// username
-	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
-	    5,6,0,0,0,0,						// nasPort
-	    61,6,0,0,0,15,						// nasPortType = Ethernet
-		40,6,0,0,0,$acctstatustype,			// Acct Status Type
-		45,6,0,0,0,1,						// Acct RADIUS Authenticated
-		44,2+strlen($sessionid),$sessionid,	// Acct Session ID
-		49,6,1,		// Acct Terminate = User Request
-		46,6,time() - $start_time,			// Session Time
-		42,6,$input_bytes,	// Input Octets
-		47,6,$input_pkts,	// Input Packets
-		43,6,$output_bytes, // Output Octets
-		48,6,$output_pkts,	// Output Packets
-		30,2+strlen($nas_ip_address),$nas_ip_address,	//Called-Station-ID
-		31,2+strlen($clientip),$clientip,				//Calling-Station-ID
-
-		8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]	//Framed-IP-Address
-	    );
-
-	if($debug) {
-		echo "username is $username with len " . strlen($username) ."\n" ;
-		echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
-	}	
-
-	$ret = fwrite($fd,$data) ;
-	if( !$ret || ($ret != $length) ) 
-		return 1; /* error return */
-
-	if ($debug)
-	    echo "<br>writing $length bytes<hr>\n";
-
-	$readdata = fgets($fd,2) ; /* read 1 byte */
-	$status = socket_get_status($fd) ;
-	fclose($fd) ;
-
-	if($status['timed_out'])
-		$retvalue = 1 ;
-	else
-		$retvalue = ord($readdata) ;
-
-	return $retvalue ;
-	// 5 -> Accounting-Response
-	// See RFC2866 for this.
+/*
+RADIUS ACCOUNTING STOP/UPDATE
+-----------------------------
+*/
+
+function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip,$clientmac, $term_cause = 1, $interimupdate=false,$stop_time = null) {
+
+    global $config;
+
+    $retvalue = array();
+    $nas_mac = mac_format(get_interface_mac($config['interfaces']['wan']['if']));
+    $clientmac = mac_format($clientmac);
+    $nas_port = $ruleno - 10000;
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+    $stop_time = (empty($stop_time)) ? time() : $stop_time;
+    $session_time = $stop_time - $start_time;
+    $volume = getVolume($ruleno);
+    $volume['input_bytes_radius'] = remainder($volume['input_bytes']);
+    $volume['input_gigawords'] = gigawords($volume['input_bytes']);
+    $volume['output_bytes_radius'] = remainder($volume['output_bytes']);
+    $volume['output_gigawords'] = gigawords($volume['output_bytes']);
+
+    switch($radiusvendor) {
+
+        case 'cisco':
+        $calledstationid = $clientmac;
+        $callingstationid = $clientip;
+        break;
+
+        default:
+        $calledstationid = $nas_mac;
+        $callingstationid = $clientmac;
+    }
+
+    // Create our instance, see if we should use Accounting Interim Updates or Accounting STOP messages
+    if ($interimupdate)
+        $racct = new Auth_RADIUS_Acct_Update;
+    else
+        $racct = new Auth_RADIUS_Acct_Stop;
+
+    /*
+     * Currently disabled
+    Add support for more then one radiusserver.
+    At most 10 servers may be specified.
+    When multiple servers are given, they are tried in round-robin fashion until a valid response is received
+
+    foreach ($radiusservers as $radsrv) {
+
+        // Add a new server to our instance
+        $racct->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['key']);
+
+    }
+    */
+
+    // See RADIUS_ACCOUNTING_START for info
+    $racct->authentic = RADIUS_AUTH_RADIUS;
+
+    // Construct data package
+    $racct->username = $username;
+    $racct->addServer($radiusip, $radiusport, $radiuskey);
+    // Set session_time
+    $racct->session_time = $session_time;
+
+    if (PEAR::isError($racct->start())) {
+        $retvalue['acct_val'] = 1;
+        $retvalue['error'] = $racct->getMessage();
+        if ($debug)
+            printf("Radius start: %s<br>\n", $retvalue['error']);
+        // If we encounter an error immediately stop this function and go back
+        $racct->close();
+        return $retvalue;
+    }
+
+    // The RADIUS PECL Package doesn't have this vars so we create them ourself
+    define("RADIUS_ACCT_INPUT_GIGAWORDS", "52");
+    define("RADIUS_ACCT_OUTPUT_GIGAWORDS", "53");
+
+    // Default attributes
+    $racct->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
+    $racct->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
+    $racct->putAttribute(RADIUS_NAS_PORT, $nas_port);
+    $racct->putAttribute(RADIUS_ACCT_SESSION_ID, $sessionid);
+
+    // Extra data to identify the client and nas
+    $racct->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, "addr");
+    $racct->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
+    $racct->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
+
+    // Volume stuff: Ingress
+    $racct->putAttribute(RADIUS_ACCT_INPUT_PACKETS, $volume['input_pkts'], "integer");
+    $racct->putAttribute(RADIUS_ACCT_INPUT_OCTETS, $volume['input_bytes_radius'], "integer");
+    $racct->putAttribute(RADIUS_ACCT_INPUT_GIGAWORDS, $volume['input_gigawords'], "integer");
+    // Volume stuff: Outgress
+    $racct->putAttribute(RADIUS_ACCT_OUTPUT_PACKETS, $volume['output_pkts'], "integer");
+    $racct->putAttribute(RADIUS_ACCT_OUTPUT_OCTETS, $volume['output_bytes_radius'], "integer");
+    $racct->putAttribute(RADIUS_ACCT_OUTPUT_GIGAWORDS, $volume['output_gigawords'], "integer");
+
+    if (!$interimupdate)
+        $racct->putAttribute(RADIUS_ACCT_TERMINATE_CAUSE, $term_cause);
+
+    // Send request
+    $result = $racct->send();
+
+    // Evaluation of the response
+    // 5 -> Accounting-Response
+    // See RFC2866 for this.
+    if (PEAR::isError($result)) {
+        $retvalue['acct_val'] = 1;
+        $retvalue['error'] = $result->getMessage();
+        if ($debug)
+            printf("Radius send failed: %s<br>\n", $retvalue['error']);
+    } else if ($result === true) {
+        $retvalue['acct_val'] = 5 ;
+        if ($debug)
+            printf("Radius Accounting succeeded<br>\n");
+    } else {
+        $retvalue['acct_val'] = 1 ;
+        if ($debug)
+            printf("Radius Accounting rejected<br>\n");
+    }
+
+    // close OO RADIUS_ACCOUNTING
+    $racct->close();
+
+    return $retvalue;
+
 }
 
-function get_nas_ip() {
-	global $config;
-	
-	/* static WAN IP address */
-	return $config['interfaces']['wan']['ipaddr'];
+
+/**
+ * Radius Volume Helpers
+ *
+ */
+
+function gigawords($bytes) {
+
+
+    /*
+     * RFC2866 Specifies a 32bit unsigned integer, which is a max of 4294967295
+     * Currently there is a fault in the PECL radius_put_int function which can handle only 32bit signed integer.
+     */
+
+    // We use BCMath functions since normal integers don't work with so large numbers
+    $gigawords = bcdiv( bcsub( $bytes, remainder($bytes) ) , 4294967295) ;
+
+    // We need to manually set this to a zero instead of NULL for put_int() safety
+    if (is_null($gigawords)) {
+        $gigawords = 0;
+    }
+
+    return $gigawords;
+
+}
+
+function remainder($bytes) {
+
+    // Calculate the bytes we are going to send to the radius
+    $bytes = bcmod($bytes, 4294967295);
+
+    if (is_null($bytes)) {
+        $bytes = 0;
+    }
+
+
+    return $bytes;
+
 }
 
-?>
+?>
\ No newline at end of file
diff --git a/usr/local/captiveportal/radius_authentication.inc b/usr/local/captiveportal/radius_authentication.inc
index 7417029..f826c20 100644
--- a/usr/local/captiveportal/radius_authentication.inc
+++ b/usr/local/captiveportal/radius_authentication.inc
@@ -1,152 +1,160 @@
 <?php
-    //
-    // $Id$
-    //
-    // radius authentication v1.0 by Edwin Groothuis (edwin@mavetju.org)
-    //
-    // If you didn't get this file via http://www.mavetju.org, please
-    // check for the availability of newer versions.
-    //
-    // See LICENSE for distribution issues. If this file isn't in
-    // the distribution, please inform me about it.
-    //
-    // If you want to use this script, fill in the configuration in
-    // radius_authentication.conf and call the function
-    // RADIUS_AUTHENTICATION() with the username and password
-    // provided by the user. If it returns a 2, the authentication
-    // was successfull!
-
-    // If you want to use this, make sure that you have raw sockets
-    // enabled during compile-time: "./configure --enable-sockets".
-
-	// This version has been modified by Dinesh Nair <dinesh@alphaque.com>
-	// for use in the m0n0wall distribution http://m0n0.ch/wall/
-	//
-	// Changes include moving from raw sockets to fsockopen
-	// and the removal of dependency on external conf file
-	// An existing bug which resulted in a malformed RADIUS packet
-	// was also fixed and patches submitted to Edwin. This bug would
-	// have caused authentication to fail on every access.
-
-function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey) {
-	$sharedsecret=$radiuskey ;
-	global $debug, $errno, $nasHostname, $errstr;
-	# $debug = 1 ;
-
-	exec("/bin/hostname", $nasHostname) ;
-	if(!$nasHostname[0])
-		$nasHostname[0] = "m0n0wall" ;
-
-	$fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
-	if(!$fd) 
-		return 1 ; /* error return */
-	
-	/* set 5 second timeout on socket i/o */
-	stream_set_timeout($fd, 5) ;
-
-	if ($debug)
-	    echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
-
-	$RA=pack("CCCCCCCCCCCCCCCC",				// auth code
-	    1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
-	    1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
-	    1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
-	    1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255);
-
-	$encryptedpassword=Encrypt($password,$sharedsecret,$RA);
-
-	$length=4+				// header
-		16+				// auth code
-		6+				// service type
-		2+strlen($username)+		// username
-		2+strlen($encryptedpassword)+	// userpassword
-		2+strlen($nasHostname[0])+			// nasIdentifier
-		6+				// nasPort
-		6;				// nasPortType
-
-	$thisidentifier=rand()%256;
-	//          v   v v     v   v   v   v     v     v
-	// Line #   1   2 3     4   5   6   7     8     E
-	$data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC",
-	    1,$thisidentifier,$length/256,$length%256,		// header
-	    $RA,						// authcode
-	    6,6,0,0,0,1,					// service type
-	    1,2+strlen($username),$username,			// username
-	    2,2+strlen($encryptedpassword),$encryptedpassword,	// userpassword
-	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
-	    5,6,0,0,0,0,						// nasPort
-	    61,6,0,0,0,15						// nasPortType = Ethernet
-	    );
-
-	if($debug) {
-		echo "username is $username with len " . strlen($username) ."\n" ;
-		echo "encryptedpassword is $encryptedpassword with len " . strlen($encryptedpassword) ."\n" ;
-		echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
-	}	
-
-	$ret = fwrite($fd,$data) ;
-	if( !$ret || ($ret != $length) ) 
-		return 1; /* error return */
-
-	if ($debug)
-	    echo "<br>writing $length bytes<hr>\n";
-
-	$readdata = fgets($fd,2) ; /* read 1 byte */
-	$status = socket_get_status($fd) ;
-	fclose($fd) ;
-
-	if($status['timed_out'])
-		$retvalue = 1 ;
-	else
-		$retvalue = ord($readdata) ;
-
-	return $retvalue ;
-	// 2 -> Access-Accept
-	// 3 -> Access-Reject
-	// See RFC2865 for this.
-}
+/* vim: set expandtab tabstop=4 shiftwidth=4: */
 /*
-* $password = users password
-* $key = shared secret
-* $RA = Request Authenticator (random value it seems like)
+    $Id$
+
+    Copyright (c) 2006, Jonathan De Graeve <jonathan.de.graeve@imelda.be>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions
+    are met:
+
+    1. Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    3. The names of the authors may not be used to endorse or promote products
+       derived from this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+    IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+    OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+    EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+    This code cannot simply be copied and put under the GNU Public License or
+    any other GPL-like (LGPL, GPL2) License.
+
+        This code is made possible thx to samples made by Michael Bretterklieber <michael@bretterklieber.com>
+        author of the PHP PECL Radius package
+
 */
-function Encrypt($password,$key,$RA) {
-	global $debug;
-
-	if ($debug)
-		echo "<br>key: $key<br>password: $password<hr>\n";
-
-	$output="";
-	$passlen = strlen($password);
-	/* figure out the number of xor rounds we need to run through */
-	for ($i=16; $i <= 128; $i += 16) {
-		if ($len <= $i) {
-			$rounds = $i/16;
-			break;
-		}
-	}
-
-	$z = 0; // How many chars have we xor'd
-	for ($x=0; $x<=$rounds; $x++) {
-		$keyRA=$key.$RA;
-		$md5checksum=md5($keyRA);
-
-		// Loop 16 times (md5() output / 2)
-		for ($i=0;$i<=15;$i++) {
-			// Convert md5 hex output to decimal (md5 lengths are 32 chars)
-			if (2*$i>32) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2));
-			// get the decimal character value for this character in the password
-			if ($z>$passlen-1) $p=0; else $p=ord(substr($password,$z,1));
-			// xor the md5 character with the password character
-			$c=$m^$p;
-			// Convert back to 8-bit output
-			$output.=chr($c);
-			$z++;
-		}
-		$RA=$output;
-	}
-
-	return $output;
+
+/*
+RADIUS AUTHENTICATION
+---------------------
+*/
+
+function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$clientmac,$ruleno) {
+
+    global $config;
+
+    $retvalue = array();
+    $nas_mac = mac_format(get_interface_mac($config['interfaces']['wan']['if']));
+    $clientmac = mac_format($clientmac);
+    $nas_port = $ruleno - 10000;
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+    // Do we even need to set it to NULL?
+    $retvalue['error'] = $retvalue['reply_message'] = $retvalue['url_redirection'] = $retvalue['session_timeout'] = $retvalue['idle_timeout'] = $retvalue['session_terminate_time'] = null;
+
+    switch($radiusvendor) {
+
+        case 'cisco':
+        $calledstationid = $clientmac;
+        $callingstationid = $clientip;
+        break;
+
+        default:
+        $calledstationid = $nas_mac;
+        $callingstationid = $clientmac;
+    }
+
+    // Create our instance
+    $rauth = new Auth_RADIUS_PAP($username, $password);
+
+    /*
+    Add support for more then one radiusserver.
+    At most 10 servers may be specified.
+    When multiple servers are given, they are tried in round-robin fashion until a valid response is received
+    */
+
+    foreach ($radiusservers as $radsrv) {
+
+        // Add a new server to our instance
+        $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['key']);
+
+    }
+
+    // Construct data package
+    $rauth->username = $username;
+    $rauth->password = $password;
+
+    if (PEAR::isError($rauth->start())) {
+        $retvalue['auth_val'] = 1;
+        $retvalue['error'] = $rauth->getError();
+        if ($debug)
+            printf("Radius start: %s<br>\n", $retvalue['error']);
+        // If we encounter an error immediately stop this function and go back
+        $rauth->close();
+        return $retvalue;
+    }
+
+    // Default attributes
+    $rauth->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
+    $rauth->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
+    $rauth->putAttribute(RADIUS_NAS_PORT, $nas_port);
+
+    // Extra data to identify the client and nas
+    $rauth->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, addr);
+    $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
+    $rauth->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
+
+    // Send request
+    $result = $rauth->send();
+
+    // Evaluation of the response
+    // 1 -> Access-Request => We will use this value as an error indicator since we can't get a 1 back from the radius
+    // 2 -> Access-Accept
+    // 3 -> Access-Reject
+    // See RFC2865 for this.
+    if (PEAR::isError($result)) {
+        $retvalue['auth_val'] = 1;
+        $retvalue['error'] = $result->getMessage();
+        if ($debug)
+            printf("Radius send failed: %s<br>\n", $retvalue['error']);
+    } else if ($result === true) {
+        $retvalue['auth_val'] = 2;
+        if ($debug)
+            printf("Radius Auth succeeded<br>\n");
+    } else {
+        $retvalue['auth_val'] = 3;
+        if ($debug)
+            printf("Radius Auth rejected<br>\n");
+    }
+
+    // Get attributes, even if auth failed.
+    // We will push the results in the retvalue array
+    if (!$rauth->getAttributes()) {
+        $retvalue['error'] = $rauth->getError();
+        if ($debug)
+            printf("Radius getAttributes: No attributes<br>\n", $retvalue['error']);
+    } else {
+        $retvalue = array_merge($retvalue,$rauth->listAttributes());
+        if ($debug) {
+            if (!$rauth->listAttributes())
+                printf("No Attributes<br>\n");
+            else
+            print_r($rauth->listAttributes());
+        }
+        // We convert the session_terminate_time to unixtimestamp if its set before returning the whole array to our caller
+        if (!empty($retvalue['session_terminate_time'])) {
+        $stt = &$retvalue['session_terminate_time'];
+        $stt = strtotime(preg_replace("/\+(\d+):(\d+)$/", " +\${1}\${2}", preg_replace("/(\d+)T(\d+)/", "\${1} \${2}",$stt)));
+         }
+    }
+
+    // close OO RADIUS_AUTHENTICATION
+    $rauth->close();
+
+    return $retvalue;
+
 }
 
-?>
+?>
\ No newline at end of file
diff --git a/usr/local/etc/php.ini b/usr/local/etc/php.ini
index 5ed6686..91802b5 100644
--- a/usr/local/etc/php.ini
+++ b/usr/local/etc/php.ini
@@ -13,4 +13,5 @@ include_path = ".:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pk
 apc.enabled="1"
 apc.enable_cli="1"
 apc.shm_size="30"
-extension=apc.so
\ No newline at end of file
+extension=apc.so
+extension=radius.so
diff --git a/usr/local/lib/php.ini b/usr/local/lib/php.ini
index 3068a86..95a507d 100644
--- a/usr/local/lib/php.ini
+++ b/usr/local/lib/php.ini
@@ -14,3 +14,4 @@ apc.enabled="1"
 apc.enable_cli="1"
 apc.shm_size="30"
 extension=apc.so
+extension=radius.so
\ No newline at end of file
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php
index 05d6ebb..5ab3d75 100755
--- a/usr/local/www/services_captiveportal.php
+++ b/usr/local/www/services_captiveportal.php
@@ -211,8 +211,8 @@ function enable_change(enable_change) {
 	document.iform.radiusport2.disabled = radius_endis;
 	document.iform.radiuskey.disabled = radius_endis;
 	document.iform.radiuskey2.disabled = radius_endis;
-	//document.iform.radacct_enable.disabled = radius_endis;
-	//document.iform.reauthenticate.disabled = radius_endis;
+	document.iform.radacct_enable.disabled = radius_endis;
+	document.iform.reauthenticate.disabled = radius_endis;
 	document.iform.auth_method[0].disabled = endis;
 	document.iform.auth_method[1].disabled = endis;
 	document.iform.auth_method[2].disabled = endis;
@@ -229,14 +229,14 @@ function enable_change(enable_change) {
 	document.iform.htmlfile.disabled = endis;
 	document.iform.errfile.disabled = endis;
 
-	//document.iform.radiusacctport.disabled = (radius_endis || !document.iform.radacct_enable.checked) && !enable_change;
+	document.iform.radiusacctport.disabled = (radius_endis || !document.iform.radacct_enable.checked) && !enable_change;
 
-	document.iform.radmac_secret.disabled = (radius_endis || !document.iform.radmac_enable.checked) && !enable_change;
+	document.iform.radmac_secret.disabled = (radius_endis || !document.iform.radmac_enable.checked) && !enable_change;
 
 	var reauthenticate_dis = (radius_endis || !document.iform.reauthenticate.checked) && !enable_change;
-	//document.iform.reauthenticateacct[0].disabled = reauthenticate_dis;
-	//document.iform.reauthenticateacct[1].disabled = reauthenticate_dis;
-	//document.iform.reauthenticateacct[2].disabled = reauthenticate_dis;
+	document.iform.reauthenticateacct[0].disabled = reauthenticate_dis;
+	document.iform.reauthenticateacct[1].disabled = reauthenticate_dis;
+	document.iform.reauthenticateacct[2].disabled = reauthenticate_dis;
 }
 //-->
 </script>
@@ -387,7 +387,44 @@ to access after they've authenticated.</td>
 			<tr>
 			  <td colspan="2" class="list" height="12"></td>
 			</tr>
-
+			<tr>
+				<td colspan="2" valign="top" class="optsect_t2">Accounting</td>
+			</tr>
+			<tr>
+				<td class="vncell">&nbsp;</td>
+				<td class="vtable"><input name="radacct_enable" type="checkbox" id="radacct_enable" value="yes" onClick="enable_change(false)" <?php if($pconfig['radacct_enable']) echo "checked"; ?>>
+				<strong>send RADIUS accounting packets</strong><br>
+				If this is enabled, RADIUS accounting packets will be sent to the primary RADIUS server.</td>
+			</tr>
+			<tr>
+			  <td class="vncell" valign="top">Accounting port</td>
+			  <td class="vtable"><input name="radiusacctport" type="text" class="formfld" id="radiusacctport" size="5" value="<?=htmlspecialchars($pconfig['radiusacctport']);?>"><br>
+			  Leave blank to use the default port (1813).</td>
+			  </tr>
+			<tr>
+			  <td colspan="2" class="list" height="12"></td>
+			</tr>
+			<tr>
+				<td colspan="2" valign="top" class="optsect_t2">Reauthentication</td>
+			</tr>
+			<tr>
+				<td class="vncell">&nbsp;</td>
+				<td class="vtable"><input name="reauthenticate" type="checkbox" id="reauthenticate" value="yes" onClick="enable_change(false)" <?php if($pconfig['reauthenticate']) echo "checked"; ?>>
+			  <strong>Reauthenticate connected users every minute</strong><br>
+			  If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is
+			  logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.</td>
+			</tr>
+			<tr>
+			  <td class="vncell" valign="top">Accounting updates</td>
+			  <td class="vtable">
+			  <input name="reauthenticateacct" type="radio" value="" <?php if(!$pconfig['reauthenticateacct']) echo "checked"; ?>> no accounting updates<br>
+			  <input name="reauthenticateacct" type="radio" value="stopstart" <?php if($pconfig['reauthenticateacct'] == "stopstart") echo "checked"; ?>> stop/start accounting<br>
+			  <input name="reauthenticateacct" type="radio" value="interimupdate" <?php if($pconfig['reauthenticateacct'] == "interimupdate") echo "checked"; ?>> interim update
+			  </td>
+			</tr>
+			<tr>
+			  <td colspan="2" class="list" height="12"></td>
+			</tr>
 			<tr>
 				<td colspan="2" valign="top" class="optsect_t2">RADIUS MAC authentication</td>
 			</tr>