-rwxr-xr-x | usr/local/captiveportal/index.php | 30 | ||||
-rw-r--r-- | usr/local/captiveportal/radius_accounting.inc | 43 | ||||
-rw-r--r-- | usr/local/captiveportal/radius_authentication.inc | 4 |
3 files changed, 58 insertions, 19 deletions
diff --git a/usr/local/captiveportal/index.php b/usr/local/captiveportal/index.php index 497e506..dcff86f 100755 --- a/usr/local/captiveportal/index.php +++ b/usr/local/captiveportal/index.php @@ -44,6 +44,7 @@ $orig_host = $_ENV['HTTP_HOST']; $orig_request = $_ENV['CAPTIVE_REQPATH']; $lockfile = "{$g['varrun_path']}/captiveportal.lock"; $clientip = $_ENV['REMOTE_ADDR']; +$portalip = $_ENV['SERVER_ADDR']; if (!$clientip) { /* not good - bail out */ @@ -57,6 +58,10 @@ if (!$clientmac && !isset($config['captiveportal']['nomacfilter'])) { exit; } +/* find MAC address for portal */ +$iflist = get_interface_list(); +$portalmac = $iflist[ $config['interfaces'][$config['captiveportal']['interface']]['if'] ]['mac']; + if ($clientmac && portal_mac_fixed($clientmac)) { /* punch hole in ipfw for pass thru mac addresses */ portal_allow($clientip, $clientmac, "unauthenticated"); @@ -66,9 +71,16 @@ if ($clientmac && portal_mac_fixed($clientmac)) { /* authenticate against radius server */ $radiusservers = captiveportal_get_radius_servers(); + /* determine port type */ + $port_type = 15; // default to ethernet + if ($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless']) { + $port_type = 19; // wireless + } + if ($_POST['auth_user'] && $_POST['auth_pass']) { $auth_val = RADIUS_AUTHENTICATION($_POST['auth_user'], $_POST['auth_pass'], + $port_type, $radiusservers[0]['ipaddr'], $radiusservers[0]['port'], $radiusservers[0]['key']); @@ -77,6 +89,10 @@ if ($clientmac && portal_mac_fixed($clientmac)) { if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { $auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'], $sessionid, + $port_type, + $clientmac, + $clientip, + $portalmac, $radiusservers[0]['ipaddr'], $radiusservers[0]['acctport'], $radiusservers[0]['key']); 
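Review bot: The `$portalmac` lookup added after the MAC-filter check reads `$iflist[...]['mac']` without confirming that `get_interface_list()` returned an entry for the captive portal interface. What that function returns is not visible here, but a missing entry would leave `$portalmac` empty, and that value is later sent as Called-Station-Id. The lookup also runs on every portal request, although the visible hunks only use it when `radacct_enable` is set. I would move it into the accounting branch and guard it with `$portalmac = isset($iflist[$cpif]['mac']) ? $iflist[$cpif]['mac'] : "";`, where `$cpif` holds the interface name, and skip or log the accounting call when the result is empty.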
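Review bot: The port-type test is written two different ways: this hunk and the one in disconnect_client() use a truthiness test on `['wireless']`, while the one in portal_allow() uses `isset(...)`. The two forms disagree when the key exists but is empty, so one session could be reported as Ethernet (15) in the Access-Request and Accounting-Start and as wireless (19) in the Accounting-Stop sent from portal_allow(). The truthiness form may also raise an undefined-index notice when the key is absent. Which form matches the config schema cannot be confirmed from the diff, but all three sites should use the same one, for example `if (isset($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless'])) {`, ideally in a single helper that all three call.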
@@ -203,10 +219,16 @@ function portal_allow($clientip,$clientmac,$clientuser) { for ($i = 0; $i < count($cpdb); $i++) { if(!strcasecmp($cpdb[$i][2],$clientip)) { if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { + $port_type = 15; // default to ethernet + if (isset($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless'])) { + $port_type = 19; // wireless + } + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno $cpdb[$i][4], // username $cpdb[$i][5], // sessionid $cpdb[$i][0], // start time + $port_type, $radiusservers[0]['ipaddr'], $radiusservers[0]['acctport'], $radiusservers[0]['key']); @@ -379,10 +401,18 @@ function disconnect_client($sessionid) { if ($cpdb[$i][5] == $sessionid) { /* this client needs to be deleted - remove ipfw rules */ if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { + + /* determine port type */ + $port_type = 15; // default to ethernet + if ($config['interfaces'][ $config['captiveportal']['interface'] ]['wireless']) { + $port_type = 19; // wireless + } + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno $cpdb[$i][4], // username $cpdb[$i][5], // sessionid $cpdb[$i][0], // start time + $port_type, $radiusservers[0]['ipaddr'], $radiusservers[0]['acctport'], $radiusservers[0]['key']); diff --git a/usr/local/captiveportal/radius_accounting.inc b/usr/local/captiveportal/radius_accounting.inc index 7004971..398af92 100644 --- a/usr/local/captiveportal/radius_accounting.inc +++ b/usr/local/captiveportal/radius_accounting.inc @@ -29,7 +29,7 @@ */ -function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey) { +function RADIUS_ACCOUNTING_START($username,$sessionid,$port_type,$stationid,$ipaddr,$portalmac,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; 
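Review bot: The new parameters of RADIUS_ACCOUNTING_START are inserted before `$radiusip` rather than appended, and the same is done for RADIUS_ACCOUNTING_STOP and RADIUS_AUTHENTICATION in the later hunks. Any caller still using the old argument order would have every argument shift position and would likely leave `$radiuskey` unset, so requests would be built with the wrong server and an empty shared secret instead of failing loudly. Only the call sites in index.php are visible in this commit, so it is worth confirming there are no others. Appending with a default keeps old callers working, e.g. `function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey,$port_type = 15) {`.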
@@ -58,45 +58,54 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad 6+ // nasPortType 6+ // Acct Status Type 6+ // Acct RADIUS Authenticated - 2+strlen($sessionid); // Acct SessionID + 2+strlen($sessionid)+ // Acct SessionID + 2+strlen($stationid)+ // Calling-Station-Id + 2+strlen($portalmac)+ // Called-Station-Id + 6; // Framed-IP-Address - // v v v v v v v v v 1 v - // Line # 1 2 3 4 5 6 7 8 9 0 E - $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*", + // v v v v v v v v v 1 1 1 v + // Line # 1 2 3 4 5 6 7 8 9 0 1 2 E + $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCN", 4,$thisidentifier,$length/256,$length%256, // header 0,0,0,0, // authcode 6,6,0,0,0,1, // service type 1,2+strlen($username),$username, // username 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort - 61,6,0,0,0,15, // nasPortType = Ethernet + 61,6,0,0,0,$port_type, // nasPortType 40,6,0,0,0,1, // Acct Status Type = Start 45,6,0,0,0,1, // Acct RADIUS Authenticated - 44,2+strlen($sessionid),$sessionid // Acct Session ID + 44,2+strlen($sessionid),$sessionid, // Acct Session ID + 31,2+strlen($stationid),$stationid, // Calling Station + 30,2+strlen($portalmac),$portalmac, // Called Station + 8,6,ip2long($ipaddr) // Framed-IP-Address ); /* Generate Accounting Request Authenticator */ $RA = md5($data.$radiuskey) ; - // v v v v v v v v v 1 v - // Line # 1 2 3 4 5 6 7 8 9 0 E - $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*", + // v v v v v v v v v 1 1 1 v + // Line # 1 2 3 4 5 6 7 8 9 0 1 2 E + $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCN", 4,$thisidentifier,$length/256,$length%256, // header $RA, // authcode 6,6,0,0,0,1, // service type 1,2+strlen($username),$username, // username 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort - 61,6,0,0,0,15, // nasPortType = Ethernet + 61,6,0,0,0,$port_type, // nasPortType 
40,6,0,0,0,1, // Acct Status Type = Start 45,6,0,0,0,1, // Acct RADIUS Authenticated - 44,2+strlen($sessionid),$sessionid // Acct Session ID + 44,2+strlen($sessionid),$sessionid, // Acct Session ID + 31,2+strlen($stationid),$stationid, // Calling Station + 30,2+strlen($portalmac),$portalmac, // Called Station + 8,6,ip2long($ipaddr) // Framed-IP-Address ); if($debug) { echo "username is $username with len " . strlen($username) ."\n" ; echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ; - } + } $ret = fwrite($fd,$data) ; if( !$ret || ($ret != $length) ) @@ -119,13 +128,13 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad // See RFC2866 for this. } -function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey) { +function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$port_type,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; exec("/bin/hostname", $nasHostname) ; if(!$nasHostname[0]) - $nasHostname[0] = "quewall" ; + $nasHostname[0] = "m0n0wall" ; $input_pkts = $input_bytes = $output_pkts = $output_bytes = 0 ; @@ -177,7 +186,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 1,2+strlen($username),$username, // username 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort - 61,6,0,0,0,15, // nasPortType = Ethernet + 61,6,0,0,0,$port_type, // nasPortType 40,6,0,0,0,2, // Acct Status Type = Stop 45,6,0,0,0,1, // Acct RADIUS Authenticated 44,2+strlen($sessionid),$sessionid, // Acct Session ID 
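Review bot: The new Calling-Station-Id (31) and Called-Station-Id (30) attributes are packed even when `$stationid` or `$portalmac` is empty, which produces a two-byte attribute with no value. RFC 2865 requires a length of at least 3 for both, so a strict RADIUS server may discard the whole Accounting-Request. `$stationid` can be empty because index.php lets a client without a MAC continue when `nomacfilter` is set, as the context lines of the second index.php hunk show. `ip2long($ipaddr)` is also packed unchecked, so a failed conversion (`false`, or -1 on older PHP) would be sent as a bogus Framed-IP-Address. Before `$length` is computed I would add a check such as `if ($stationid == "" || $portalmac == "" || ip2long($ipaddr) === false)` and either omit those attributes or abort; the function's error convention lies outside this hunk, so the right choice cannot be decided from here.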
@@ -201,7 +210,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 1,2+strlen($username),$username, // username 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort - 61,6,0,0,0,15, // nasPortType = Ethernet + 61,6,0,0,0,$port_type, // nasPortType 40,6,0,0,0,2, // Acct Status Type = Stop 45,6,0,0,0,1, // Acct RADIUS Authenticated 44,2+strlen($sessionid),$sessionid, // Acct Session ID diff --git a/usr/local/captiveportal/radius_authentication.inc b/usr/local/captiveportal/radius_authentication.inc index c106da3..10a2009 100644 --- a/usr/local/captiveportal/radius_authentication.inc +++ b/usr/local/captiveportal/radius_authentication.inc @@ -28,7 +28,7 @@ // was also fixed and patches submitted to Edwin. This bug would // have caused authentication to fail on every access. -function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey) { +function RADIUS_AUTHENTICATION($username,$password,$port_type,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; @@ -74,7 +74,7 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radius 2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort - 61,6,0,0,0,15 // nasPortType = Ethernet + 61,6,0,0,0,$port_type // nasPortType ); if($debug) { |