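/**
 * Send a RADIUS Disconnect-Request (Packet of Disconnect) for one session.
 *
 * The NAS address, login and session id are read from $session[0]. The reply
 * code, and any Error-Cause attribute in the reply, is translated into a
 * short status line.
 *
 * @param array $session Session rows; only $session[0] is used and it must
 *                       provide the keys 'nas', 'login' and 'id'.
 * @return string "CoA-ACK\n", "CoA-NAK\n", an Error-Cause description, or
 *                "Unsupported reply\n" when the reply is neither an ACK nor a NAK
 *                (this includes a failed or timed-out request).
 */
private function _sendPOD($session)
{
    $nas = $session[0]['nas'];
    $username = $session[0]['login'];
    // Stored ids carry a "sid_" prefix; the prefix is stripped before sending.
    $session_id = str_replace('sid_', '', $session[0]['id']);
    $radport = 3799;
    // NOTE(review): the shared secret is hard-coded, so everyone who can read
    // this source knows it and every NAS shares the same value. Load it from
    // configuration kept out of version control, ideally one secret per NAS.
    $sharedsecret = 'brascoa';

    $res = radius_acct_open();
    radius_add_server($res, $nas, $radport, $sharedsecret, 3, 1);
    radius_create_request($res, RADIUS_DISCONNECT_REQUEST);
    // radius_put_string($res, RADIUS_NAS_IP_ADDRESS, 0);
    radius_put_string($res, RADIUS_USER_NAME, $username);
    radius_put_string($res, RADIUS_ACCT_SESSION_ID, $session_id);

    $reply = radius_send_request($res);
    switch ($reply) {
        case RADIUS_COA_ACK:
        case RADIUS_DISCONNECT_ACK:
            $result = "CoA-ACK\n";
            break;
        case RADIUS_COA_NAK:
        case RADIUS_DISCONNECT_NAK:
            $result = "CoA-NAK\n";
            break;
        default:
            // Release the handle on this path too; it used to leak here.
            radius_close($res);
            return "Unsupported reply\n";
    }

    while ($resa = radius_get_attr($res)) {
        if (!is_array($resa)) {
            // Attribute parsing failed; keep the status derived from the reply code.
            break;
        }
        // Only Error-Cause (attribute type 101, RFC 5176) carries the codes
        // decoded below. Other reply attributes must not overwrite the status,
        // otherwise an ACK that carries any attribute is reported as an error.
        if ($resa['attr'] != 101) {
            continue;
        }
        $value = radius_cvt_int($resa['data']);
        switch ($value) {
            case 401:
                $result = "Unsupported Attribute\n";
                break;
            case 402:
                $result = "Missing Attribute\n";
                break;
            case 403:
                $result = "NAS Identification mismatch [{$nas}]\n";
                break;
            case 404:
                $result = "Invalid Request\n";
                break;
            case 503:
                $result = "Session context not found\n";
                break;
            case 506:
                $result = "Resources unavailable\n";
                break;
            default:
                $result = "Unsupported Error-Cause\n";
        }
    }

    radius_close($res);
    return $result;
}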
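/**
 * Read every attribute of the last RADIUS reply into $r_obj.
 *
 * Each attribute is appended to $r_obj->rawAttributes as an array with the
 * keys "attr" and "data". A vendor-specific attribute whose vendor is
 * RADIUS_SER_VENDOR and whose type is RADIUS_SER_UID is also stored in
 * $r_obj->attributes['ser-attrs']['uid'].
 *
 * @param object $r_obj Object holding the radius handle in ->res; it receives
 *                      ->rawAttributes and ->attributes.
 * @return bool true when all attributes were read, false when
 *              radius_get_attr() reported an error.
 */
function radiusAuthGetAttributes(&$r_obj)
{
    while ($attrib = radius_get_attr($r_obj->res)) {
        if (!is_array($attrib)) {
            return false;
        }

        $attr = $attrib['attr'];
        $data = $attrib['data'];
        $r_obj->rawAttributes[] = array("attr" => $attr, "data" => $data);

        if ($attr != RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $vavp = radius_get_vendor_attr($data);
        if (!is_array($vavp)) {
            // Malformed vendor-specific payload: radius_get_vendor_attr() did not
            // return an array, so there is no vendor id or type to compare.
            // Skip it instead of indexing into a non-array.
            continue;
        }

        if ($vavp['vendor'] == RADIUS_SER_VENDOR && $vavp['attr'] == RADIUS_SER_UID) {
            $r_obj->attributes['ser-attrs']['uid'] = $vavp['data'];
        }
    }

    return true;
}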
if (!radius_add_server($radius, $config->getValue('auth.radius.hostname'), $config->getValue('auth.radius.port'), $config->getValue('auth.radius.secret'), 5, 3)) { SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when connecting to Radius server: ' . radius_strerror($radius)); throw new Exception('Problem occurred when connecting to Radius server: ' . radius_strerror($radius)); } if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) { SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when creating the Radius request: ' . radius_strerror($radius)); throw new Exception('Problem occurred when creating the Radius request: ' . radius_strerror($radius)); } radius_put_attr($radius, RADIUS_USER_NAME, $_POST['username']); radius_put_attr($radius, RADIUS_USER_PASSWORD, $_POST['password']); switch (radius_send_request($radius)) { case RADIUS_ACCESS_ACCEPT: // GOOD Login :) $attributes = array($config->getValue('auth.radius.URNForUsername') => array($_POST['username'])); // get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA while ($resa = radius_get_attr($radius)) { if (!is_array($resa)) { printf("Error getting attribute: %s\n", radius_strerror($res)); exit; } if ($resa['attr'] == RADIUS_VENDOR_SPECIFIC) { $resv = radius_get_vendor_attr($resa['data']); if (is_array($resv)) { $vendor = $resv['vendor']; $attrv = $resv['attr']; $datav = $resv['data']; /** * Uncomment this to debug vendor attributes. */ // printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav)); if ($vendor == $config->getValue('auth.radius.vendor') && $attrv == $config->getValue('auth.radius.vendor-attr')) {
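/**
 * Attempt to log in using the given username and password.
 *
 * Sends an Access-Request carrying User-Name (suffixed with "@realm" when a
 * realm is configured) and User-Password to the configured servers. On
 * Access-Accept it builds the attribute array from the configured username
 * attribute, the User-Name returned by the server and, when a vendor is
 * configured, the matching vendor-specific attributes in "name=value" form.
 *
 * @param string $username  The username the user wrote.
 * @param string $password  The password the user wrote.
 * @return array  Associative array with the user's attributes; each value is a list.
 * @throws SimpleSAML_Error_Error  With code WRONGUSERPASS on Access-Reject.
 * @throws Exception  When no server can be added, the request cannot be built,
 *                    a challenge is requested, or attributes cannot be read.
 */
protected function login($username, $password)
{
    // Expression asserts: the string form is never evaluated as code on PHP 8.
    assert(is_string($username));
    assert(is_string($password));

    $radius = radius_auth_open();

    /* Try to add all radius servers, trigger a failure if no one works. */
    $success = false;
    foreach ($this->servers as $server) {
        if (!isset($server['port'])) {
            $server['port'] = 1812;
        }
        if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], $this->timeout, $this->retries)) {
            SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
            continue;
        }
        $success = true;
    }
    if (!$success) {
        throw new Exception('Error adding radius servers, no servers available');
    }

    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        throw new Exception('Error creating radius request: ' . radius_strerror($radius));
    }

    if ($this->realm === null) {
        radius_put_attr($radius, RADIUS_USER_NAME, $username);
    } else {
        radius_put_attr($radius, RADIUS_USER_NAME, $username . '@' . $this->realm);
    }
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);

    if ($this->nasIdentifier !== null) {
        radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
    }

    $res = radius_send_request($radius);
    if ($res != RADIUS_ACCESS_ACCEPT) {
        switch ($res) {
            case RADIUS_ACCESS_REJECT:
                /* Invalid username or password. */
                throw new SimpleSAML_Error_Error('WRONGUSERPASS');
            case RADIUS_ACCESS_CHALLENGE:
                throw new Exception('Radius authentication error: Challenge requested, but not supported.');
            default:
                throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
        }
    }

    /* If we get this far, we have a valid login. */
    $attributes = array();

    if ($this->usernameAttribute !== null) {
        $attributes[$this->usernameAttribute] = array($username);
    }

    if ($this->vendor === null) {
        /*
         * We aren't interested in any vendor-specific attributes. We are
         * therefore done now.
         */
        return $attributes;
    }

    /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
    while ($resa = radius_get_attr($radius)) {
        if (!is_array($resa)) {
            throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
        }

        /* Use the received user name */
        if ($resa['attr'] == RADIUS_USER_NAME) {
            // Without a configured username attribute there is no key to store
            // it under; indexing with null would create an attribute named "".
            if ($this->usernameAttribute !== null) {
                $attributes[$this->usernameAttribute] = array($resa['data']);
            }
            continue;
        }

        if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $resv = radius_get_vendor_attr($resa['data']);
        if (!is_array($resv)) {
            throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
        }

        $vendor = $resv['vendor'];
        $attrv = $resv['attr'];
        $datav = $resv['data'];

        if ($vendor != $this->vendor || $attrv != $this->vendorType) {
            continue;
        }

        // Split on the first '=' only. strtok() cut the value at the next '=',
        // which dropped base64 padding and anything after an embedded '='.
        $pair = explode('=', $datav, 2);
        if (count($pair) !== 2) {
            // No '=' at all: there is no value to store. The old code stored
            // boolean false as the value here.
            continue;
        }
        list($attrib_name, $attrib_value) = $pair;

        /* if the attribute name is already in result set, add another value */
        if (array_key_exists($attrib_name, $attributes)) {
            $attributes[$attrib_name][] = $attrib_value;
        } else {
            $attributes[$attrib_name] = array($attrib_value);
        }
    }
    /* end of contribution */

    return $attributes;
}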
/**
 * Read every attribute of the reply that followed the last request.
 *
 * Recognised attributes are converted and stored in $this->attributes.
 * Every attribute, recognised or not, is also kept unconverted in
 * $this->rawAttributes (keyed by attribute type) or, for vendor-specific
 * attributes, in $this->rawVendorAttributes (keyed by vendor, then type).
 * NOTE: call this even when the request was rejected, because the server
 * usually returns an error message.
 *
 * The MPPE entries hold demangled key material; treat $this->attributes as
 * sensitive and keep it out of logs and debug output.
 *
 * @access public
 * @return bool true on success, false on error
 */
function getAttributes()
{
    // Standard attributes: type => array(key in $this->attributes, converter).
    $standard = array(
        RADIUS_FRAMED_IP_ADDRESS  => array('framed_ip', 'radius_cvt_addr'),
        RADIUS_FRAMED_IP_NETMASK  => array('framed_mask', 'radius_cvt_addr'),
        RADIUS_FRAMED_MTU         => array('framed_mtu', 'radius_cvt_int'),
        RADIUS_FRAMED_COMPRESSION => array('framed_compression', 'radius_cvt_int'),
        RADIUS_SESSION_TIMEOUT    => array('session_timeout', 'radius_cvt_int'),
        RADIUS_IDLE_TIMEOUT       => array('idle_timeout', 'radius_cvt_int'),
        RADIUS_SERVICE_TYPE       => array('service_type', 'radius_cvt_int'),
        RADIUS_CLASS              => array('class', 'radius_cvt_string'),
        RADIUS_FRAMED_PROTOCOL    => array('framed_protocol', 'radius_cvt_int'),
        RADIUS_FRAMED_ROUTING     => array('framed_routing', 'radius_cvt_int'),
        RADIUS_FILTER_ID          => array('filter_id', 'radius_cvt_string'),
        RADIUS_REPLY_MESSAGE      => array('reply_message', 'radius_cvt_string'),
    );

    // Microsoft vendor attributes that need only a plain conversion.
    $microsoft = array(
        RADIUS_MICROSOFT_MS_CHAP2_SUCCESS          => array('ms_chap2_success', 'radius_cvt_string'),
        RADIUS_MICROSOFT_MS_CHAP_DOMAIN            => array('ms_chap_domain', 'radius_cvt_string'),
        RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY => array('ms_mppe_encryption_policy', 'radius_cvt_int'),
        RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES  => array('ms_mppe_encryption_types', 'radius_cvt_int'),
        RADIUS_MICROSOFT_MS_PRIMARY_DNS_SERVER     => array('ms_primary_dns_server', 'radius_cvt_string'),
    );

    while ($item = radius_get_attr($this->res)) {
        if (!is_array($item)) {
            return false;
        }

        $type = $item['attr'];
        $payload = $item['data'];
        $this->rawAttributes[$type] = $payload;

        if (isset($standard[$type])) {
            $key = $standard[$type][0];
            $convert = $standard[$type][1];
            $this->attributes[$key] = $convert($payload);
            continue;
        }

        if ($type != RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $vsa = radius_get_vendor_attr($payload);
        if (!is_array($vsa)) {
            return false;
        }

        $vendorId = $vsa['vendor'];
        $vendorType = $vsa['attr'];
        $vendorData = $vsa['data'];
        $this->rawVendorAttributes[$vendorId][$vendorType] = $vendorData;

        if ($vendorId != RADIUS_VENDOR_MICROSOFT) {
            continue;
        }

        if (isset($microsoft[$vendorType])) {
            $key = $microsoft[$vendorType][0];
            $convert = $microsoft[$vendorType][1];
            $this->attributes[$key] = $convert($vendorData);
        } elseif ($vendorType == RADIUS_MICROSOFT_MS_CHAP_ERROR) {
            // The first byte is dropped before the string conversion.
            $this->attributes['ms_chap_error'] = radius_cvt_string(substr($vendorData, 1));
        } elseif ($vendorType == RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS) {
            // Demangled blob: the first 8 bytes are the LM key, followed by
            // RADIUS_MPPE_KEY_LEN bytes of NT key.
            $plain = radius_demangle($this->res, $vendorData);
            $this->attributes['ms_chap_mppe_lm_key'] = substr($plain, 0, 8);
            $this->attributes['ms_chap_mppe_nt_key'] = substr($plain, 8, RADIUS_MPPE_KEY_LEN);
        } elseif ($vendorType == RADIUS_MICROSOFT_MS_MPPE_SEND_KEY) {
            $this->attributes['ms_chap_mppe_send_key'] = radius_demangle_mppe_key($this->res, $vendorData);
        } elseif ($vendorType == RADIUS_MICROSOFT_MS_MPPE_RECV_KEY) {
            $this->attributes['ms_chap_mppe_recv_key'] = radius_demangle_mppe_key($this->res, $vendorData);
        }
    }

    return true;
}
/**
 * Validate login credentials against the RADIUS server.
 *
 * Builds an Access-Request on $this->connection, attaches User-Name and
 * User-Password and maps the outcome to an AUTH_xxxx result code.
 *
 * NOTE(review): part of this listing is redacted in the source (the '******'
 * run below). The statements that send the request and open the switch on the
 * reply code are not visible, so this block cannot be checked end to end.
 *
 * @param string $uname - The user name requesting access
 * @param string $pass - Password to use (usually plain text)
 * @param array &$newvals - array passed by reference, intended to receive other data read
 *                          from the server; the visible code never writes to it
 * @param boolean $connect_only - TRUE to simply connect to the server
 *
 * @return integer result (AUTH_xxxx): AUTH_NOCONNECT, AUTH_BADPASSWORD, AUTH_NOUSER or
 *                 AUTH_SUCCESS in the visible code
 */
function login($uname, $pass, &$newvals, $connect_only = FALSE)
{
    // Create authentication request
    if (!radius_create_request($this->connection, RADIUS_ACCESS_REQUEST)) {
        $this->makeErrorText('RADIUS failed authentification request: ');
        return AUTH_NOCONNECT;
    }
    // A blank (or whitespace-only) password is rejected locally and never
    // reaches the server - a password is always expected.
    if (trim($pass) == '') {
        return AUTH_BADPASSWORD;
    }
    // Attach username and password
    if (!radius_put_attr($this->connection, RADIUS_USER_NAME, $uname) || !radius_put_attr($this->connection, RADIUS_USER_PASSWORD, $pass)) {
        // NOTE(review): the source is redacted between the two string literals on the
        // next line; the missing code is not reconstructed here.
        $this->makeErrorText('RADIUS could not attach username/password: '******'CHAP not supported');
        return AUTH_NOUSER;
        case RADIUS_ACCESS_REJECT: // Specifically rejected
        default: // Catch-all: any reply that is not handled above is treated as a failed login
            $this->makeErrorText('RADIUS validation error: ');
            return AUTH_NOUSER;
    }
    // User accepted here.
    if ($connect_only) {
        return AUTH_SUCCESS;
    }
    return AUTH_SUCCESS; // Not interested in any attributes returned ATM, so done.

    // Everything below is unreachable because of the unconditional return above.
    // See if we get any attributes - not really any use to us unless we implement CHAP, so disabled ATM
    // NOTE(review): if this is ever re-enabled, the exit and the printf() of raw attribute
    // data should go first - they would end the request and echo server data to the output.
    $attribs = array();
    while ($resa = radius_get_attr($this->connection)) {
        if (!is_array($resa)) {
            $this->makeErrorText("Error getting attribute: ");
            exit;
        }
        // Decode attribute according to type (this isn't an exhaustive list)
        // Codes: 2, 3, 4, 5, 30, 31, 32, 60, 61 should never be received by us
        // Codes 17, 21 not assigned
        switch ($resa['attr']) {
            case 8: // IP address to be set (255.255.255.254 indicates 'allocate your own address')
            case 9: // Subnet mask
            case 14: // Login-IP host
                $attribs[$resa['attr']] = radius_cvt_addr($resa['data']);
                break;
            case 6: // Service type (integer bitmap)
            case 7: // Protocol (integer bitmap)
            case 10: // Routing method (integer)
            case 12: // Framed MTU
            case 13: // Compression method
            case 15: // Login service (bitmap)
            case 16: // Login TCP port
            case 23: // Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
            case 27: // Session timeout - maximum connection/login time in seconds
            case 28: // Idle timeout in seconds
            case 29: // Termination action
            case 37: // AppleTalk link number
            case 38: // AppleTalk network
            case 62: // Max ports
            case 63: // Login LAT port
                $attribs[$resa['attr']] = radius_cvt_int($resa['data']);
                break;
            case 1: // User name
            case 11: // Filter ID - could get several of these
            case 18: // Reply message (text, various purposes)
            case 19: // Callback number
            case 20: // Callback ID
            case 22: // Framed route - could get several of these
            case 24: // State - used in CHAP
            case 25: // Class
            case 26: // Vendor-specific
            case 33: // Proxy State
            case 34: // Login LAT service
            case 35: // Login LAT node
            case 36: // Login LAT group
            case 39: // AppleTalk zone
            default:
                $attribs[$resa['attr']] = radius_cvt_string($resa['data']); // Default to string type
        }
        printf("Got Attr: %d => %d Bytes %s\n", $resa['attr'], strlen($attribs[$resa['attr']]), $attribs[$resa['attr']]);
    }
    return AUTH_SUCCESS;
}
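/**
 * This is the main authentication function of the plugin. Given both the
 * username and password it will make use of the options set to authenticate
 * against the configured RADIUS servers.
 *
 * The password sent to RADIUS is the WordPress password, followed by the
 * configured separator and the posted OTP when an OTP was submitted.
 *
 * @param mixed  $user     Result of earlier 'authenticate' filters; a WP_User is returned unchanged.
 * @param string $username Login name entered by the user.
 * @param string $password Password entered by the user.
 * @return WP_User|WP_Error|null WP_User on Access-Accept, WP_Error on failure, null when
 *                               the decision is left to other 'authenticate' filters.
 */
function checkLogin($user, $username, $password)
{
    if (is_a($user, 'WP_User')) {
        return $user;
    }
    if (empty($username)) {
        return self::wp_error('empty_username', __('The username field is empty.'));
    }
    if (empty($password)) {
        return self::wp_error('empty_password', __('The password field is empty.'));
    }

    $opts = TwoFactorRadiusAuth::getOptions();

    // Users on the skip list bypass RADIUS (and with it the second factor), so
    // the match must be exact. The previous @array_search() compared loosely
    // and, on older PHP versions, returned null for a missing or non-array
    // option, which "!== false" treated as a match: every user skipped RADIUS.
    $skipUsers = (isset($opts['skip_users']) && is_array($opts['skip_users'])) ? $opts['skip_users'] : array();
    if (in_array((string) $username, array_map('strval', $skipUsers), true)) {
        return null;
    }

    remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);

    $userdata = get_user_by('login', $username);
    if (!$userdata) {
        return self::wp_error('invalid_username', __('Invalid username.'));
    }

    if (is_multisite()) {
        // Is user marked as spam?
        if (1 == $userdata->spam) {
            return self::wp_error('invalid_username', __('Your account has been marked as a spammer.'));
        }
        // Is a user's blog marked as spam?
        if (!is_super_admin($userdata->ID) && isset($userdata->primary_blog)) {
            $details = get_blog_details($userdata->primary_blog);
            if (is_object($details) && $details->spam == 1) {
                return self::wp_error('blog_suspended', __('Site Suspended.'));
            }
        }
    }

    // The OTP field may be absent or, with a crafted form, not a string.
    $OTP = (isset($_POST['otp']) && is_string($_POST['otp'])) ? trim($_POST['otp']) : '';
    $radiuspass = $password;
    if ($OTP !== '') {
        $radiuspass = $password . $opts['pwd_otp_sep'] . $OTP;
    }

    if (!function_exists('radius_auth_open')) {
        return self::wp_error('missing_php_radius', 'Missing php-radius');
    }
    if (!TwoFactorRadiusAuth::isConfigured()) {
        return self::wp_error('missing_plugin_settings', __('Missing auth server settings'));
    }

    $reply_message = '';
    try {
        $rad = radius_auth_open();
        if (!radius_add_server($rad, $opts['s1_host'], $opts['s1_port'], $opts['s1_secr'], $opts['timeout'], $opts['max_tries'])) {
            throw new Exception(radius_strerror($rad));
        }
        // Optional second server, used only when fully configured.
        if (!empty($opts['s2_host']) && !empty($opts['s2_port']) && !empty($opts['s2_secr'])) {
            if (!radius_add_server($rad, $opts['s2_host'], $opts['s2_port'], $opts['s2_secr'], $opts['timeout'], $opts['max_tries'])) {
                throw new Exception(radius_strerror($rad));
            }
        }
        if (!radius_create_request($rad, RADIUS_ACCESS_REQUEST)) {
            throw new Exception(radius_strerror($rad));
        }
        if (!radius_put_string($rad, RADIUS_NAS_IDENTIFIER, '1')) {
            throw new Exception(radius_strerror($rad));
        }
        // Service-Type and Framed-Protocol are added once; the second,
        // duplicated pair of puts has been dropped.
        if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
            throw new Exception(radius_strerror($rad));
        }
        if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
            throw new Exception(radius_strerror($rad));
        }
        // NOTE(review): the old code read $REMOTE_HOST, which is never defined in
        // this scope, so Calling-Station-Id has always been the loopback address.
        // Kept as is; confirm whether the client address should be sent instead.
        $station = '127.0.0.1';
        if (!radius_put_string($rad, RADIUS_CALLING_STATION_ID, $station)) {
            throw new Exception(radius_strerror($rad));
        }
        if (!radius_put_string($rad, RADIUS_USER_NAME, $username)) {
            throw new Exception(radius_strerror($rad));
        }
        if (!radius_put_string($rad, RADIUS_USER_PASSWORD, $radiuspass)) {
            throw new Exception(radius_strerror($rad));
        }

        $res = radius_send_request($rad);
        if (!$res) {
            throw new Exception(radius_strerror($rad));
        }

        // Keep the first Reply-Message; it selects the reject branch below.
        while ($rattr = radius_get_attr($rad)) {
            if (!is_array($rattr)) {
                break;
            }
            if ($rattr['attr'] == RADIUS_REPLY_MESSAGE) {
                $reply_message = $rattr['data'];
                break;
            }
        }
    } catch (Exception $exp) {
        return self::wp_error('radius_error', $exp->getMessage());
    }

    switch ($res) {
        case RADIUS_ACCESS_ACCEPT:
            // Sets the hash on the local object only; nothing visible here persists it.
            $userdata->user_pass = wp_hash_password($password);
            return new WP_User($userdata->ID);

        case RADIUS_ACCESS_REJECT:
            switch ($reply_message) {
                case 'LDAP USER NOT FOUND':
                    if ($opts['use_wp_auth'] == 'on') {
                        // Falls back to WordPress' own password check, so accounts
                        // unknown to the RADIUS backend log in without a second factor.
                        add_filter('authenticate', 'wp_authenticate_username_password', 10, 3);
                        return null;
                    }
                    return self::wp_error('invalid_username', __('Unknown user'));
                case 'INVALID OTP':
                default:
                    return self::wp_error('incorrect_password', __('Wrong password/OTP'));
            }

        default:
            return self::wp_error('denied', __('Unknown error'));
    }
}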
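/**
 * Attempt to log in using the given username and password.
 *
 * Sends an Access-Request with User-Name and User-Password to the configured
 * server. On Access-Accept it returns the configured username attribute and,
 * when a vendor is configured, the matching vendor-specific attributes, which
 * are expected in "name=value" form.
 *
 * @param string $username  The username the user wrote.
 * @param string $password  The password the user wrote.
 * @return array  Associative array with the user's attributes; each value is a list.
 * @throws SimpleSAML_Error_Error  With code WRONGUSERPASS on Access-Reject.
 * @throws Exception  When the server cannot be added, the request cannot be built,
 *                    a challenge is requested, or attributes cannot be read.
 */
protected function login($username, $password)
{
    // Expression asserts: the string form is never evaluated as code on PHP 8.
    assert(is_string($username));
    assert(is_string($password));

    $radius = radius_auth_open();
    if (!radius_add_server($radius, $this->hostname, $this->port, $this->secret, $this->timeout, $this->retries)) {
        throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
    }

    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        throw new Exception('Error creating radius request: ' . radius_strerror($radius));
    }

    radius_put_attr($radius, RADIUS_USER_NAME, $username);
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);

    // Loose comparison kept on purpose: an empty identifier is not sent either.
    if ($this->nasIdentifier != NULL) {
        radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
    }

    $res = radius_send_request($radius);
    if ($res != RADIUS_ACCESS_ACCEPT) {
        switch ($res) {
            case RADIUS_ACCESS_REJECT:
                /* Invalid username or password. */
                throw new SimpleSAML_Error_Error('WRONGUSERPASS');
            case RADIUS_ACCESS_CHALLENGE:
                throw new Exception('Radius authentication error: Challenge requested, but not supported.');
            default:
                throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
        }
    }

    /* If we get this far, we have a valid login. */
    $attributes = array();

    if ($this->usernameAttribute !== NULL) {
        $attributes[$this->usernameAttribute] = array($username);
    }

    if ($this->vendor === NULL) {
        /*
         * We aren't interested in any vendor-specific attributes. We are
         * therefore done now.
         */
        return $attributes;
    }

    /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
    while ($resa = radius_get_attr($radius)) {
        if (!is_array($resa)) {
            throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
        }

        if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $resv = radius_get_vendor_attr($resa['data']);
        if (!is_array($resv)) {
            throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
        }

        $vendor = $resv['vendor'];
        $attrv = $resv['attr'];
        $datav = $resv['data'];

        /*
         * Uncomment this to debug vendor attributes.
         */
        //printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));

        if ($vendor != $this->vendor || $attrv != $this->vendorType) {
            continue;
        }

        // Split on the first '=' only. strtok() cut the value at the next '=',
        // which dropped base64 padding and anything after an embedded '='.
        $pair = explode('=', $datav, 2);
        if (count($pair) !== 2) {
            // No '=' at all: there is no value to store. The old code stored
            // boolean false as the value here.
            continue;
        }
        list($attrib_name, $attrib_value) = $pair;

        /* if the attribute name is already in result set, add another value */
        if (array_key_exists($attrib_name, $attributes)) {
            $attributes[$attrib_name][] = $attrib_value;
        } else {
            $attributes[$attrib_name] = array($attrib_value);
        }
    }
    /* end of contribution */

    return $attributes;
}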
/**
 * Retrieve user auth level for specified user.
 *
 * With $config['auth_radius_groups'] set, the level is the highest 'level'
 * among the configured groups named by the reply attributes on the global
 * $rad handle (Reply-Message or Filter-Id, depending on
 * $config['auth_radius_groupmemberattr']). The result is cached per username
 * in $cache['radius']['level'].
 * Without group configuration every non-empty username gets level 10.
 *
 * @param string $username Username to retrieve the auth level for
 * @return int User's auth level
 */
function radius_auth_user_level($username)
{
    global $config, $rad, $cache;

    // Old non-groups mode: by default always user level 10
    if (!isset($config['auth_radius_groups'])) {
        return (strlen($username) > 0) ? 10 : 0;
    }

    // Already resolved for this username
    if (isset($cache['radius']['level'][$username])) {
        return $cache['radius']['level'][$username];
    }

    // Which reply attribute carries the group names
    $by_reply_message = $config['auth_radius_groupmemberattr'] == 18
        || strtolower($config['auth_radius_groupmemberattr']) == 'reply-message';
    $group_attr = $by_reply_message
        ? RADIUS_REPLY_MESSAGE // Reply-Message (18)
        : RADIUS_FILTER_ID;    // Filter-Id (11)

    // Walk the reply attributes and keep the highest level of any known group
    $level = 0;
    while ($reply_attr = radius_get_attr($rad)) {
        if ($reply_attr['attr'] != $group_attr) {
            continue;
        }

        $group = radius_cvt_string($reply_attr['data']);
        if (isset($config['auth_radius_groups'][$group]) &&
            $config['auth_radius_groups'][$group]['level'] > $level) {
            $level = intval($config['auth_radius_groups'][$group]['level']);
        }
    }

    $cache['radius']['level'][$username] = $level;

    return $level;
}
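/**
 * authenticate user against radius
 *
 * Builds an Access-Request for the configured server and sends it. On
 * Access-Accept the Session-Timeout and Acct-Interim-Interval reply
 * attributes, when present, are stored in $this->lastAuthProperties.
 * Every failure (setup error, unsupported protocol, no reply, reject,
 * unexpected reply code) returns false, so the method fails closed.
 *
 * @param $username username to authenticate
 * @param $password user password
 * @return bool authentication status
 */
public function authenticate($username, $password)
{
    $this->lastAuthProperties = array(); // reset auth properties
    $radius = radius_auth_open();

    $error = null;
    if (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) {
        $error = radius_strerror($radius);
    } elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        $error = radius_strerror($radius);
    } elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) {
        $error = radius_strerror($radius);
    } elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
        $error = radius_strerror($radius);
    } elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
        $error = radius_strerror($radius);
    } elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
        $error = radius_strerror($radius);
    } elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
        $error = radius_strerror($radius);
    } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
        $error = radius_strerror($radius);
    } else {
        // Implement extra protocols in this section.
        switch ($this->protocol) {
            case 'PAP':
                // do PAP authentication
                if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) {
                    $error = radius_strerror($radius);
                }
                break;
            default:
                syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
                return false;
        }
    }

    // Strict null check: a setup step that failed with an empty error string
    // must still stop here and must not fall through to sending the request.
    if ($error !== null) {
        // $error already holds the message; it is not a radius handle, so it
        // must not be passed to radius_strerror() again.
        syslog(LOG_ERR, 'RadiusError:' . $error);
        return false;
    }

    // perform actual authentication request
    $request = radius_send_request($radius);
    if (!$request) {
        // The old check tested the handle ($radius) instead of the result, so a
        // failed or timed-out request was never reported with its real error.
        syslog(LOG_ERR, 'RadiusError:' . radius_strerror($radius));
        return false;
    }

    switch ($request) {
        case RADIUS_ACCESS_ACCEPT:
            while ($resa = radius_get_attr($radius)) {
                if (!is_array($resa)) {
                    // Attribute parsing failed; the accept decision stands, the
                    // remaining optional properties are skipped.
                    break;
                }
                switch ($resa['attr']) {
                    case RADIUS_SESSION_TIMEOUT:
                        $this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']);
                        break;
                    case 85: // Acct-Interim-Interval
                        $this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']);
                        break;
                    default:
                        break;
                }
            }
            return true;
        case RADIUS_ACCESS_REJECT:
            return false;
        default:
            // unexpected result, log
            syslog(LOG_ERR, 'Radius unexpected response:' . $request);
    }

    return false;
}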