Beispiel #1
1
 function login($username, $password)
 {
     $radius = radius_auth_open();
     if (!radius_add_server($radius, RADIUS_HOST, RADIUS_PORT, RADIUS_SECRET, RADIUS_TIMEOUT, RADIUS_MAXTRIES)) {
         die('Radius Error: ' . radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         die('Radius Error: ' . radius_strerror($radius));
     }
     radius_put_attr($radius, RADIUS_USER_NAME, $username);
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, RADIUS_IDENTIFIER);
     $response = radius_send_request($radius);
     if ($response == RADIUS_ACCESS_ACCEPT) {
         $_SESSION['loggedin'] = $username;
         $_SESSION['userlevel'] = RADIUS_USERLEVEL;
         //User level set in settings.php
         return true;
     } else {
         if ($response == RADIUS_ACCESS_CHALLENGE) {
             //Challenge
             return false;
         }
     }
     return false;
 }
Beispiel #2
0
 /**
  *	Retrieve and construct error strings
  */
 function makeErrorText($extra = '')
 {
     $this->ErrorText = $extra . radius_strerror($this->connection);
     if (!RADIUS_DEBUG) {
         return;
     }
     $text = "<br />Server: {$this->server}  Stored secret: " . radius_server_secret($this->connection) . "  Port: {$this->port}";
     $this->ErrorText .= $text;
 }
 public function checkPassword($login, $pass, $seed)
 {
     if (!extension_loaded('radius')) {
         AJXP_Logger::logAction("RADIUS: php radius extension is missing, please install it.");
         return false;
     }
     $res = radius_auth_open();
     $this->prepareRequest($res, $login, $pass, $seed);
     $req = radius_send_request($res);
     if (!$req) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not send request (" . radius_strerror($res) . ")");
         return false;
     }
     switch ($req) {
         case RADIUS_ACCESS_ACCEPT:
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: authentication for user \"" . $login . "\" successful");
             radius_close($res);
             return true;
         case RADIUS_ACCESS_REJECT:
             AJXP_Logger::logAction("RADIUS: authentication for user \"" . $login . "\" failed");
             break;
         default:
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: unknwon return value " . $req);
             break;
     }
     radius_close($res);
     return false;
 }
Beispiel #4
0
     $raderr = "Error while preparing RADIUS authentication: " . radius_strerror($radres);
 }
 foreach ($radsrv as $rs) {
     if (!radius_add_server($radres, $rs[0], $rs[1], $rs[2], $rs[3], $rs[4])) {
         echo "<h4>RADIUS: " . radius_strerror($radres) . "</h4>";
     }
 }
 if (!radius_create_request($radres, RADIUS_ACCESS_REQUEST)) {
     $raderr = "RADIUS create: " . radius_strerror($radres);
 }
 if (!(radius_put_string($radres, RADIUS_USER_NAME, $user) && radius_put_string($radres, RADIUS_USER_PASSWORD, $_POST['pass']) && radius_put_string($radres, RADIUS_CALLING_STATION_ID, $_SERVER['REMOTE_ADDR']) && radius_put_addr($radres, RADIUS_NAS_IP_ADDRESS, $_SERVER['SERVER_ADDR']))) {
     $raderr = "RADIUS put: " . radius_strerror($radres);
 }
 $radauth = radius_send_request($radres);
 if (!$radauth) {
     $raderr = "RADIUS send: " . radius_strerror($radres);
 } else {
     switch ($radauth) {
         case RADIUS_ACCESS_ACCEPT:
             $query = GenQuery('users', 's', '*', '', '', array('usrname'), array('='), array($user));
             $res = DbQuery($query, $link);
             $uok = DbNumRows($res);
             break;
         case RADIUS_ACCESS_REJECT:
             $raderr = "Incorrect RADIUS login!";
             break;
         case RADIUS_ACCESS_CHALLENGE:
             $raderr = "No RADIUS challenge handling yet!";
             break;
         default:
             $raderr = "Unknown RADIUS error!";
Beispiel #5
0
 /**
  * Attempt to log in using the given username and password.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the user's attributes.
  */
 protected function login($username, $password)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     $radius = radius_auth_open();
     /* Try to add all radius servers, trigger a failure if no one works. */
     $success = false;
     foreach ($this->servers as $server) {
         if (!isset($server['port'])) {
             $server['port'] = 1812;
         }
         if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], $this->timeout, $this->retries)) {
             SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
             continue;
         }
         $success = true;
     }
     if (!$success) {
         throw new Exception('Error adding radius servers, no servers available');
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new Exception('Error creating radius request: ' . radius_strerror($radius));
     }
     if ($this->realm === null) {
         radius_put_attr($radius, RADIUS_USER_NAME, $username);
     } else {
         radius_put_attr($radius, RADIUS_USER_NAME, $username . '@' . $this->realm);
     }
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     if ($this->nasIdentifier !== null) {
         radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
     }
     $res = radius_send_request($radius);
     if ($res != RADIUS_ACCESS_ACCEPT) {
         switch ($res) {
             case RADIUS_ACCESS_REJECT:
                 /* Invalid username or password. */
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
             case RADIUS_ACCESS_CHALLENGE:
                 throw new Exception('Radius authentication error: Challenge requested, but not supported.');
             default:
                 throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
         }
     }
     /* If we get this far, we have a valid login. */
     $attributes = array();
     if ($this->usernameAttribute !== null) {
         $attributes[$this->usernameAttribute] = array($username);
     }
     if ($this->vendor === null) {
         /*
          * We aren't interested in any vendor-specific attributes. We are
          * therefore done now.
          */
         return $attributes;
     }
     /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
     while ($resa = radius_get_attr($radius)) {
         if (!is_array($resa)) {
             throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
         }
         /* Use the received user name */
         if ($resa['attr'] == RADIUS_USER_NAME) {
             $attributes[$this->usernameAttribute] = array($resa['data']);
             continue;
         }
         if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
             continue;
         }
         $resv = radius_get_vendor_attr($resa['data']);
         if (!is_array($resv)) {
             throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
         }
         $vendor = $resv['vendor'];
         $attrv = $resv['attr'];
         $datav = $resv['data'];
         if ($vendor != $this->vendor || $attrv != $this->vendorType) {
             continue;
         }
         $attrib_name = strtok($datav, '=');
         $attrib_value = strtok('=');
         /* if the attribute name is already in result set,
            add another value */
         if (array_key_exists($attrib_name, $attributes)) {
             $attributes[$attrib_name][] = $attrib_value;
         } else {
             $attributes[$attrib_name] = array($attrib_value);
         }
     }
     /* end of contribution */
     return $attributes;
 }
Beispiel #6
0
 /**
  * Autentica un usuario usando el adaptador
  *
  * @return boolean
  */
 public function authenticate()
 {
     $radius = radius_auth_open();
     if (!$radius) {
         throw new KumbiaException("No se pudo crear el autenticador de Radius");
     }
     if (!radius_add_server($radius, $this->server, $this->port, $this->secret, $this->timeout, $this->max_retries)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     if (!radius_put_string($radius, RADIUS_USER_NAME, $this->username)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $this->password)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     if (!radius_put_int($radius, RADIUS_AUTHENTICATE_ONLY, 1)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     $this->resource = $radius;
     if (radius_send_request($radius) == RADIUS_ACCESS_ACCEPT) {
         return true;
     } else {
         return false;
     }
 }
Beispiel #7
0
 /**
  * Returns an error message, if an error occurred.
  *
  * @access public
  * @return string
  */
 function getError()
 {
     return radius_strerror($this->res);
 }
Beispiel #8
0
 function authExternalUser($login, $password)
 {
     $res = radius_auth_open();
     if (!radius_add_server($res, $this->config['radius_server'], $this->config['radius_port'], $this->config['sharedsecret'], 3, 3)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost')) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1') == -1) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if ($password) {
         if (!radius_put_string($res, RADIUS_USER_PASSWORD, $password)) {
             debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
             return false;
         }
     }
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     $req = radius_send_request($res);
     if (!$req) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     $user = false;
     switch ($req) {
         case RADIUS_ACCESS_ACCEPT:
             $userData = array();
             $userData["name"] = $login;
             $userData["newpass1"] = '!';
             $userData["newpass2"] = '!';
             $user = $this->storeExternalUser($login, $userData);
             break;
         case RADIUS_ACCESS_REJECT:
             debug("RadiusError: Radius Request rejected\n", 'auth');
             break;
         default:
             debug("RadiusError: Unknown answer\n", 'auth');
     }
     return $user;
 }
Beispiel #9
0
 /**
  * authenticate user against radius
  * @param $username username to authenticate
  * @param $password user password
  * @return bool authentication status
  */
 public function authenticate($username, $password)
 {
     $this->lastAuthProperties = array();
     // reset auth properties
     $radius = radius_auth_open();
     $error = null;
     if (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) {
         $error = radius_strerror($radius);
     } elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
         $error = radius_strerror($radius);
     } else {
         // Implement extra protocols in this section.
         switch ($this->protocol) {
             case 'PAP':
                 // do PAP authentication
                 if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) {
                     $error = radius_strerror($radius);
                 }
                 break;
             default:
                 syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
                 return false;
         }
     }
     // log errors and perform actual authentication request
     if ($error != null) {
         syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
     } else {
         $request = radius_send_request($radius);
         if (!$radius) {
             syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
         } else {
             switch ($request) {
                 case RADIUS_ACCESS_ACCEPT:
                     while ($resa = radius_get_attr($radius)) {
                         switch ($resa['attr']) {
                             case RADIUS_SESSION_TIMEOUT:
                                 $this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']);
                                 break;
                             case 85:
                                 // Acct-Interim-Interval
                                 $this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']);
                                 break;
                             default:
                                 break;
                         }
                     }
                     return true;
                     break;
                 case RADIUS_ACCESS_REJECT:
                     return false;
                     break;
                 default:
                     // unexpected result, log
                     syslog(LOG_ERR, 'Radius unexpected response:' . $request);
             }
         }
     }
     return false;
 }
Beispiel #10
0
 /**
  * Find out if a set of login credentials are valid.
  *
  * @param string $username    The userId to check.
  * @param array $credentials  An array of login credentials.
  *                            For radius, this must contain a password
  *                            entry.
  *
  * @throws Horde_Auth_Exception
  */
 protected function _authenticate($username, $credentials)
 {
     /* Password is required. */
     if (!isset($credentials['password'])) {
         throw new Horde_Auth_Exception('Password required for RADIUS authentication.');
     }
     $res = radius_auth_open();
     radius_add_server($res, $this->_params['host'], $this->_params['port'], $this->_params['secret'], $this->_params['timeout'], $this->_params['retries']);
     radius_create_request($res, RADIUS_ACCESS_REQUEST);
     radius_put_attr($res, RADIUS_NAS_IDENTIFIER, $this->_params['nas']);
     radius_put_attr($res, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
     radius_put_attr($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
     radius_put_attr($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
     radius_put_attr($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1');
     /* Insert username/password into request. */
     radius_put_attr($res, RADIUS_USER_NAME, $username);
     radius_put_attr($res, RADIUS_USER_PASSWORD, $credentials['password']);
     /* Send request. */
     $success = radius_send_request($res);
     switch ($success) {
         case RADIUS_ACCESS_ACCEPT:
             break;
         case RADIUS_ACCESS_REJECT:
             throw new Horde_Auth_Exception('Authentication rejected by RADIUS server.');
         default:
             throw new Horde_Auth_Exception(radius_strerror($res));
     }
 }
 /**
  * This is the main authentication function of the plugin. Given both the 
  * username and password it will make use of the options set to authenticate
  * against the configured RADIUS servers.
  */
 function checkLogin($user, $username, $password)
 {
     if (is_a($user, 'WP_User')) {
         return $user;
     }
     if (empty($username)) {
         return self::wp_error('empty_username', __('The username field is empty.'));
     }
     if (empty($password)) {
         return self::wp_error('empty_password', __('The password field is empty.'));
     }
     $opts = TwoFactorRadiusAuth::getOptions();
     // skip radius for user
     if (@array_search($username, $opts['skip_users']) !== false) {
         return;
     }
     remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
     $userdata = get_user_by('login', $username);
     if (!$userdata) {
         return self::wp_error('invalid_username', __('Invalid username.'));
     }
     if (is_multisite()) {
         // Is user marked as spam?
         if (1 == $userdata->spam) {
             return self::wp_error('invalid_username', __('Your account has been marked as a spammer.'));
         }
         // Is a user's blog marked as spam?
         if (!is_super_admin($userdata->ID) && isset($userdata->primary_blog)) {
             $details = get_blog_details($userdata->primary_blog);
             if (is_object($details) && $details->spam == 1) {
                 return self::wp_error('blog_suspended', __('Site Suspended.'));
             }
         }
     }
     $OTP = trim($_POST['otp']);
     $radiuspass = $password;
     if (!empty($OTP)) {
         $radiuspass = $password . $opts['pwd_otp_sep'] . $OTP;
     }
     if (!function_exists('radius_auth_open')) {
         return self::wp_error('missing_php_radius', 'Missing php-radius');
     }
     if (!TwoFactorRadiusAuth::isConfigured()) {
         return self::wp_error('missing_plugin_settings', __('Missing auth server settings'));
     }
     $reply_message = '';
     try {
         $rad = radius_auth_open();
         if (!radius_add_server($rad, $opts['s1_host'], $opts['s1_port'], $opts['s1_secr'], $opts['timeout'], $opts['max_tries'])) {
             throw new Exception(radius_strerror($rad));
         }
         if (!empty($opts['s2_host']) && !empty($opts['s2_port']) && !empty($opts['s2_secr'])) {
             if (!radius_add_server($rad, $opts['s2_host'], $opts['s2_port'], $opts['s2_secr'], $opts['timeout'], $opts['max_tries'])) {
                 throw new Exception(radius_strerror($rad));
             }
         }
         if (!radius_create_request($rad, RADIUS_ACCESS_REQUEST)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_string($rad, RADIUS_NAS_IDENTIFIER, '1')) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
             throw new Exception(radius_strerror($rad));
         }
         $station = isset($REMOTE_HOST) ? $REMOTE_HOST : '127.0.0.1';
         if (!radius_put_string($rad, RADIUS_CALLING_STATION_ID, $station) == -1) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_string($rad, RADIUS_USER_NAME, $username)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_string($rad, RADIUS_USER_PASSWORD, $radiuspass)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
             throw new Exception(radius_strerror($rad));
         }
         $res = radius_send_request($rad);
         if (!$res) {
             throw new Exception(radius_strerror($rad));
         }
         while ($rattr = radius_get_attr($rad)) {
             if ($rattr['attr'] == 18) {
                 $reply_message = $rattr['data'];
                 break;
             }
         }
     } catch (Exception $exp) {
         return self::wp_error('radius_error', $exp->getMessage());
     }
     switch ($res) {
         case RADIUS_ACCESS_ACCEPT:
             $userdata->user_pass = wp_hash_password($password);
             return new WP_User($userdata->ID);
             break;
         case RADIUS_ACCESS_REJECT:
             switch ($reply_message) {
                 case 'LDAP USER NOT FOUND':
                     if ($opts['use_wp_auth'] == 'on') {
                         add_filter('authenticate', 'wp_authenticate_username_password', 10, 3);
                         return null;
                     } else {
                         return self::wp_error('invalid_username', __('Unknown user'));
                     }
                 case 'INVALID OTP':
                 default:
                     return self::wp_error('incorrect_password', __('Wrong password/OTP'));
             }
             break;
         default:
             return self::wp_error('denied', __('Unknown error'));
     }
 }
 /**
  * Attempt to log in using the given username and password.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the users attributes.
  */
 protected function login($username, $password)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     $radius = radius_auth_open();
     if (!radius_add_server($radius, $this->hostname, $this->port, $this->secret, $this->timeout, $this->retries)) {
         throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new Exception('Error creating radius request: ' . radius_strerror($radius));
     }
     radius_put_attr($radius, RADIUS_USER_NAME, $username);
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     if ($this->nasIdentifier != NULL) {
         radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
     }
     $res = radius_send_request($radius);
     if ($res != RADIUS_ACCESS_ACCEPT) {
         switch ($res) {
             case RADIUS_ACCESS_REJECT:
                 /* Invalid username or password. */
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
             case RADIUS_ACCESS_CHALLENGE:
                 throw new Exception('Radius authentication error: Challenge requested, but not supported.');
             default:
                 throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
         }
     }
     /* If we get this far, we have a valid login. */
     $attributes = array();
     if ($this->usernameAttribute !== NULL) {
         $attributes[$this->usernameAttribute] = array($username);
     }
     if ($this->vendor === NULL) {
         /*
          * We aren't interrested in any vendor-specific attributes. We are
          * therefore done now.
          */
         return $attributes;
     }
     /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
     while ($resa = radius_get_attr($radius)) {
         if (!is_array($resa)) {
             throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
         }
         if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
             continue;
         }
         $resv = radius_get_vendor_attr($resa['data']);
         if (!is_array($resv)) {
             throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
         }
         $vendor = $resv['vendor'];
         $attrv = $resv['attr'];
         $datav = $resv['data'];
         /*
          * Uncomment this to debug vendor attributes.
          */
         //printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));
         if ($vendor != $this->vendor || $attrv != $this->vendorType) {
             continue;
         }
         $attrib_name = strtok($datav, '=');
         $attrib_value = strtok('=');
         /* if the attribute name is already in result set, add another value */
         if (array_key_exists($attrib_name, $attributes)) {
             $attributes[$attrib_name][] = $attrib_value;
         } else {
             $attributes[$attrib_name] = array($attrib_value);
         }
     }
     /* end of contribution */
     return $attributes;
 }
 /**
  * Authenticate the configured user
  *
  * @return Zend\Authentication\Result
  */
 public function authenticate()
 {
     //Create RADIUS request
     radius_create_request($this->radius, RADIUS_ACCESS_REQUEST);
     if ($this->getUsername()) {
         radius_put_attr($this->radius, RADIUS_USER_NAME, $this->getUsername() . $this->getAuthenticationRealm());
     }
     if ($this->getPassword()) {
         radius_put_attr($this->radius, RADIUS_USER_PASSWORD, $this->getPassword());
     }
     //Send
     $result = radius_send_request($this->radius);
     switch ($result) {
         case RADIUS_ACCESS_ACCEPT:
             return new Authentication\Result(Authentication\Result::SUCCESS, $this->getUsername());
         case RADIUS_ACCESS_REJECT:
             return new Authentication\Result(Authentication\Result::FAILURE_CREDENTIAL_INVALID, $this->getUsername(), array(radius_strerror($this->radius)));
         default:
             var_dump($result);
             # don't do this!
             return new Authentication\Result(Authentication\Result::FAILURE_UNCATEGORIZED, $this->getUsername(), array(radius_strerror($this->radius)));
     }
 }
Beispiel #14
0
/**
 * Check username and password against RADIUS authentication backend.
 *
 * @param string $username User name to check
 * @param string $password User password to check
 * @return int Authentication success (0 = fail, 1 = success) FIXME bool
 */
function radius_authenticate($username, $password)
{
    global $config, $rad;
    radius_init();
    if ($username && $rad) {
        //print_vars(radius_server_secret($rad));
        radius_create_request($rad, RADIUS_ACCESS_REQUEST);
        radius_put_attr($rad, RADIUS_USER_NAME, $username);
        switch (strtolower($config['auth_radius_method'])) {
            // CHAP-MD5 see RFC1994
            case 'chap':
            case 'chap_md5':
                $chapid = 1;
                // Specify a CHAP identifier
                //$challenge = mt_rand(); // Generate a challenge
                //$cresponse = md5(pack('Ca*', $chapid, $password.$challenge), TRUE);
                new Crypt_CHAP();
                // Pre load class
                $crpt = new Crypt_CHAP_MD5();
                $crpt->password = $password;
                $challenge = $crpt->challenge;
                $resp_md5 = $crpt->challengeResponse();
                $resp = pack('C', $chapid) . $resp_md5;
                radius_put_attr($rad, RADIUS_CHAP_PASSWORD, $resp);
                // Add the Chap-Password attribute
                radius_put_attr($rad, RADIUS_CHAP_CHALLENGE, $challenge);
                // Add the Chap-Challenge attribute.
                break;
                // MS-CHAPv1 see RFC2433
            // MS-CHAPv1 see RFC2433
            case 'mschapv1':
                $chapid = 1;
                // Specify a CHAP identifier
                $flags = 1;
                // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
                new Crypt_CHAP();
                // Pre load class
                $crpt = new Crypt_CHAP_MSv1();
                $crpt->password = $password;
                $challenge = $crpt->challenge;
                $resp_lm = str_repeat("", 24);
                $resp_nt = $crpt->challengeResponse();
                $resp = pack('CC', $chapid, $flags) . $resp_lm . $resp_nt;
                radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp);
                radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
                break;
                // MS-CHAPv2 see RFC2759
            // MS-CHAPv2 see RFC2759
            case 'mschapv2':
                $chapid = 1;
                // Specify a CHAP identifier
                $flags = 1;
                // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
                new Crypt_CHAP();
                // Pre load class
                $crpt = new Crypt_CHAP_MSv2();
                $crpt->username = $username;
                $crpt->password = $password;
                $challenge = $crpt->authChallenge;
                $challenge_p = $crpt->peerChallenge;
                $resp_nt = $crpt->challengeResponse();
                // Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response
                $resp = pack('CCa16a8a24', $chapid, $flags, $challenge_p, str_repeat("", 8), $resp_nt);
                radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp);
                radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
                break;
                // PAP (Plaintext)
            // PAP (Plaintext)
            default:
                radius_put_attr($rad, RADIUS_USER_PASSWORD, $password);
        }
        // Puts standard attributes
        $radius_ip = get_ip_version($config['auth_radius_nas_address']) ? $config['auth_radius_nas_address'] : $_SERVER['SERVER_ADDR'];
        if (get_ip_version($radius_ip) == 6) {
            // FIXME, not sure that this work correctly
            radius_put_attr($rad, RADIUS_NAS_IPV6_ADDRESS, $radius_ip);
        } else {
            radius_put_addr($rad, RADIUS_NAS_IP_ADDRESS, $radius_ip);
        }
        $radius_id = empty($config['auth_radius_id']) ? get_localhost() : $config['auth_radius_id'];
        radius_put_attr($rad, RADIUS_NAS_IDENTIFIER, $radius_id);
        //radius_put_attr($rad, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
        //radius_put_attr($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
        //radius_put_attr($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
        radius_put_attr($rad, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1');
        $response = radius_send_request($rad);
        //print_vars($response);
        switch ($response) {
            case RADIUS_ACCESS_ACCEPT:
                // An Access-Accept response to an Access-Request indicating that the RADIUS server authenticated the user successfully.
                //echo 'Authentication successful';
                return 1;
                break;
            case RADIUS_ACCESS_REJECT:
                // An Access-Reject response to an Access-Request indicating that the RADIUS server could not authenticate the user.
                //echo 'Authentication failed';
                break;
            case RADIUS_ACCESS_CHALLENGE:
                // An Access-Challenge response to an Access-Request indicating that the RADIUS server requires further information
                // in another Access-Request before authenticating the user.
                //echo 'Challenge required';
                break;
            default:
                print_error('A RADIUS error has occurred: ' . radius_strerror($rad));
        }
    }
    //session_logout();
    return 0;
}
Beispiel #15
0
                $authlogattr = $config->getValue('statistics.authlogattr', null);
                if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
                    SimpleSAML_Logger::stats('AUTH-login-radius OK ' . $attributes[$authlogattr][0]);
                } else {
                    SimpleSAML_Logger::stats('AUTH-login-radius OK');
                }
                SimpleSAML_Utilities::redirectTrustedURL($relaystate);
            case RADIUS_ACCESS_REJECT:
                SimpleSAML_Logger::info('AUTH - radius: ' . $_POST['username'] . ' failed to authenticate');
                throw new Exception('Radius authentication error: Bad credentials ');
                break;
            case RADIUS_ACCESS_CHALLENGE:
                SimpleSAML_Logger::critical('AUTH - radius: Challenge requested: ' . radius_strerror($radius));
                throw new Exception('Radius authentication error: Challenge requested');
                break;
            default:
                SimpleSAML_Logger::critical('AUTH  -radius: General radius error: ' . radius_strerror($radius));
                throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
        }
    } catch (Exception $e) {
        $error = $e->getMessage();
    }
}
$t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login');
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
$t->data['relaystate'] = $relaystate;
$t->data['error'] = $error;
if (isset($error)) {
    $t->data['username'] = $_POST['username'];
}
$t->show();
Beispiel #16
0
// RADIUS_AUTH_RADIUS => authenticated via Radius
// RADIUS_AUTH_LOCAL => authenicated local
// RADIUS_AUTH_REMOTE => authenticated remote
if (!radius_put_int($res, RADIUS_ACCT_AUTHENTIC, RADIUS_AUTH_LOCAL)) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
sleep(3);
// if RADIUS_ACCT_STATUS_TYPE == RADIUS_STOP
if (!radius_put_int($res, RADIUS_ACCT_TERMINATE_CAUSE, RADIUS_TERM_USER_REQUEST)) {
    echo 'RadiusError2:' . radius_strerror($res) . "\n<br>";
    exit;
}
if (!radius_put_int($res, RADIUS_ACCT_SESSION_TIME, time() - $starttime)) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
// endif
$req = radius_send_request($res);
if (!$req) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
switch ($req) {
    case RADIUS_ACCOUNTING_RESPONSE:
        echo "Radius Accounting response<br>\n";
        break;
    default:
        echo "Unexpected return value:{$req}\n<br>";
}
radius_close($res);
Beispiel #17
0
 /**
  * Perform authentication using a RADIUS server.
  *
  * @param Mfa_OtpdeviceDao $otpDevice
  * @param Mfa_ApitokenDao $token
  * @throws Zend_Exception
  */
 protected function _radiusauth($otpDevice, $token)
 {
     /** @var SettingModel $settingModel */
     $settingModel = MidasLoader::loadModel('Setting');
     $radiusserver = $settingModel->GetValueByName('radiusServer', 'mfa');
     $radiusport = $settingModel->GetValueByName('radiusPort', 'mfa');
     $radiuspw = $settingModel->GetValueByName('radiusPassword', 'mfa');
     $radiusTimeout = $settingModel->GetValueByName('radiusTimeout', 'mfa');
     $radiusMaxTries = $settingModel->GetValueByName('radiusMaxTries', 'mfa');
     if (!function_exists('radius_auth_open')) {
         throw new Zend_Exception('RADIUS is not enabled on the server');
     }
     $this->getLogger()->debug('Midas Server RADIUS trying to authenticate user: '******'Cannot connect to the RADIUS server: ' . radius_strerror($rh));
     }
     if (!radius_create_request($rh, RADIUS_ACCESS_REQUEST)) {
         throw new Zend_Exception('Cannot process requests to RADIUS server: ' . radius_strerror($rh));
     }
     /* this is the key parameter */
     radius_put_attr($rh, RADIUS_USER_NAME, $otpDevice->getSecret());
     /* this is the one time pin + 6-digit hard token or 8 digit smart token */
     radius_put_attr($rh, RADIUS_USER_PASSWORD, $token);
     switch (radius_send_request($rh)) {
         case RADIUS_ACCESS_ACCEPT:
             $this->getLogger()->debug('Midas Server RADIUS successful authentication ' . 'for ' . $otpDevice->getSecret());
             return true;
         case RADIUS_ACCESS_REJECT:
             $this->getLogger()->info('Midas Server RADIUS failed authentication for ' . $otpDevice->getSecret());
             return false;
         case RADIUS_ACCESS_CHALLENGE:
             $this->getLogger()->info('Midas Server RADIUS challenge requested for ' . $otpDevice->getSecret());
             return false;
         default:
             $this->getLogger()->info('Midas Server RADIUS error during authentication ' . 'for ' . $otpDevice->getSecret() . ' with Token: ' . $token . '. Error: ' . radius_strerror($rh));
             throw new Zend_Exception('Error during RADIUS authentication: ' . radius_strerror($rh));
     }
 }