Example #1
1
 private function _sendPOD($session)
 {
     $nas = $session[0]['nas'];
     $username = $session[0]['login'];
     $session_id = str_replace('sid_', '', $session[0]['id']);
     $radport = 3799;
     $sharedsecret = 'brascoa';
     $res = radius_acct_open();
     radius_add_server($res, $nas, $radport, $sharedsecret, 3, 1);
     radius_create_request($res, RADIUS_DISCONNECT_REQUEST);
     // radius_put_string($res, RADIUS_NAS_IP_ADDRESS, 0);
     radius_put_string($res, RADIUS_USER_NAME, $username);
     radius_put_string($res, RADIUS_ACCT_SESSION_ID, $session_id);
     $reply = radius_send_request($res);
     switch ($reply) {
         case RADIUS_COA_ACK:
         case RADIUS_DISCONNECT_ACK:
             $result = "CoA-ACK\n";
             break;
         case RADIUS_COA_NAK:
         case RADIUS_DISCONNECT_NAK:
             $result = "CoA-NAK\n";
             break;
         default:
             return "Unsupported reply\n";
     }
     while ($resa = radius_get_attr($res)) {
         $data = $resa['data'];
         $value = radius_cvt_int($data);
         switch ($value) {
             case 401:
                 $result = "Unsupported Attribute\n";
                 break;
             case 402:
                 $result = "Missing Attribute\n";
                 break;
             case 403:
                 $result = "NAS Identification mismatch [{$nas}]\n";
                 break;
             case 404:
                 $result = "Invalid Request\n";
                 break;
             case 503:
                 $result = "Session context not found\n";
                 break;
             case 506:
                 $result = "Resources unavailable\n";
                 break;
             default:
                 $result = "Unsupported Error-Cause\n";
         }
     }
     radius_close($res);
     return $result;
 }
Example #2
0
 /**
  * Reads all received attributes after sending the request.
  *
  * This methods stores known attributes in the property attributes,
  * all attributes (including known attibutes) are stored in rawAttributes
  * or rawVendorAttributes.
  * NOTE: call this function also even if the request was rejected, because the
  * Server returns usualy an errormessage
  *
  * @access public
  * @return bool   true on success, false on error
  */
 function getAttributes()
 {
     while ($attrib = radius_get_attr($this->res)) {
         if (!is_array($attrib)) {
             return false;
         }
         $attr = $attrib['attr'];
         $data = $attrib['data'];
         $this->rawAttributes[$attr] = $data;
         switch ($attr) {
             case RADIUS_FRAMED_IP_ADDRESS:
                 $this->attributes['framed_ip'] = radius_cvt_addr($data);
                 break;
             case RADIUS_FRAMED_IP_NETMASK:
                 $this->attributes['framed_mask'] = radius_cvt_addr($data);
                 break;
             case RADIUS_FRAMED_MTU:
                 $this->attributes['framed_mtu'] = radius_cvt_int($data);
                 break;
             case RADIUS_FRAMED_COMPRESSION:
                 $this->attributes['framed_compression'] = radius_cvt_int($data);
                 break;
             case RADIUS_SESSION_TIMEOUT:
                 $this->attributes['session_timeout'] = radius_cvt_int($data);
                 break;
             case RADIUS_IDLE_TIMEOUT:
                 $this->attributes['idle_timeout'] = radius_cvt_int($data);
                 break;
             case RADIUS_SERVICE_TYPE:
                 $this->attributes['service_type'] = radius_cvt_int($data);
                 break;
             case RADIUS_CLASS:
                 $this->attributes['class'] = radius_cvt_string($data);
                 break;
             case RADIUS_FRAMED_PROTOCOL:
                 $this->attributes['framed_protocol'] = radius_cvt_int($data);
                 break;
             case RADIUS_FRAMED_ROUTING:
                 $this->attributes['framed_routing'] = radius_cvt_int($data);
                 break;
             case RADIUS_FILTER_ID:
                 $this->attributes['filter_id'] = radius_cvt_string($data);
                 break;
             case RADIUS_REPLY_MESSAGE:
                 $this->attributes['reply_message'] = radius_cvt_string($data);
                 break;
             case RADIUS_VENDOR_SPECIFIC:
                 $attribv = radius_get_vendor_attr($data);
                 if (!is_array($attribv)) {
                     return false;
                 }
                 $vendor = $attribv['vendor'];
                 $attrv = $attribv['attr'];
                 $datav = $attribv['data'];
                 $this->rawVendorAttributes[$vendor][$attrv] = $datav;
                 if ($vendor == RADIUS_VENDOR_MICROSOFT) {
                     switch ($attrv) {
                         case RADIUS_MICROSOFT_MS_CHAP2_SUCCESS:
                             $this->attributes['ms_chap2_success'] = radius_cvt_string($datav);
                             break;
                         case RADIUS_MICROSOFT_MS_CHAP_ERROR:
                             $this->attributes['ms_chap_error'] = radius_cvt_string(substr($datav, 1));
                             break;
                         case RADIUS_MICROSOFT_MS_CHAP_DOMAIN:
                             $this->attributes['ms_chap_domain'] = radius_cvt_string($datav);
                             break;
                         case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY:
                             $this->attributes['ms_mppe_encryption_policy'] = radius_cvt_int($datav);
                             break;
                         case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES:
                             $this->attributes['ms_mppe_encryption_types'] = radius_cvt_int($datav);
                             break;
                         case RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS:
                             $demangled = radius_demangle($this->res, $datav);
                             $this->attributes['ms_chap_mppe_lm_key'] = substr($demangled, 0, 8);
                             $this->attributes['ms_chap_mppe_nt_key'] = substr($demangled, 8, RADIUS_MPPE_KEY_LEN);
                             break;
                         case RADIUS_MICROSOFT_MS_MPPE_SEND_KEY:
                             $this->attributes['ms_chap_mppe_send_key'] = radius_demangle_mppe_key($this->res, $datav);
                             break;
                         case RADIUS_MICROSOFT_MS_MPPE_RECV_KEY:
                             $this->attributes['ms_chap_mppe_recv_key'] = radius_demangle_mppe_key($this->res, $datav);
                             break;
                         case RADIUS_MICROSOFT_MS_PRIMARY_DNS_SERVER:
                             $this->attributes['ms_primary_dns_server'] = radius_cvt_string($datav);
                             break;
                     }
                 }
                 break;
         }
     }
     return true;
 }
Example #3
0
 /**
  *	Validate login credentials
  *
  *	@param string $uname - The user name requesting access
  *	@param string $pass - Password to use (usually plain text)
  *	@param pointer &$newvals - pointer to array to accept other data read from database
  *	@param boolean $connect_only - TRUE to simply connect to the server
  *
  *	@return integer result (AUTH_xxxx)
  *
  *	On a successful login, &$newvals array is filled with the requested data from the server
  */
 function login($uname, $pass, &$newvals, $connect_only = FALSE)
 {
     // Create authentification request
     if (!radius_create_request($this->connection, RADIUS_ACCESS_REQUEST)) {
         $this->makeErrorText('RADIUS failed authentification request: ');
         return AUTH_NOCONNECT;
     }
     if (trim($pass) == '') {
         return AUTH_BADPASSWORD;
     }
     // Pick up a blank password - always expect one
     // Attach username and password
     if (!radius_put_attr($this->connection, RADIUS_USER_NAME, $uname) || !radius_put_attr($this->connection, RADIUS_USER_PASSWORD, $pass)) {
         $this->makeErrorText('RADIUS could not attach username/password: '******'CHAP not supported');
             return AUTH_NOUSER;
         case RADIUS_ACCESS_REJECT:
             // Specifically rejected
         // Specifically rejected
         default:
             // Catch-all
             $this->makeErrorText('RADIUS validation error: ');
             return AUTH_NOUSER;
     }
     // User accepted here.
     if ($connect_only) {
         return AUTH_SUCCESS;
     }
     return AUTH_SUCCESS;
     // Not interested in any attributes returned ATM, so done.
     // See if we get any attributes - not really any use to us unless we implement CHAP, so disabled ATM
     $attribs = array();
     while ($resa = radius_get_attr($this->connection)) {
         if (!is_array($resa)) {
             $this->makeErrorText("Error getting attribute: ");
             exit;
         }
         //			Decode attribute according to type (this isn't an exhaustive list)
         //		Codes: 2, 3, 4, 5, 30, 31, 32, 60, 61 should never be received by us
         //		Codes 17, 21 not assigned
         switch ($resa['attr']) {
             case 8:
                 // IP address to be set (255.255.255.254 indicates 'allocate your own address')
             // IP address to be set (255.255.255.254 indicates 'allocate your own address')
             case 9:
                 // Subnet mask
             // Subnet mask
             case 14:
                 // Login-IP host
                 $attribs[$resa['attr']] = radius_cvt_addr($resa['data']);
                 break;
             case 6:
                 // Service type  (integer bitmap)
             // Service type  (integer bitmap)
             case 7:
                 // Protocol (integer bitmap)
             // Protocol (integer bitmap)
             case 10:
                 // Routing method (integer)
             // Routing method (integer)
             case 12:
                 // Framed MTU
             // Framed MTU
             case 13:
                 // Compression method
             // Compression method
             case 15:
                 // Login service (bitmap)
             // Login service (bitmap)
             case 16:
                 // Login TCP port
             // Login TCP port
             case 23:
                 // Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
             // Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
             case 27:
                 // Session timeout - maximum connection/login time in seconds
             // Session timeout - maximum connection/login time in seconds
             case 28:
                 // Idle timeout in seconds
             // Idle timeout in seconds
             case 29:
                 // Termination action
             // Termination action
             case 37:
                 // AppleTalk link number
             // AppleTalk link number
             case 38:
                 // AppleTalk network
             // AppleTalk network
             case 62:
                 // Max ports
             // Max ports
             case 63:
                 // Login LAT port
                 $attribs[$resa['attr']] = radius_cvt_int($resa['data']);
                 break;
             case 1:
                 // User name
             // User name
             case 11:
                 // Filter ID - could get several of these
             // Filter ID - could get several of these
             case 18:
                 // Reply message (text, various purposes)
             // Reply message (text, various purposes)
             case 19:
                 // Callback number
             // Callback number
             case 20:
                 // Callback ID
             // Callback ID
             case 22:
                 // Framed route - could get several of these
             // Framed route - could get several of these
             case 24:
                 // State - used in CHAP
             // State - used in CHAP
             case 25:
                 // Class
             // Class
             case 26:
                 // Vendor-specific
             // Vendor-specific
             case 33:
                 // Proxy State
             // Proxy State
             case 34:
                 // Login LAT service
             // Login LAT service
             case 35:
                 // Login LAT node
             // Login LAT node
             case 36:
                 // Login LAT group
             // Login LAT group
             case 39:
                 // AppleTalk zone
             // AppleTalk zone
             default:
                 $attribs[$resa['attr']] = radius_cvt_string($resa['data']);
                 // Default to string type
         }
         printf("Got Attr: %d => %d Bytes %s\n", $resa['attr'], strlen($attribs[$resa['attr']]), $attribs[$resa['attr']]);
     }
     return AUTH_SUCCESS;
 }
Example #4
0
     printf("MS CHAPv2 success: %s<br>\n", $mschap2resp);
     break;
 case RADIUS_MICROSOFT_MS_CHAP_ERROR:
     $errormsg = radius_cvt_string(substr($datav, 1));
     echo "MS CHAP Error: {$errormsg}<br>\n";
     break;
 case RADIUS_MICROSOFT_MS_CHAP_DOMAIN:
     $domain = radius_cvt_string($datav);
     echo "MS CHAP Domain: {$domain}<br>\n";
     break;
 case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY:
     $policy = radius_cvt_int($datav);
     echo "MS MPPE Policy: {$policy}<br>\n";
     break;
 case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES:
     $type = radius_cvt_int($datav);
     echo "MS MPPE Type: {$type}<br>\n";
     break;
 case RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS:
     $demangled = radius_demangle($res, $datav);
     $lmkey = substr($demangled, 0, 8);
     $ntkey = substr($demangled, 8, RADIUS_MPPE_KEY_LEN);
     printf("MS MPPE Keys: LM-Key: %s NT-Key: %s<br>\n", bin2hex($lmkey), bin2hex($ntkey));
     break;
 case RADIUS_MICROSOFT_MS_MPPE_SEND_KEY:
     $demangled = radius_demangle_mppe_key($res, $datav);
     printf("MS MPPE Send Key: %s<br>\n", bin2hex($demangled));
     break;
 case RADIUS_MICROSOFT_MS_MPPE_RECV_KEY:
     $demangled = radius_demangle_mppe_key($res, $datav);
     printf("MS MPPE Send Key: %s<br>\n", bin2hex($demangled));
Example #5
0
 /**
  * authenticate user against radius
  * @param $username username to authenticate
  * @param $password user password
  * @return bool authentication status
  */
 public function authenticate($username, $password)
 {
     $this->lastAuthProperties = array();
     // reset auth properties
     $radius = radius_auth_open();
     $error = null;
     if (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) {
         $error = radius_strerror($radius);
     } elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
         $error = radius_strerror($radius);
     } else {
         // Implement extra protocols in this section.
         switch ($this->protocol) {
             case 'PAP':
                 // do PAP authentication
                 if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) {
                     $error = radius_strerror($radius);
                 }
                 break;
             default:
                 syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
                 return false;
         }
     }
     // log errors and perform actual authentication request
     if ($error != null) {
         syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
     } else {
         $request = radius_send_request($radius);
         if (!$radius) {
             syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
         } else {
             switch ($request) {
                 case RADIUS_ACCESS_ACCEPT:
                     while ($resa = radius_get_attr($radius)) {
                         switch ($resa['attr']) {
                             case RADIUS_SESSION_TIMEOUT:
                                 $this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']);
                                 break;
                             case 85:
                                 // Acct-Interim-Interval
                                 $this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']);
                                 break;
                             default:
                                 break;
                         }
                     }
                     return true;
                     break;
                 case RADIUS_ACCESS_REJECT:
                     return false;
                     break;
                 default:
                     // unexpected result, log
                     syslog(LOG_ERR, 'Radius unexpected response:' . $request);
             }
         }
     }
     return false;
 }