Example #1
    exit;
}
// Acct-Authentic tells the accounting server how the user was authenticated:
// RADIUS_AUTH_RADIUS => authenticated via Radius
// RADIUS_AUTH_LOCAL => authenticated local
// RADIUS_AUTH_REMOTE => authenticated remote
if (!radius_put_int($res, RADIUS_ACCT_AUTHENTIC, RADIUS_AUTH_LOCAL)) {
    // NOTE(review): the library's error text is echoed into the page; in a
    // deployed application this belongs in a server-side log instead.
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
// Presumably stands in for session activity so that the elapsed time
// computed below is non-zero; $starttime is set outside this excerpt.
sleep(3);
// if RADIUS_ACCT_STATUS_TYPE == RADIUS_STOP
// (the two attributes below describe the end of a session)
if (!radius_put_int($res, RADIUS_ACCT_TERMINATE_CAUSE, RADIUS_TERM_USER_REQUEST)) {
    echo 'RadiusError2:' . radius_strerror($res) . "\n<br>";
    exit;
}
// Acct-Session-Time: seconds elapsed since $starttime.
if (!radius_put_int($res, RADIUS_ACCT_SESSION_TIME, time() - $starttime)) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
// endif
// Send the assembled request; a falsy result means the exchange failed,
// otherwise $req holds the response type examined by the switch below.
$req = radius_send_request($res);
if (!$req) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
switch ($req) {
    case RADIUS_ACCOUNTING_RESPONSE:
        echo "Radius Accounting response<br>\n";
        break;
    default:
        echo "Unexpected return value:{$req}\n<br>";
Example #2
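 /**
  * Authenticates the configured user through the RADIUS adapter (PAP).
  *
  * Builds an Access-Request carrying User-Name, User-Password and a
  * Service-Type of Authenticate-Only, sends it, and reports whether the
  * server replied with Access-Accept. The handle is kept in $this->resource.
  *
  * @return boolean true only when the server answers Access-Accept; false for
  *                 any other reply or a failed exchange
  * @throws KumbiaException when the handle cannot be created or the request
  *                         cannot be assembled
  */
 public function authenticate()
 {
     $radius = radius_auth_open();
     if (!$radius) {
         throw new KumbiaException("No se pudo crear el autenticador de Radius");
     }
     if (!radius_add_server($radius, $this->server, $this->port, $this->secret, $this->timeout, $this->max_retries)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     if (!radius_put_string($radius, RADIUS_USER_NAME, $this->username)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     // PAP: User-Password is only obscured with a keystream derived from the
     // shared secret, so the secret has to be strong and the path to the
     // server trusted.
     if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $this->password)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     // RADIUS_AUTHENTICATE_ONLY is a Service-Type *value*, not an attribute
     // number. Using it as the attribute wrote an unrelated attribute into the
     // request; the service type is what was meant.
     if (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_AUTHENTICATE_ONLY)) {
         throw new KumbiaException(radius_strerror($radius));
     }
     $this->resource = $radius;
     // Strict comparison: a failed send returns false and must never be
     // mistaken for an accept.
     return radius_send_request($radius) === RADIUS_ACCESS_ACCEPT;
 }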
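 /**
  * Configures the RADIUS handle and fills in an Access-Request for a login.
  *
  * Adds the configured server, then NAS-Identifier, Service-Type,
  * Framed-Protocol, Calling-Station-Id, User-Name and either a CHAP or a PAP
  * credential, depending on $this->radiusAuthType. The request is not sent
  * here.
  *
  * @param resource $res   RADIUS handle to populate
  * @param string   $login user name
  * @param string   $pass  clear-text password
  * @param mixed    $seed  not used by this method
  * @return bool true when every attribute was added, false on the first failure
  */
 public function prepareRequest($res, $login, $pass, $seed)
 {
     if (!radius_add_server($res, $this->radiusServer, $this->radiusPort, $this->radiusSecret, 3, 3)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not add server (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not create request (" . radius_strerror($res) . ")");
         return false;
     }
     // NOTE(review): depending on web-server configuration SERVER_NAME can
     // mirror the client's Host header; a fixed configured identifier is safer
     // if the RADIUS server applies policy per NAS-Identifier.
     if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 'localhost')) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for nas_identifier (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for service_type (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for framed_protocol (" . radius_strerror($res) . ")");
         return false;
     }
     // The former trailing "== -1" was applied to the negated result and had
     // no effect on the outcome; the plain failure test is what was intended.
     if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1')) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for calling_station_id (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for user name (" . radius_strerror($res) . ")");
         return false;
     }
     if ($this->radiusAuthType == 'chap') {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using CHAP.");
         // The challenge must be unpredictable. Seeding the generator with
         // time() made it guessable and also reseeded mt_rand() for the rest
         // of the process, so the reseed is gone and a CSPRNG is used when the
         // runtime provides one.
         $chall = function_exists('random_bytes') ? random_bytes(16) : (string) mt_rand();
         // CHAP response: MD5 over identifier (1), password and challenge.
         $chapval = pack('H*', md5(pack('Ca*', 1, $pass . $chall)));
         $pass = pack('C', 1) . $chapval;
         if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $pass)) {
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap password (" . radius_strerror($res) . ")");
             return false;
         }
         if (!radius_put_attr($res, RADIUS_CHAP_CHALLENGE, $chall)) {
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap callenge (" . radius_strerror($res) . ")");
             return false;
         }
     } else {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using PAP.");
         if (!radius_put_string($res, RADIUS_USER_PASSWORD, $pass)) {
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for pap password (" . radius_strerror($res) . ")");
             return false;
         }
     }
     // Service-Type and Framed-Protocol are added a second time here, as in
     // the original; left unchanged so the packet layout stays the same.
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second service type (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second framed protocol (" . radius_strerror($res) . ")");
         return false;
     }
     // Every failure path returns false, so success is reported explicitly
     // instead of falling off the end with null.
     return true;
 }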
Example #4
 /**
  * Adds one attribute to the current request, choosing the writer by type.
  *
  * When no type is given it is derived from the value with gettype().
  * 'integer' and 'double' go through the integer writer, 'addr' through the
  * address writer, and everything else is written as a raw attribute.
  *
  * @access public
  * @param  integer $attrib       Attribute-number
  * @param  mixed   $value        Attribute-value
  * @param  string  $type         Attribute-type ('integer', 'double', 'addr', 'string'); optional
  * @return bool  true on success, false on error
  */
 function putAttribute($attrib, $value, $type = null)
 {
     // Loose comparisons are kept on purpose: they match the original
     // switch-based dispatch exactly.
     $kind = $type == null ? gettype($value) : $type;
     if ($kind == 'integer' || $kind == 'double') {
         return radius_put_int($this->res, $attrib, $value);
     }
     if ($kind == 'addr') {
         return radius_put_addr($this->res, $attrib, $value);
     }
     // 'string' and any unrecognised type are written as raw attribute data.
     return radius_put_attr($this->res, $attrib, $value);
 }
Example #5
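 /**
  * Authenticates a login/password pair against the configured RADIUS server
  * and, on Access-Accept, registers the account via storeExternalUser().
  *
  * @param string $login    user name, sent as User-Name
  * @param string $password password, sent as User-Password (PAP)
  * @return mixed whatever storeExternalUser() returns on Access-Accept,
  *               false for a reject, an unknown reply or any failure
  */
 function authExternalUser($login, $password)
 {
     $res = radius_auth_open();
     if (!$res) {
         // Without a handle every later radius_* call would be given false.
         debug("RadiusError: could not create RADIUS handle\n", 'auth');
         return false;
     }
     if (!radius_add_server($res, $this->config['radius_server'], $this->config['radius_port'], $this->config['sharedsecret'], 3, 3)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     // NOTE(review): HTTP_HOST is taken from the client's request header, so
     // the NAS-Identifier is client-influenced; prefer a configured value if
     // the RADIUS server keys policy on it.
     if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost')) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     // The former trailing "== -1" was applied to the negated result and did
     // not change the outcome; the plain failure test is what was intended.
     if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1')) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     // Send User-Password for every non-empty value. The previous truthiness
     // test silently dropped the password "0".
     // NOTE(review): an empty password still yields a request without any
     // credential attribute, so the result depends on the server rejecting
     // it; returning false here would fail closed — confirm no caller relies
     // on the current behaviour.
     if (is_scalar($password) && (string) $password !== '') {
         if (!radius_put_string($res, RADIUS_USER_PASSWORD, $password)) {
             debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
             return false;
         }
     }
     // Service-Type and Framed-Protocol are added a second time, as in the
     // original; left unchanged so the packet layout stays the same.
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     $req = radius_send_request($res);
     if (!$req) {
         debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
         return false;
     }
     $user = false;
     switch ($req) {
         case RADIUS_ACCESS_ACCEPT:
             // Placeholder values are stored as the local password fields;
             // what storeExternalUser() does with them is not visible here.
             $userData = array();
             $userData["name"] = $login;
             $userData["newpass1"] = '!';
             $userData["newpass2"] = '!';
             $user = $this->storeExternalUser($login, $userData);
             break;
         case RADIUS_ACCESS_REJECT:
             debug("RadiusError: Radius Request rejected\n", 'auth');
             break;
         default:
             // Anything else (for example a challenge) is treated as failure.
             debug("RadiusError: Unknown answer\n", 'auth');
     }
     return $user;
 }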
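 /**
  * This is the main authentication function of the plugin. Given both the
  * username and password it will make use of the options set to authenticate
  * against the configured RADIUS servers.
  *
  * The value sent as User-Password is the password, optionally followed by
  * the configured separator and the one-time password from $_POST['otp'].
  *
  * @param mixed  $user     result of earlier handlers; returned unchanged if
  *                         it is already a WP_User
  * @param string $username submitted login name
  * @param string $password submitted password
  * @return mixed WP_User on Access-Accept, an error object from
  *               self::wp_error() on failure, or null to let other
  *               handlers decide
  */
 function checkLogin($user, $username, $password)
 {
     if (is_a($user, 'WP_User')) {
         return $user;
     }
     if (empty($username)) {
         return self::wp_error('empty_username', __('The username field is empty.'));
     }
     if (empty($password)) {
         return self::wp_error('empty_password', __('The password field is empty.'));
     }
     $opts = TwoFactorRadiusAuth::getOptions();
     // skip radius for user
     // Exact, type-strict match only: a loose search treats numeric-looking
     // names as equal, and a missing or non-array option used to be hidden by
     // "@" and could be read as "skip", bypassing the RADIUS check.
     $skipUsers = isset($opts['skip_users']) && is_array($opts['skip_users']) ? $opts['skip_users'] : array();
     if (in_array($username, $skipUsers, true)) {
         return null;
     }
     remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
     $userdata = get_user_by('login', $username);
     if (!$userdata) {
         return self::wp_error('invalid_username', __('Invalid username.'));
     }
     if (is_multisite()) {
         // Is user marked as spam?
         if (1 == $userdata->spam) {
             return self::wp_error('invalid_username', __('Your account has been marked as a spammer.'));
         }
         // Is a user's blog marked as spam?
         if (!is_super_admin($userdata->ID) && isset($userdata->primary_blog)) {
             $details = get_blog_details($userdata->primary_blog);
             if (is_object($details) && $details->spam == 1) {
                 return self::wp_error('blog_suspended', __('Site Suspended.'));
             }
         }
     }
     // The OTP field may be absent or malformed (e.g. submitted as an array);
     // treat both as "no OTP" rather than passing them to trim().
     $OTP = isset($_POST['otp']) && is_string($_POST['otp']) ? trim($_POST['otp']) : '';
     $radiuspass = $password;
     if ($OTP !== '') {
         $radiuspass = $password . $opts['pwd_otp_sep'] . $OTP;
     }
     if (!function_exists('radius_auth_open')) {
         return self::wp_error('missing_php_radius', 'Missing php-radius');
     }
     if (!TwoFactorRadiusAuth::isConfigured()) {
         return self::wp_error('missing_plugin_settings', __('Missing auth server settings'));
     }
     $reply_message = '';
     try {
         $rad = radius_auth_open();
         if (!$rad) {
             throw new Exception('Could not create RADIUS handle');
         }
         if (!radius_add_server($rad, $opts['s1_host'], $opts['s1_port'], $opts['s1_secr'], $opts['timeout'], $opts['max_tries'])) {
             throw new Exception(radius_strerror($rad));
         }
         // Optional second server, used only when fully configured.
         if (!empty($opts['s2_host']) && !empty($opts['s2_port']) && !empty($opts['s2_secr'])) {
             if (!radius_add_server($rad, $opts['s2_host'], $opts['s2_port'], $opts['s2_secr'], $opts['timeout'], $opts['max_tries'])) {
                 throw new Exception(radius_strerror($rad));
             }
         }
         if (!radius_create_request($rad, RADIUS_ACCESS_REQUEST)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_string($rad, RADIUS_NAS_IDENTIFIER, '1')) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
             throw new Exception(radius_strerror($rad));
         }
         // $REMOTE_HOST was never defined in this scope, so the station was
         // always 127.0.0.1; report the connecting address so the RADIUS
         // server's records identify the client.
         $station = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1';
         if (!radius_put_string($rad, RADIUS_CALLING_STATION_ID, $station)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_string($rad, RADIUS_USER_NAME, $username)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_string($rad, RADIUS_USER_PASSWORD, $radiuspass)) {
             throw new Exception(radius_strerror($rad));
         }
         // Service-Type and Framed-Protocol are added a second time, as in
         // the original; left unchanged so the packet layout stays the same.
         if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
             throw new Exception(radius_strerror($rad));
         }
         if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
             throw new Exception(radius_strerror($rad));
         }
         $res = radius_send_request($rad);
         if (!$res) {
             throw new Exception(radius_strerror($rad));
         }
         // Stop on anything that is not an attribute array, so an error code
         // from the parser cannot keep the loop running.
         while (is_array($rattr = radius_get_attr($rad))) {
             // 18 = Reply-Message
             if ($rattr['attr'] == 18) {
                 $reply_message = $rattr['data'];
                 break;
             }
         }
     } catch (Exception $exp) {
         // NOTE(review): the library's error text is returned to the login
         // form; consider logging it and showing a generic message.
         return self::wp_error('radius_error', $exp->getMessage());
     }
     switch ($res) {
         case RADIUS_ACCESS_ACCEPT:
             // Only the in-memory object is changed here; nothing in this
             // function writes the hash back.
             $userdata->user_pass = wp_hash_password($password);
             return new WP_User($userdata->ID);
         case RADIUS_ACCESS_REJECT:
             switch ($reply_message) {
                 case 'LDAP USER NOT FOUND':
                     // With use_wp_auth enabled, accounts unknown to the
                     // RADIUS backend fall back to the regular password
                     // check, i.e. they log in without an OTP.
                     if ($opts['use_wp_auth'] == 'on') {
                         add_filter('authenticate', 'wp_authenticate_username_password', 10, 3);
                         return null;
                     } else {
                         return self::wp_error('invalid_username', __('Unknown user'));
                     }
                 case 'INVALID OTP':
                 default:
                     return self::wp_error('incorrect_password', __('Wrong password/OTP'));
             }
         default:
             // Any other reply type (e.g. a challenge) is denied.
             return self::wp_error('denied', __('Unknown error'));
     }
 }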
Example #7
                exit;
            }
        } else {
            echo "PAP<br>\n";
            if (!radius_put_string($res, RADIUS_USER_PASSWORD, "sepp")) {
                echo 'RadiusError:' . radius_strerror($res) . "<br>\n";
                exit;
            }
        }
    }
}
// Add Service-Type = Framed to the request; a falsy return means the
// attribute could not be added.
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
    // NOTE(review): the library's error text is echoed into the page; in a
    // deployed application this belongs in a server-side log instead.
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
// Add Framed-Protocol = PPP.
if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
// Send the assembled request; a falsy result means the exchange failed,
// otherwise $req holds the response type examined by the switch below.
$req = radius_send_request($res);
if (!$req) {
    echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
    exit;
}
switch ($req) {
    case RADIUS_ACCESS_ACCEPT:
        echo "Radius Request accepted<br>\n";
        break;
    case RADIUS_ACCESS_REJECT:
        echo "Radius Request rejected<br>\n";
        break;
Example #8
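 /**
  * authenticate user against radius
  *
  * Builds an Access-Request for the configured protocol, sends it and, on
  * Access-Accept, records Session-Timeout and Acct-Interim-Interval from the
  * reply in $this->lastAuthProperties. Failures are written to syslog.
  *
  * @param $username username to authenticate
  * @param $password user password
  * @return bool authentication status, true only on Access-Accept
  */
 public function authenticate($username, $password)
 {
     $this->lastAuthProperties = array();
     // reset auth properties
     $radius = radius_auth_open();
     $error = null;
     if (!$radius) {
         // No handle: nothing below can work, and there is no handle to ask
         // for an error string.
         $error = 'could not create RADIUS handle';
     } elseif (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) {
         $error = radius_strerror($radius);
     } elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
         // NOTE(review): RADIUS_ETHERNET looks like a NAS-Port-Type value
         // rather than a Framed-Protocol one — confirm this is intended.
         $error = radius_strerror($radius);
     } elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
         $error = radius_strerror($radius);
     } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
         $error = radius_strerror($radius);
     } else {
         // Implement extra protocols in this section.
         switch ($this->protocol) {
             case 'PAP':
                 // do PAP authentication
                 if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) {
                     $error = radius_strerror($radius);
                 }
                 break;
             default:
                 syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
                 return false;
         }
     }
     // log errors and perform actual authentication request
     if ($error !== null) {
         // $error already holds the message text; it is not a handle and
         // must not be passed back to radius_strerror().
         syslog(LOG_ERR, 'RadiusError:' . $error);
     } else {
         $request = radius_send_request($radius);
         if (!$request) {
             // Test the send result, not the handle: a failed exchange used
             // to fall through to the "unexpected response" branch.
             syslog(LOG_ERR, 'RadiusError:' . radius_strerror($radius));
         } else {
             switch ($request) {
                 case RADIUS_ACCESS_ACCEPT:
                     // Stop on anything that is not an attribute array, so an
                     // error code from the parser cannot keep the loop running.
                     while (is_array($resa = radius_get_attr($radius))) {
                         switch ($resa['attr']) {
                             case RADIUS_SESSION_TIMEOUT:
                                 $this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']);
                                 break;
                             case 85:
                                 // Acct-Interim-Interval
                                 $this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']);
                                 break;
                             default:
                                 break;
                         }
                     }
                     return true;
                 case RADIUS_ACCESS_REJECT:
                     return false;
                 default:
                     // unexpected result, log
                     syslog(LOG_ERR, 'Radius unexpected response:' . $request);
             }
         }
     }
     // Every path that is not an explicit Access-Accept ends here.
     return false;
 }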