$authChallenge = GenerateChallenge(16); printf("Auth Challenge:%s\n", bin2hex($authChallenge)); if (!radius_put_vendor_attr($res, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $authChallenge)) { echo 'RadiusError: RADIUS_MICROSOFT_MS_CHAP_CHALLENGE:' . radius_strerror($res) . "<br>\n"; exit; } // we have no client, therefore we generate the Peer-Challenge $peerChallenge = GeneratePeerChallenge(); printf("Peer Challenge:%s\n", bin2hex($peerChallenge)); $ntresp = GenerateNTResponse($authChallenge, $peerChallenge, $username, $password); $reserved = str_repeat("", 8); printf("NT Response:%s\n", bin2hex($ntresp)); // Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response $resp = pack('CCa16a8a24', 1, 1, $peerChallenge, $reserved, $ntresp); printf("Response:%d %s\n", strlen($resp), bin2hex($resp)); if (!radius_put_vendor_attr($res, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp)) { echo 'RadiusError: RADIUS_MICROSOFT_MS_CHAP2_RESPONSE:' . radius_strerror($res) . "<br>\n"; exit; } } else { echo "PAP<br>\n"; if (!radius_put_string($res, RADIUS_USER_PASSWORD, "sepp")) { echo 'RadiusError:' . radius_strerror($res) . "<br>\n"; exit; } } } } if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit;
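/**
 * Puts a vendor-specific attribute into the current RADIUS request.
 *
 * The attribute type selects which radius_put_vendor_* function is used;
 * when no type is given it is derived from the PHP type of $value.
 *
 * @access public
 * @param integer $vendor Vendor id (Microsoft, Cisco, ...)
 * @param integer $attrib Vendor attribute number
 * @param mixed   $value  Attribute value
 * @param string  $type   Attribute type: 'integer', 'double', 'addr' or 'string'
 *                        (null = use gettype($value)); any other value is
 *                        treated as a raw string attribute
 * @return bool true on success, false on error
 */
function putVendorAttribute($vendor, $attrib, $value, $type = null)
{
    if ($type === null) {
        // Strict null check: an explicitly passed '' or 0 is not re-detected
        $type = gettype($value);
    }

    switch ($type) {
        case 'integer':
        case 'double':
            return radius_put_vendor_int($this->res, $vendor, $attrib, $value);
        case 'addr':
            return radius_put_vendor_addr($this->res, $vendor, $attrib, $value);
        case 'string':
        default:
            // Raw (binary-safe) attribute; also the fallback for unknown types
            return radius_put_vendor_attr($this->res, $vendor, $attrib, $value);
    }
}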
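/**
 * Check username and password against the RADIUS authentication backend.
 *
 * Builds an Access-Request that carries the credentials in the form selected
 * by $config['auth_radius_method'] ('chap'/'chap_md5', 'mschapv1', 'mschapv2';
 * anything else means PAP), adds the NAS attributes and sends it.
 * Only an Access-Accept counts as success: Access-Reject, Access-Challenge
 * (multi-round authentication is not supported here) and send failures all
 * yield 0. Callers should compare the result strictly (=== 1).
 *
 * @param string $username User name to check
 * @param string $password User password to check
 * @return int Authentication success (0 = fail, 1 = success) FIXME bool
 */
function radius_authenticate($username, $password)
{
    global $config, $rad;

    radius_init();

    if (!$username || !$rad) {
        // Nothing to ask the server without a user name or a RADIUS handle
        return 0;
    }

    radius_create_request($rad, RADIUS_ACCESS_REQUEST);
    radius_put_attr($rad, RADIUS_USER_NAME, $username);

    $chapid = 1; // CHAP identifier sent with every challenge/response pair
    $flags  = 1; // MS-CHAP flags: 0 = use LM-Response, 1 = use NT-Response (old LM never used)

    switch (strtolower($config['auth_radius_method'])) {
        // CHAP-MD5, see RFC 1994
        case 'chap':
        case 'chap_md5':
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MD5();
            $crpt->password = $password;
            $challenge = $crpt->challenge;
            // CHAP-Password = identifier byte followed by the MD5 challenge response
            $resp = pack('C', $chapid) . $crpt->challengeResponse();
            radius_put_attr($rad, RADIUS_CHAP_PASSWORD, $resp);
            radius_put_attr($rad, RADIUS_CHAP_CHALLENGE, $challenge);
            break;

        // MS-CHAPv1, see RFC 2433
        case 'mschapv1':
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MSv1();
            $crpt->password = $password;
            $challenge = $crpt->challenge;
            // MS-CHAP-Response: identifier, flags, 24-byte LM-Response field
            // (zero-filled because the NT-Response is used), 24-byte NT-Response.
            // str_repeat("\0", 24) — not str_repeat("", 24), which yields an empty
            // string and shortens the attribute by 24 bytes.
            $resp_lm = str_repeat("\0", 24);
            $resp_nt = $crpt->challengeResponse();
            $resp = pack('CC', $chapid, $flags) . $resp_lm . $resp_nt;
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
            break;

        // MS-CHAPv2, see RFC 2759
        case 'mschapv2':
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MSv2();
            $crpt->username = $username;
            $crpt->password = $password;
            $challenge   = $crpt->authChallenge;
            $challenge_p = $crpt->peerChallenge;
            $resp_nt     = $crpt->challengeResponse();
            // MS-CHAP2-Response: identifier, flags, 16-byte Peer-Challenge,
            // 8 reserved (zero) bytes, 24-byte NT-Response
            $resp = pack('CCa16a8a24', $chapid, $flags, $challenge_p, str_repeat("\0", 8), $resp_nt);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
            break;

        // PAP: the password travels in the User-Password attribute
        default:
            // NOTE(review): presumably the radius extension applies the RFC 2865
            // User-Password hiding with the shared secret — confirm
            radius_put_attr($rad, RADIUS_USER_PASSWORD, $password);
    }

    // NAS attributes: the configured NAS address when it is a valid IP,
    // otherwise the address this web server is listening on
    $radius_ip = get_ip_version($config['auth_radius_nas_address']) ? $config['auth_radius_nas_address'] : $_SERVER['SERVER_ADDR'];
    if (get_ip_version($radius_ip) == 6) {
        // NAS-IPv6-Address carries the 16-octet binary form (RFC 3162), not the
        // textual address; fall back to the text only if packing fails.
        // FIXME, not sure that this work correctly
        $packed = inet_pton($radius_ip);
        radius_put_attr($rad, RADIUS_NAS_IPV6_ADDRESS, $packed !== false ? $packed : $radius_ip);
    } else {
        radius_put_addr($rad, RADIUS_NAS_IP_ADDRESS, $radius_ip);
    }

    $radius_id = empty($config['auth_radius_id']) ? get_localhost() : $config['auth_radius_id'];
    radius_put_attr($rad, RADIUS_NAS_IDENTIFIER, $radius_id);

    // Calling-Station-Id: address of the HTTP client (127.0.0.1 when no web server is involved)
    radius_put_attr($rad, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1');

    $response = radius_send_request($rad);

    switch ($response) {
        case RADIUS_ACCESS_ACCEPT:
            // The RADIUS server authenticated the user
            return 1;
        case RADIUS_ACCESS_REJECT:
            // The RADIUS server could not authenticate the user
            break;
        case RADIUS_ACCESS_CHALLENGE:
            // The server requires further information in another Access-Request;
            // this function does not continue the exchange, so it counts as failure
            break;
        default:
            // radius_send_request() failed or returned an unexpected code;
            // radius_strerror() has the detail
            print_error('A RADIUS error has occurred: ' . radius_strerror($rad));
    }

    return 0;
}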