function login($username, $password)
{
$radius = radius_auth_open();
if (!radius_add_server($radius, RADIUS_HOST, RADIUS_PORT, RADIUS_SECRET, RADIUS_TIMEOUT, RADIUS_MAXTRIES)) {
die('Radius Error: ' . radius_strerror($radius));
}
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
die('Radius Error: ' . radius_strerror($radius));
}
radius_put_attr($radius, RADIUS_USER_NAME, $username);
radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, RADIUS_IDENTIFIER);
$response = radius_send_request($radius);
if ($response == RADIUS_ACCESS_ACCEPT) {
$_SESSION['loggedin'] = $username;
$_SESSION['userlevel'] = RADIUS_USERLEVEL;
//User level set in settings.php
return true;
} else {
if ($response == RADIUS_ACCESS_CHALLENGE) {
//Challenge
return false;
}
}
return false;
}
private function _sendPOD($session)
{
$nas = $session[0]['nas'];
$username = $session[0]['login'];
$session_id = str_replace('sid_', '', $session[0]['id']);
$radport = 3799;
$sharedsecret = 'brascoa';
$res = radius_acct_open();
radius_add_server($res, $nas, $radport, $sharedsecret, 3, 1);
radius_create_request($res, RADIUS_DISCONNECT_REQUEST);
// radius_put_string($res, RADIUS_NAS_IP_ADDRESS, 0);
radius_put_string($res, RADIUS_USER_NAME, $username);
radius_put_string($res, RADIUS_ACCT_SESSION_ID, $session_id);
$reply = radius_send_request($res);
switch ($reply) {
case RADIUS_COA_ACK:
case RADIUS_DISCONNECT_ACK:
$result = "CoA-ACK\n";
break;
case RADIUS_COA_NAK:
case RADIUS_DISCONNECT_NAK:
$result = "CoA-NAK\n";
break;
default:
return "Unsupported reply\n";
}
while ($resa = radius_get_attr($res)) {
$data = $resa['data'];
$value = radius_cvt_int($data);
switch ($value) {
case 401:
$result = "Unsupported Attribute\n";
break;
case 402:
$result = "Missing Attribute\n";
break;
case 403:
$result = "NAS Identification mismatch [{$nas}]\n";
break;
case 404:
$result = "Invalid Request\n";
break;
case 503:
$result = "Session context not found\n";
break;
case 506:
$result = "Resources unavailable\n";
break;
default:
$result = "Unsupported Error-Cause\n";
}
}
radius_close($res);
return $result;
}
public function prepareRequest($res, $login, $pass, $seed)
{
if (!radius_add_server($res, $this->radiusServer, $this->radiusPort, $this->radiusSecret, 3, 3)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not add server (" . radius_strerror($res) . ")");
return false;
}
if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not create request (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 'localhost')) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for nas_identifier (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for service_type (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for framed_protocol (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1') == -1) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for calling_station_id (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for user name (" . radius_strerror($res) . ")");
return false;
}
if ($this->radiusAuthType == 'chap') {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using CHAP.");
mt_srand(time());
$chall = mt_rand();
$chapval = pack('H*', md5(pack('Ca*', 1, $pass . $chall)));
$pass = pack('C', 1) . $chapval;
if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $pass)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap password (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_attr($res, RADIUS_CHAP_CHALLENGE, $chall)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap callenge (" . radius_strerror($res) . ")");
return false;
}
} else {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using PAP.");
if (!radius_put_string($res, RADIUS_USER_PASSWORD, $pass)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for pap password (" . radius_strerror($res) . ")");
return false;
}
}
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second service type (" . radius_strerror($res) . ")");
return false;
}
if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second framed protocol (" . radius_strerror($res) . ")");
return false;
}
}
function radius_init()
{
global $rad, $config;
if (!is_resource($rad)) {
$success = 0;
$rad = radius_auth_open();
foreach ($config['auth_radius_server'] as $server) {
if (radius_add_server($rad, $server, $config['auth_radius_port'], $config['auth_radius_secret'], $config['auth_radius_timeout'], $config['auth_radius_retries'])) {
$success = 1;
}
}
if (!$success) {
print_error("致命错误: 无法连接到配置RADIUS服务器.");
session_logout();
exit;
}
}
}
function radius_init()
{
global $rad, $config;
if (!is_resource($rad)) {
$success = 0;
$rad = radius_auth_open();
foreach ($config['auth_radius_server'] as $server) {
if (radius_add_server($rad, $server, $config['auth_radius_port'], $config['auth_radius_secret'], $config['auth_radius_timeout'], $config['auth_radius_retries'])) {
$success = 1;
}
}
if (!$success) {
print_error("Fatal error: Could not connect to configured RADIUS server(s).");
session_logout();
exit;
}
}
}
# PAM code by Owen Brotherhood & Bruberg
if (!extension_loaded('pam_auth')) {
dl('pam_auth.so');
}
# dl removed in PHP5.3?
$uok = pam_auth($user, $_POST['pass']);
$query = GenQuery('users', 's', '*', '', '', array('usrname'), array('='), array($user));
$res = DbQuery($query, $link);
} elseif (strstr($guiauth, 'radius') && $user != "admin") {
# Radius code by Till Elsner
$radres = radius_auth_open();
if (!$radres) {
$raderr = "Error while preparing RADIUS authentication: " . radius_strerror($radres);
}
foreach ($radsrv as $rs) {
if (!radius_add_server($radres, $rs[0], $rs[1], $rs[2], $rs[3], $rs[4])) {
echo "<h4>RADIUS: " . radius_strerror($radres) . "</h4>";
}
}
if (!radius_create_request($radres, RADIUS_ACCESS_REQUEST)) {
$raderr = "RADIUS create: " . radius_strerror($radres);
}
if (!(radius_put_string($radres, RADIUS_USER_NAME, $user) && radius_put_string($radres, RADIUS_USER_PASSWORD, $_POST['pass']) && radius_put_string($radres, RADIUS_CALLING_STATION_ID, $_SERVER['REMOTE_ADDR']) && radius_put_addr($radres, RADIUS_NAS_IP_ADDRESS, $_SERVER['SERVER_ADDR']))) {
$raderr = "RADIUS put: " . radius_strerror($radres);
}
$radauth = radius_send_request($radres);
if (!$radauth) {
$raderr = "RADIUS send: " . radius_strerror($radres);
} else {
switch ($radauth) {
case RADIUS_ACCESS_ACCEPT:
/**
* Attempt to log in using the given username and password.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return array Associative array with the user's attributes.
*/
protected function login($username, $password)
{
assert('is_string($username)');
assert('is_string($password)');
$radius = radius_auth_open();
/* Try to add all radius servers, trigger a failure if no one works. */
$success = false;
foreach ($this->servers as $server) {
if (!isset($server['port'])) {
$server['port'] = 1812;
}
if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], $this->timeout, $this->retries)) {
SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
continue;
}
$success = true;
}
if (!$success) {
throw new Exception('Error adding radius servers, no servers available');
}
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
throw new Exception('Error creating radius request: ' . radius_strerror($radius));
}
if ($this->realm === null) {
radius_put_attr($radius, RADIUS_USER_NAME, $username);
} else {
radius_put_attr($radius, RADIUS_USER_NAME, $username . '@' . $this->realm);
}
radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
if ($this->nasIdentifier !== null) {
radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
}
$res = radius_send_request($radius);
if ($res != RADIUS_ACCESS_ACCEPT) {
switch ($res) {
case RADIUS_ACCESS_REJECT:
/* Invalid username or password. */
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
case RADIUS_ACCESS_CHALLENGE:
throw new Exception('Radius authentication error: Challenge requested, but not supported.');
default:
throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
}
}
/* If we get this far, we have a valid login. */
$attributes = array();
if ($this->usernameAttribute !== null) {
$attributes[$this->usernameAttribute] = array($username);
}
if ($this->vendor === null) {
/*
* We aren't interested in any vendor-specific attributes. We are
* therefore done now.
*/
return $attributes;
}
/* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
while ($resa = radius_get_attr($radius)) {
if (!is_array($resa)) {
throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
}
/* Use the received user name */
if ($resa['attr'] == RADIUS_USER_NAME) {
$attributes[$this->usernameAttribute] = array($resa['data']);
continue;
}
if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
continue;
}
$resv = radius_get_vendor_attr($resa['data']);
if (!is_array($resv)) {
throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
}
$vendor = $resv['vendor'];
$attrv = $resv['attr'];
$datav = $resv['data'];
if ($vendor != $this->vendor || $attrv != $this->vendorType) {
continue;
}
$attrib_name = strtok($datav, '=');
$attrib_value = strtok('=');
/* if the attribute name is already in result set,
add another value */
if (array_key_exists($attrib_name, $attributes)) {
$attributes[$attrib_name][] = $attrib_value;
} else {
$attributes[$attrib_name] = array($attrib_value);
}
}
/* end of contribution */
return $attributes;
}
/**
* Autentica un usuario usando el adaptador
*
* @return boolean
*/
public function authenticate()
{
$radius = radius_auth_open();
if (!$radius) {
throw new KumbiaException("No se pudo crear el autenticador de Radius");
}
if (!radius_add_server($radius, $this->server, $this->port, $this->secret, $this->timeout, $this->max_retries)) {
throw new KumbiaException(radius_strerror($radius));
}
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
throw new KumbiaException(radius_strerror($radius));
}
if (!radius_put_string($radius, RADIUS_USER_NAME, $this->username)) {
throw new KumbiaException(radius_strerror($radius));
}
if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $this->password)) {
throw new KumbiaException(radius_strerror($radius));
}
if (!radius_put_int($radius, RADIUS_AUTHENTICATE_ONLY, 1)) {
throw new KumbiaException(radius_strerror($radius));
}
$this->resource = $radius;
if (radius_send_request($radius) == RADIUS_ACCESS_ACCEPT) {
return true;
} else {
return false;
}
}
/**
* Configures the radius library.
*
* @access public
* @param string $servername Servername or IP-Address
* @param integer $port Portnumber
* @param string $sharedSecret Shared secret
* @param integer $timeout Timeout for each request
* @param integer $maxtries Max. retries for each request
* @return bool true on success, false on error
* @see addServer()
*/
function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 3, $maxtries = 3)
{
if (!radius_add_server($this->res, $servername, $port, $sharedsecret, $timeout, $maxtries)) {
return false;
}
return true;
}
/**
* Try to connect to a radius server
*
* @return boolean TRUE for success, FALSE for failure
*/
function connect()
{
if (!($this->connection = radius_auth_open())) {
$this->makeErrorText('RADIUS open failed: ');
return FALSE;
}
foreach ($this->server as $k => $s) {
if (!radius_add_server($this->connection, $s, $this->port, $this->secret[$k], 15, 1)) {
$this->makeErrorText('RADIUS add server failed: ');
return FALSE;
}
}
return TRUE;
}
/**
* Find out if a set of login credentials are valid.
*
* @param string $username The userId to check.
* @param array $credentials An array of login credentials.
* For radius, this must contain a password
* entry.
*
* @throws Horde_Auth_Exception
*/
protected function _authenticate($username, $credentials)
{
/* Password is required. */
if (!isset($credentials['password'])) {
throw new Horde_Auth_Exception('Password required for RADIUS authentication.');
}
$res = radius_auth_open();
radius_add_server($res, $this->_params['host'], $this->_params['port'], $this->_params['secret'], $this->_params['timeout'], $this->_params['retries']);
radius_create_request($res, RADIUS_ACCESS_REQUEST);
radius_put_attr($res, RADIUS_NAS_IDENTIFIER, $this->_params['nas']);
radius_put_attr($res, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
radius_put_attr($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
radius_put_attr($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
radius_put_attr($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1');
/* Insert username/password into request. */
radius_put_attr($res, RADIUS_USER_NAME, $username);
radius_put_attr($res, RADIUS_USER_PASSWORD, $credentials['password']);
/* Send request. */
$success = radius_send_request($res);
switch ($success) {
case RADIUS_ACCESS_ACCEPT:
break;
case RADIUS_ACCESS_REJECT:
throw new Horde_Auth_Exception('Authentication rejected by RADIUS server.');
default:
throw new Horde_Auth_Exception(radius_strerror($res));
}
}
/**
* This is the main authentication function of the plugin. Given both the
* username and password it will make use of the options set to authenticate
* against the configured RADIUS servers.
*/
function checkLogin($user, $username, $password)
{
if (is_a($user, 'WP_User')) {
return $user;
}
if (empty($username)) {
return self::wp_error('empty_username', __('The username field is empty.'));
}
if (empty($password)) {
return self::wp_error('empty_password', __('The password field is empty.'));
}
$opts = TwoFactorRadiusAuth::getOptions();
// skip radius for user
if (@array_search($username, $opts['skip_users']) !== false) {
return;
}
remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
$userdata = get_user_by('login', $username);
if (!$userdata) {
return self::wp_error('invalid_username', __('Invalid username.'));
}
if (is_multisite()) {
// Is user marked as spam?
if (1 == $userdata->spam) {
return self::wp_error('invalid_username', __('Your account has been marked as a spammer.'));
}
// Is a user's blog marked as spam?
if (!is_super_admin($userdata->ID) && isset($userdata->primary_blog)) {
$details = get_blog_details($userdata->primary_blog);
if (is_object($details) && $details->spam == 1) {
return self::wp_error('blog_suspended', __('Site Suspended.'));
}
}
}
$OTP = trim($_POST['otp']);
$radiuspass = $password;
if (!empty($OTP)) {
$radiuspass = $password . $opts['pwd_otp_sep'] . $OTP;
}
if (!function_exists('radius_auth_open')) {
return self::wp_error('missing_php_radius', 'Missing php-radius');
}
if (!TwoFactorRadiusAuth::isConfigured()) {
return self::wp_error('missing_plugin_settings', __('Missing auth server settings'));
}
$reply_message = '';
try {
$rad = radius_auth_open();
if (!radius_add_server($rad, $opts['s1_host'], $opts['s1_port'], $opts['s1_secr'], $opts['timeout'], $opts['max_tries'])) {
throw new Exception(radius_strerror($rad));
}
if (!empty($opts['s2_host']) && !empty($opts['s2_port']) && !empty($opts['s2_secr'])) {
if (!radius_add_server($rad, $opts['s2_host'], $opts['s2_port'], $opts['s2_secr'], $opts['timeout'], $opts['max_tries'])) {
throw new Exception(radius_strerror($rad));
}
}
if (!radius_create_request($rad, RADIUS_ACCESS_REQUEST)) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_string($rad, RADIUS_NAS_IDENTIFIER, '1')) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
throw new Exception(radius_strerror($rad));
}
$station = isset($REMOTE_HOST) ? $REMOTE_HOST : '127.0.0.1';
if (!radius_put_string($rad, RADIUS_CALLING_STATION_ID, $station) == -1) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_string($rad, RADIUS_USER_NAME, $username)) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_string($rad, RADIUS_USER_PASSWORD, $radiuspass)) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
throw new Exception(radius_strerror($rad));
}
if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
throw new Exception(radius_strerror($rad));
}
$res = radius_send_request($rad);
if (!$res) {
throw new Exception(radius_strerror($rad));
}
while ($rattr = radius_get_attr($rad)) {
if ($rattr['attr'] == 18) {
$reply_message = $rattr['data'];
break;
}
}
} catch (Exception $exp) {
return self::wp_error('radius_error', $exp->getMessage());
}
switch ($res) {
case RADIUS_ACCESS_ACCEPT:
$userdata->user_pass = wp_hash_password($password);
return new WP_User($userdata->ID);
break;
case RADIUS_ACCESS_REJECT:
switch ($reply_message) {
case 'LDAP USER NOT FOUND':
if ($opts['use_wp_auth'] == 'on') {
add_filter('authenticate', 'wp_authenticate_username_password', 10, 3);
return null;
} else {
return self::wp_error('invalid_username', __('Unknown user'));
}
case 'INVALID OTP':
default:
return self::wp_error('incorrect_password', __('Wrong password/OTP'));
}
break;
default:
return self::wp_error('denied', __('Unknown error'));
}
}
/**
* Attempt to log in using the given username and password.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return array Associative array with the users attributes.
*/
protected function login($username, $password)
{
assert('is_string($username)');
assert('is_string($password)');
$radius = radius_auth_open();
if (!radius_add_server($radius, $this->hostname, $this->port, $this->secret, $this->timeout, $this->retries)) {
throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
}
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
throw new Exception('Error creating radius request: ' . radius_strerror($radius));
}
radius_put_attr($radius, RADIUS_USER_NAME, $username);
radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
if ($this->nasIdentifier != NULL) {
radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
}
$res = radius_send_request($radius);
if ($res != RADIUS_ACCESS_ACCEPT) {
switch ($res) {
case RADIUS_ACCESS_REJECT:
/* Invalid username or password. */
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
case RADIUS_ACCESS_CHALLENGE:
throw new Exception('Radius authentication error: Challenge requested, but not supported.');
default:
throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
}
}
/* If we get this far, we have a valid login. */
$attributes = array();
if ($this->usernameAttribute !== NULL) {
$attributes[$this->usernameAttribute] = array($username);
}
if ($this->vendor === NULL) {
/*
* We aren't interrested in any vendor-specific attributes. We are
* therefore done now.
*/
return $attributes;
}
/* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
while ($resa = radius_get_attr($radius)) {
if (!is_array($resa)) {
throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
}
if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
continue;
}
$resv = radius_get_vendor_attr($resa['data']);
if (!is_array($resv)) {
throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
}
$vendor = $resv['vendor'];
$attrv = $resv['attr'];
$datav = $resv['data'];
/*
* Uncomment this to debug vendor attributes.
*/
//printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));
if ($vendor != $this->vendor || $attrv != $this->vendorType) {
continue;
}
$attrib_name = strtok($datav, '=');
$attrib_value = strtok('=');
/* if the attribute name is already in result set, add another value */
if (array_key_exists($attrib_name, $attributes)) {
$attributes[$attrib_name][] = $attrib_value;
} else {
$attributes[$attrib_name] = array($attrib_value);
}
}
/* end of contribution */
return $attributes;
}
/**
* Adds a RADIUS server to try to authenticate. Up to 10 servers can be specified.
* @param string $hostname The hostname or IP address of the server.
* @param int $port The port on which authentication is listening. Usually 1812.
* @param string $secret The shared secret for the server host.
* @param integer $timeout Timeout in seconds to wait for a server reply
* @param integer $maxTries Maximum number of repeated requests before giving up
* @throws Zend_Auth_Adapter_Exception If the server cannot be added
*/
public function addServer($hostname, $port = self::DEFAULT_PORT, $secret = null, $timeout = self::DEFAULT_TIMEOUT, $maxTries = self::DEFAULT_MAXTRIES)
{
if (count($this->options['servers']) == self::MAX_SERVER_COUNT) {
throw new InvalidArgumentException('A maximum of ' . self::MAX_SERVER_COUNT . ' can be added.');
}
if (!radius_add_server($this->radius, $hostname, $port, $secret, $timeout, $maxTries)) {
throw new InvalidArgumentException('Error adding RADIUS server: ' . radius_strerror($this->radius));
}
$this->options['servers'][] = array('hostname' => $hostname, 'port' => $port, 'secret' => $secret, 'timeout' => $timeout, 'maxTries' => $maxTries);
return $this;
}
/**
* authenticate user against radius
* @param $username username to authenticate
* @param $password user password
* @return bool authentication status
*/
public function authenticate($username, $password)
{
$this->lastAuthProperties = array();
// reset auth properties
$radius = radius_auth_open();
$error = null;
if (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) {
$error = radius_strerror($radius);
} elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
$error = radius_strerror($radius);
} elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
$error = radius_strerror($radius);
} elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
$error = radius_strerror($radius);
} else {
// Implement extra protocols in this section.
switch ($this->protocol) {
case 'PAP':
// do PAP authentication
if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) {
$error = radius_strerror($radius);
}
break;
default:
syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
return false;
}
}
// log errors and perform actual authentication request
if ($error != null) {
syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
} else {
$request = radius_send_request($radius);
if (!$radius) {
syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
} else {
switch ($request) {
case RADIUS_ACCESS_ACCEPT:
while ($resa = radius_get_attr($radius)) {
switch ($resa['attr']) {
case RADIUS_SESSION_TIMEOUT:
$this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']);
break;
case 85:
// Acct-Interim-Interval
$this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']);
break;
default:
break;
}
}
return true;
break;
case RADIUS_ACCESS_REJECT:
return false;
break;
default:
// unexpected result, log
syslog(LOG_ERR, 'Radius unexpected response:' . $request);
}
}
}
return false;
}
function authExternalUser($login, $password)
{
$res = radius_auth_open();
if (!radius_add_server($res, $this->config['radius_server'], $this->config['radius_port'], $this->config['sharedsecret'], 3, 3)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost')) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1') == -1) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if ($password) {
if (!radius_put_string($res, RADIUS_USER_PASSWORD, $password)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
}
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
$req = radius_send_request($res);
if (!$req) {
debug('RadiusError:' . radius_strerror($res) . "\n", 'auth');
return false;
}
$user = false;
switch ($req) {
case RADIUS_ACCESS_ACCEPT:
$userData = array();
$userData["name"] = $login;
$userData["newpass1"] = '!';
$userData["newpass2"] = '!';
$user = $this->storeExternalUser($login, $userData);
break;
case RADIUS_ACCESS_REJECT:
debug("RadiusError: Radius Request rejected\n", 'auth');
break;
default:
debug("RadiusError: Unknown answer\n", 'auth');
}
return $user;
}
SimpleSAML_Logger::warning('The file auth/login-radius.php is deprecated and will be removed in future versions.');
SimpleSAML_Logger::info('AUTH - radius: Accessing auth endpoint login');
$error = null;
$attributes = array();
/* Load the RelayState argument. The RelayState argument contains the address
* we should redirect the user to after a successful authentication.
*/
if (!array_key_exists('RelayState', $_REQUEST)) {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
if (isset($_POST['username'])) {
try {
$radius = radius_auth_open();
// ( resource $radius_handle, string $hostname, int $port, string $secret, int $timeout, int $max_tries )
if (!radius_add_server($radius, $config->getValue('auth.radius.hostname'), $config->getValue('auth.radius.port'), $config->getValue('auth.radius.secret'), 5, 3)) {
SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when connecting to Radius server: ' . radius_strerror($radius));
throw new Exception('Problem occurred when connecting to Radius server: ' . radius_strerror($radius));
}
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when creating the Radius request: ' . radius_strerror($radius));
throw new Exception('Problem occurred when creating the Radius request: ' . radius_strerror($radius));
}
radius_put_attr($radius, RADIUS_USER_NAME, $_POST['username']);
radius_put_attr($radius, RADIUS_USER_PASSWORD, $_POST['password']);
switch (radius_send_request($radius)) {
case RADIUS_ACCESS_ACCEPT:
// GOOD Login :)
$attributes = array($config->getValue('auth.radius.URNForUsername') => array($_POST['username']));
// get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA
while ($resa = radius_get_attr($radius)) {
$starttime = time();
if (!isset($REMOTE_ADDR)) {
$REMOTE_ADDR = '127.0.0.1';
}
$res = radius_acct_open();
echo "{$res}<br>\n";
//if (!radius_config($res, '/etc/radius.conf')) {
/*if (!radius_config($res, 'D:/php-devel/pear/PECL/radius/radius.conf')) {
echo 'RadiusError:' . radius_strerror($res). "\n<br>";
exit;
}*/
if (!radius_add_server($res, $radserver, $radport, $sharedsecret, 3, 3)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_add_server($res, $radserver, $radport, 'testing123', 3, 3)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_create_request($res, RADIUS_ACCOUNTING_REQUEST)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($HTTP_HOST) ? $HTTP_HOST : 'localhost')) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
$username = '******';
$radserver = 'localhost';
$radport = 1813;
$starttime = time();
$sharedsecret = 'testing123';
if (!isset($REMOTE_ADDR)) {
$REMOTE_ADDR = '127.0.0.1';
}
$res = radius_acct_open();
echo "{$res}<br>\n";
//if (!radius_config($res, '/etc/radius.conf')) {
/*if (!radius_config($res, 'D:/php-devel/pear/PECL/radius/radius.conf')) {
echo 'RadiusError:' . radius_strerror($res). "\n<br>";
exit;
}*/
if (!radius_add_server($res, $radserver, $radport, $sharedsecret, 3, 3)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_create_request($res, RADIUS_ACCOUNTING_REQUEST)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($HTTP_HOST) ? $HTTP_HOST : 'localhost')) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
echo 'RadiusError:' . radius_strerror($res) . "\n<br>";
exit;
}
/**
* Perform authentication using a RADIUS server.
*
* @param Mfa_OtpdeviceDao $otpDevice
* @param Mfa_ApitokenDao $token
* @throws Zend_Exception
*/
protected function _radiusauth($otpDevice, $token)
{
/** @var SettingModel $settingModel */
$settingModel = MidasLoader::loadModel('Setting');
$radiusserver = $settingModel->GetValueByName('radiusServer', 'mfa');
$radiusport = $settingModel->GetValueByName('radiusPort', 'mfa');
$radiuspw = $settingModel->GetValueByName('radiusPassword', 'mfa');
$radiusTimeout = $settingModel->GetValueByName('radiusTimeout', 'mfa');
$radiusMaxTries = $settingModel->GetValueByName('radiusMaxTries', 'mfa');
if (!function_exists('radius_auth_open')) {
throw new Zend_Exception('RADIUS is not enabled on the server');
}
$this->getLogger()->debug('Midas Server RADIUS trying to authenticate user: '******'Cannot connect to the RADIUS server: ' . radius_strerror($rh));
}
if (!radius_create_request($rh, RADIUS_ACCESS_REQUEST)) {
throw new Zend_Exception('Cannot process requests to RADIUS server: ' . radius_strerror($rh));
}
/* this is the key parameter */
radius_put_attr($rh, RADIUS_USER_NAME, $otpDevice->getSecret());
/* this is the one time pin + 6-digit hard token or 8 digit smart token */
radius_put_attr($rh, RADIUS_USER_PASSWORD, $token);
switch (radius_send_request($rh)) {
case RADIUS_ACCESS_ACCEPT:
$this->getLogger()->debug('Midas Server RADIUS successful authentication ' . 'for ' . $otpDevice->getSecret());
return true;
case RADIUS_ACCESS_REJECT:
$this->getLogger()->info('Midas Server RADIUS failed authentication for ' . $otpDevice->getSecret());
return false;
case RADIUS_ACCESS_CHALLENGE:
$this->getLogger()->info('Midas Server RADIUS challenge requested for ' . $otpDevice->getSecret());
return false;
default:
$this->getLogger()->info('Midas Server RADIUS error during authentication ' . 'for ' . $otpDevice->getSecret() . ' with Token: ' . $token . '. Error: ' . radius_strerror($rh));
throw new Zend_Exception('Error during RADIUS authentication: ' . radius_strerror($rh));
}
}
