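/**
 * Authenticate a user against the RADIUS server configured through the
 * RADIUS_HOST/RADIUS_PORT/RADIUS_SECRET/RADIUS_TIMEOUT/RADIUS_MAXTRIES and
 * RADIUS_IDENTIFIER constants, and record the login in $_SESSION on success.
 *
 * The request is a plain Access-Request carrying User-Name, User-Password
 * and NAS-Identifier; server setup failures are fatal (die()), as in the
 * original, so the caller never sees them.
 *
 * @param string $username Username sent as User-Name; stored in
 *                         $_SESSION['loggedin'] on success
 * @param string $password Password sent as User-Password
 * @return bool true on Access-Accept; false on Access-Reject, on an
 *              Access-Challenge (challenges are not answered) and on any
 *              transport error
 */
function login($username, $password)
{
    $radius = radius_auth_open();

    if (!radius_add_server($radius, RADIUS_HOST, RADIUS_PORT, RADIUS_SECRET, RADIUS_TIMEOUT, RADIUS_MAXTRIES)) {
        die('Radius Error: ' . radius_strerror($radius));
    }
    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        die('Radius Error: ' . radius_strerror($radius));
    }

    radius_put_attr($radius, RADIUS_USER_NAME, $username);
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
    radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, RADIUS_IDENTIFIER);

    $response = radius_send_request($radius);

    // Strict comparison: the response code is an integer (or false on a
    // transport error), so a loose `==` gains nothing and can only surprise.
    if ($response === RADIUS_ACCESS_ACCEPT) {
        $_SESSION['loggedin'] = $username;
        $_SESSION['userlevel'] = RADIUS_USERLEVEL; // User level set in settings.php
        return true;
    }

    // Access-Reject, Access-Challenge and a failed send all mean "not logged
    // in". The original had a separate, empty branch for the challenge case
    // that reached the same `return false`; it is folded in here.
    return false;
}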
} $relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']); if (isset($_POST['username'])) { try { $radius = radius_auth_open(); // ( resource $radius_handle, string $hostname, int $port, string $secret, int $timeout, int $max_tries ) if (!radius_add_server($radius, $config->getValue('auth.radius.hostname'), $config->getValue('auth.radius.port'), $config->getValue('auth.radius.secret'), 5, 3)) { SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when connecting to Radius server: ' . radius_strerror($radius)); throw new Exception('Problem occurred when connecting to Radius server: ' . radius_strerror($radius)); } if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) { SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when creating the Radius request: ' . radius_strerror($radius)); throw new Exception('Problem occurred when creating the Radius request: ' . radius_strerror($radius)); } radius_put_attr($radius, RADIUS_USER_NAME, $_POST['username']); radius_put_attr($radius, RADIUS_USER_PASSWORD, $_POST['password']); switch (radius_send_request($radius)) { case RADIUS_ACCESS_ACCEPT: // GOOD Login :) $attributes = array($config->getValue('auth.radius.URNForUsername') => array($_POST['username'])); // get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA while ($resa = radius_get_attr($radius)) { if (!is_array($resa)) { printf("Error getting attribute: %s\n", radius_strerror($res)); exit; } if ($resa['attr'] == RADIUS_VENDOR_SPECIFIC) { $resv = radius_get_vendor_attr($resa['data']); if (is_array($resv)) { $vendor = $resv['vendor']; $attrv = $resv['attr'];
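/**
 * Populate a RADIUS Access-Request on an already opened handle.
 *
 * Registers the configured server on the handle, then adds NAS-Identifier,
 * Service-Type, Framed-Protocol, Calling-Station-Id, User-Name and the
 * password (CHAP-MD5 when $this->radiusAuthType is 'chap', PAP otherwise).
 * Every step is logged and aborts the preparation on failure; the request is
 * not sent here.
 *
 * @param resource $res   Handle from radius_auth_open()
 * @param string   $login Value for User-Name
 * @param string   $pass  Plain-text password; sent as User-Password (PAP) or
 *                        folded into a CHAP-Password/CHAP-Challenge pair
 * @param mixed    $seed  Unused; kept so existing callers still match
 * @return bool true once every attribute was added, false on the first failure
 */
public function prepareRequest($res, $login, $pass, $seed)
{
    if (!radius_add_server($res, $this->radiusServer, $this->radiusPort, $this->radiusSecret, 3, 3)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not add server (" . radius_strerror($res) . ")");
        return false;
    }
    if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not create request (" . radius_strerror($res) . ")");
        return false;
    }

    // NAS-Identifier comes from SERVER_NAME; depending on the web server's
    // configuration that value may be derived from the client's Host header.
    $nasIdentifier = isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 'localhost';
    if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, $nasIdentifier)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for nas_identifier (" . radius_strerror($res) . ")");
        return false;
    }
    if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for service_type (" . radius_strerror($res) . ")");
        return false;
    }
    if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for framed_protocol (" . radius_strerror($res) . ")");
        return false;
    }

    // The original wrote `!radius_put_string(...) == -1`, which parses as
    // `(!bool) == -1` and only happened to work through loose comparison;
    // the function returns a bool, so test it like the other calls.
    $callingStation = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1';
    if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, $callingStation)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for calling_station_id (" . radius_strerror($res) . ")");
        return false;
    }
    if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for user name (" . radius_strerror($res) . ")");
        return false;
    }

    if ($this->radiusAuthType === 'chap') {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using CHAP.");
        // RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge).
        // The challenge has to be unpredictable; the original seeded mt_rand()
        // with time() and used the decimal integer as the challenge. Use the
        // CSPRNG instead (random_bytes() needs PHP >= 7.0).
        $chapIdent = 1;
        $chall = random_bytes(16);
        $chapval = pack('H*', md5(pack('Ca*', $chapIdent, $pass . $chall)));
        // RADIUS carries the CHAP Identifier in the first byte of CHAP-Password.
        $chapPassword = pack('C', $chapIdent) . $chapval;
        if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $chapPassword)) {
            AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap password (" . radius_strerror($res) . ")");
            return false;
        }
        if (!radius_put_attr($res, RADIUS_CHAP_CHALLENGE, $chall)) {
            AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap callenge (" . radius_strerror($res) . ")");
            return false;
        }
    } else {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using PAP.");
        if (!radius_put_string($res, RADIUS_USER_PASSWORD, $pass)) {
            AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for pap password (" . radius_strerror($res) . ")");
            return false;
        }
    }

    // Service-Type and Framed-Protocol are added a second time, as in the
    // original ("second service type"); whether the server relies on the
    // duplicate is not visible from this code, so the behaviour is kept.
    if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second service type (" . radius_strerror($res) . ")");
        return false;
    }
    if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
        AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second framed protocol (" . radius_strerror($res) . ")");
        return false;
    }

    // The original fell off the end (returning null) on success; callers
    // comparing against false keep working, and the documented bool is honoured.
    return true;
}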
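/**
 * Attempt to log in using the given username and password.
 *
 * Registers every configured server on one handle (any that can be added
 * is enough), sends an Access-Request with User-Name (with '@realm' when a
 * realm is configured), User-Password and optionally NAS-Identifier, and on
 * Access-Accept collects the user's attributes.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the user's attributes: the username
 *               under $this->usernameAttribute (when configured; replaced by
 *               the User-Name the server returns, if any) plus every
 *               "name=value" vendor-specific attribute whose vendor and type
 *               match $this->vendor / $this->vendorType.
 * @throws SimpleSAML_Error_Error 'WRONGUSERPASS' on Access-Reject.
 * @throws Exception when no server could be added, the request could not be
 *                   created or sent, the server answered with an unsupported
 *                   Access-Challenge, or attribute decoding failed.
 */
protected function login($username, $password)
{
    /* String arguments to assert() were deprecated in PHP 7.2 and are no
     * longer evaluated in PHP 8; use real boolean expressions. */
    assert(is_string($username));
    assert(is_string($password));

    $radius = radius_auth_open();

    /* Try to add all radius servers, trigger a failure if no one works. */
    $added = false;
    foreach ($this->servers as $server) {
        if (!isset($server['port'])) {
            $server['port'] = 1812;
        }
        if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], $this->timeout, $this->retries)) {
            SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
            continue;
        }
        $added = true;
    }
    if (!$added) {
        throw new Exception('Error adding radius servers, no servers available');
    }

    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        throw new Exception('Error creating radius request: ' . radius_strerror($radius));
    }

    $userName = ($this->realm === null) ? $username : $username . '@' . $this->realm;
    radius_put_attr($radius, RADIUS_USER_NAME, $userName);
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
    if ($this->nasIdentifier !== null) {
        radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
    }

    switch (radius_send_request($radius)) {
        case RADIUS_ACCESS_ACCEPT:
            break;
        case RADIUS_ACCESS_REJECT:
            /* Invalid username or password. */
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        case RADIUS_ACCESS_CHALLENGE:
            throw new Exception('Radius authentication error: Challenge requested, but not supported.');
        default:
            /* Transport error (radius_send_request() returned false) or an
             * unexpected code. */
            throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
    }

    /* If we get this far, we have a valid login. */
    $attributes = array();
    if ($this->usernameAttribute !== null) {
        $attributes[$this->usernameAttribute] = array($username);
    }

    if ($this->vendor === null) {
        /* We aren't interested in any vendor-specific attributes, so we are done. */
        return $attributes;
    }

    /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
    while ($resa = radius_get_attr($radius)) {
        if (!is_array($resa)) {
            throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
        }

        /* Use the received user name. The original stored it even when no
         * username attribute is configured, which wrote it under a null key. */
        if ($resa['attr'] == RADIUS_USER_NAME) {
            if ($this->usernameAttribute !== null) {
                $attributes[$this->usernameAttribute] = array($resa['data']);
            }
            continue;
        }

        if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $resv = radius_get_vendor_attr($resa['data']);
        if (!is_array($resv)) {
            throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
        }

        /* Loose comparison kept on purpose: the configured vendor/type may be
         * strings while the decoded values are integers. */
        if ($resv['vendor'] != $this->vendor || $resv['attr'] != $this->vendorType) {
            continue;
        }

        /* The vendor data is expected as "name=value". strtok() returns
         * false for a missing part; skip such entries instead of storing
         * false as a value. */
        $attrib_name = strtok($resv['data'], '=');
        $attrib_value = strtok('=');
        if ($attrib_name === false || $attrib_value === false) {
            continue;
        }

        /* if the attribute name is already in result set, add another value */
        if (array_key_exists($attrib_name, $attributes)) {
            $attributes[$attrib_name][] = $attrib_value;
        } else {
            $attributes[$attrib_name] = array($attrib_value);
        }
    }
    /* end of contribution */

    return $attributes;
}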
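/**
 * Puts an attribute into the request held in $this->res.
 *
 * Dispatches on the attribute type: 'integer' and 'double' go through
 * radius_put_int(), 'addr' through radius_put_addr(), and 'string' or any
 * other type through radius_put_attr().
 *
 * @access public
 * @param integer     $attrib Attribute-number
 * @param mixed       $value  Attribute-value
 * @param string|null $type   Attribute-type ('integer', 'double', 'addr',
 *                            'string'); null or '' means gettype($value)
 * @return bool true on success, false on error
 */
function putAttribute($attrib, $value, $type = null)
{
    // The original compared `$type == null`, which is also true for ''.
    // Keep treating an empty string as "not given", without the loose compare.
    if ($type === null || $type === '') {
        $type = gettype($value);
    }

    switch ($type) {
        case 'integer':
        case 'double':
            return radius_put_int($this->res, $attrib, $value);
        case 'addr':
            return radius_put_addr($this->res, $attrib, $value);
        case 'string':
        default:
            return radius_put_attr($this->res, $attrib, $value);
    }
}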
/**
 * Validate login credentials against the RADIUS server on $this->connection.
 *
 * @param string  $uname        The user name requesting access
 * @param string  $pass         Password to use (usually plain text; sent as User-Password)
 * @param array   &$newvals     Array meant to receive other data read from the server
 *                              (nothing in this listing writes to it)
 * @param boolean $connect_only TRUE to simply connect to the server
 *
 * @return integer result (AUTH_xxxx)
 *
 * Everything after the first `return AUTH_SUCCESS` (the attribute-decoding
 * loop) is unreachable; the original comment says it is "disabled ATM".
 */
function login($uname, $pass, &$newvals, $connect_only = FALSE)
{
    // Create authentication request
    if (!radius_create_request($this->connection, RADIUS_ACCESS_REQUEST)) {
        $this->makeErrorText('RADIUS failed authentification request: ');
        return AUTH_NOCONNECT;
    }
    // Pick up a blank password - always expect one
    if (trim($pass) == '') {
        return AUTH_BADPASSWORD;
    }
    // Attach username and password
    if (!radius_put_attr($this->connection, RADIUS_USER_NAME, $uname) || !radius_put_attr($this->connection, RADIUS_USER_PASSWORD, $pass)) {
        // NOTE(review): this listing is redacted here ('******'): the error
        // return, the radius_send_request() call and the opening of the
        // switch on its result are missing, so the braces below do not pair
        // up as shown.
        $this->makeErrorText('RADIUS could not attach username/password: '******'CHAP not supported');
        return AUTH_NOUSER;
    case RADIUS_ACCESS_REJECT: // Specifically rejected
    default: // Catch-all
        $this->makeErrorText('RADIUS validation error: ');
        return AUTH_NOUSER;
    }
    // User accepted here.
    if ($connect_only) {
        return AUTH_SUCCESS;
    }
    return AUTH_SUCCESS; // Not interested in any attributes returned ATM, so done.

    // See if we get any attributes - not really any use to us unless we implement CHAP, so disabled ATM
    $attribs = array();
    while ($resa = radius_get_attr($this->connection)) {
        if (!is_array($resa)) {
            $this->makeErrorText("Error getting attribute: ");
            exit;
        }
        // Decode attribute according to type (this isn't an exhaustive list)
        // Codes: 2, 3, 4, 5, 30, 31, 32, 60, 61 should never be received by us
        // Codes 17, 21 not assigned
        switch ($resa['attr']) {
            case 8: // IP address to be set (255.255.255.254 indicates 'allocate your own address')
            case 9: // Subnet mask
            case 14: // Login-IP host
                $attribs[$resa['attr']] = radius_cvt_addr($resa['data']);
                break;
            case 6: // Service type (integer bitmap)
            case 7: // Protocol (integer bitmap)
            case 10: // Routing method (integer)
            case 12: // Framed MTU
            case 13: // Compression method
            case 15: // Login service (bitmap)
            case 16: // Login TCP port
            case 23: // Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
            case 27: // Session timeout - maximum connection/login time in seconds
            case 28: // Idle timeout in seconds
            case 29: // Termination action
            case 37: // AppleTalk link number
            case 38: // AppleTalk network
            case 62: // Max ports
            case 63: // Login LAT port
                $attribs[$resa['attr']] = radius_cvt_int($resa['data']);
                break;
            case 1: // User name
            case 11: // Filter ID - could get several of these
            case 18: // Reply message (text, various purposes)
            case 19: // Callback number
            case 20: // Callback ID
            case 22: // Framed route - could get several of these
            case 24: // State - used in CHAP
            case 25: // Class
            case 26: // Vendor-specific
            case 33: // Proxy State
            case 34: // Login LAT service
            case 35: // Login LAT node
            case 36: // Login LAT group
            case 39: // AppleTalk zone
            default:
                $attribs[$resa['attr']] = radius_cvt_string($resa['data']); // Default to string type
        }
        // Debug output straight to the response body; would also echo raw
        // attribute bytes (e.g. Class, State) if this loop were ever re-enabled.
        printf("Got Attr: %d => %d Bytes %s\n", $resa['attr'], strlen($attribs[$resa['attr']]), $attribs[$resa['attr']]);
    }
    return AUTH_SUCCESS;
}
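/**
 * Find out if a set of login credentials are valid.
 *
 * Builds an Access-Request from $this->_params (NAS-Identifier,
 * NAS-Port-Type, Service-Type, Framed-Protocol, Calling-Station-Id) plus
 * User-Name and User-Password, sends it, and throws unless the server
 * answers Access-Accept.
 *
 * @param string $username    The userId to check.
 * @param array  $credentials An array of login credentials.
 *                            For radius, this must contain a password
 *                            entry.
 *
 * @throws Horde_Auth_Exception when the password is missing, the server
 *                              or request cannot be set up, the server
 *                              rejects the credentials, or any other
 *                              response (Access-Challenge, transport
 *                              error) comes back.
 */
protected function _authenticate($username, $credentials)
{
    /* Password is required. */
    if (!isset($credentials['password'])) {
        throw new Horde_Auth_Exception('Password required for RADIUS authentication.');
    }

    $res = radius_auth_open();

    /* The original ignored these two return values and only failed later,
     * at radius_send_request(); report the library's error text right away. */
    if (!radius_add_server($res, $this->_params['host'], $this->_params['port'], $this->_params['secret'], $this->_params['timeout'], $this->_params['retries'])) {
        throw new Horde_Auth_Exception('Error adding RADIUS server: ' . radius_strerror($res));
    }
    if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
        throw new Horde_Auth_Exception('Error creating RADIUS request: ' . radius_strerror($res));
    }

    radius_put_attr($res, RADIUS_NAS_IDENTIFIER, $this->_params['nas']);
    /* NOTE(review): NAS-Port-Type, Service-Type and Framed-Protocol are
     * integer-typed attributes but are added with radius_put_attr(), which
     * takes raw bytes; kept as the original has it — confirm whether
     * radius_put_int() was intended. */
    radius_put_attr($res, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
    radius_put_attr($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
    radius_put_attr($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
    /* REMOTE_HOST is only populated when the web server does reverse
     * lookups, so this frequently sends the placeholder address. */
    $callingStation = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1';
    radius_put_attr($res, RADIUS_CALLING_STATION_ID, $callingStation);

    /* Insert username/password into request. */
    radius_put_attr($res, RADIUS_USER_NAME, $username);
    radius_put_attr($res, RADIUS_USER_PASSWORD, $credentials['password']);

    /* Send request. */
    $response = radius_send_request($res);
    switch ($response) {
        case RADIUS_ACCESS_ACCEPT:
            break;
        case RADIUS_ACCESS_REJECT:
            throw new Horde_Auth_Exception('Authentication rejected by RADIUS server.');
        default:
            /* Access-Challenge (unsupported) and transport errors end here. */
            throw new Horde_Auth_Exception(radius_strerror($res));
    }
}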
} if ($auth_type == 'chap') { echo "CHAP<br>\n"; /* generate Challenge */ mt_srand(time()); $chall = mt_rand(); // FYI: CHAP = md5(ident + plaintextpass + challenge) $chapval = pack('H*', md5(pack('Ca*', 1, $password . $chall))); // $chapval = md5(pack('Ca*',1 , $password . $chall)); // Radius wants the CHAP Ident in the first byte of the CHAP-Password $pass = pack('C', 1) . $chapval; if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $pass)) { echo 'RadiusError: RADIUS_CHAP_PASSWORD:'******'RadiusError: RADIUS_CHAP_CHALLENGE:' . radius_strerror($res) . "<br>\n"; exit; } } else { if ($auth_type == 'mschapv1') { echo "MS-CHAPv1<br>\n"; include_once 'mschap.php'; $challenge = GenerateChallenge(); printf("Challenge:%s\n", bin2hex($challenge)); if (!radius_put_vendor_attr($res, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge)) { echo 'RadiusError: RADIUS_MICROSOFT_MS_CHAP_CHALLENGE:' . radius_strerror($res) . "<br>\n"; exit; } $ntresp = ChallengeResponse($challenge, NtPasswordHash($password)); $lmresp = str_repeat("", 24);
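/**
 * Attempt to log in using the given username and password.
 *
 * Sends an Access-Request with User-Name, User-Password and optionally
 * NAS-Identifier to the single configured server and, on Access-Accept,
 * collects the user's attributes.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the user's attributes: the username
 *               under $this->usernameAttribute (when configured) plus every
 *               "name=value" vendor-specific attribute whose vendor and
 *               type match $this->vendor / $this->vendorType.
 * @throws SimpleSAML_Error_Error 'WRONGUSERPASS' on Access-Reject.
 * @throws Exception on server/request setup errors, transport errors, an
 *                   unsupported Access-Challenge, or attribute decoding
 *                   errors.
 */
protected function login($username, $password)
{
    /* String arguments to assert() were deprecated in PHP 7.2 and are no
     * longer evaluated in PHP 8; use real boolean expressions. */
    assert(is_string($username));
    assert(is_string($password));

    $radius = radius_auth_open();

    if (!radius_add_server($radius, $this->hostname, $this->port, $this->secret, $this->timeout, $this->retries)) {
        throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
    }
    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        throw new Exception('Error creating radius request: ' . radius_strerror($radius));
    }

    radius_put_attr($radius, RADIUS_USER_NAME, $username);
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
    /* The original used a loose `!= NULL`, which also skipped '' (and 0);
     * an empty identifier is still skipped here, without the loose compare. */
    if ($this->nasIdentifier !== null && $this->nasIdentifier !== '') {
        radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
    }

    switch (radius_send_request($radius)) {
        case RADIUS_ACCESS_ACCEPT:
            break;
        case RADIUS_ACCESS_REJECT:
            /* Invalid username or password. */
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        case RADIUS_ACCESS_CHALLENGE:
            throw new Exception('Radius authentication error: Challenge requested, but not supported.');
        default:
            /* Transport error (radius_send_request() returned false) or an
             * unexpected code. */
            throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
    }

    /* If we get this far, we have a valid login. */
    $attributes = array();
    if ($this->usernameAttribute !== null) {
        $attributes[$this->usernameAttribute] = array($username);
    }

    if ($this->vendor === null) {
        /* We aren't interested in any vendor-specific attributes, so we are done. */
        return $attributes;
    }

    /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
    while ($resa = radius_get_attr($radius)) {
        if (!is_array($resa)) {
            throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
        }
        if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $resv = radius_get_vendor_attr($resa['data']);
        if (!is_array($resv)) {
            throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
        }

        /* Loose comparison kept on purpose: the configured vendor/type may be
         * strings while the decoded values are integers. */
        if ($resv['vendor'] != $this->vendor || $resv['attr'] != $this->vendorType) {
            continue;
        }

        /* The vendor data is expected as "name=value". strtok() returns
         * false for a missing part; skip such entries instead of storing
         * false as a value. */
        $attrib_name = strtok($resv['data'], '=');
        $attrib_value = strtok('=');
        if ($attrib_name === false || $attrib_value === false) {
            continue;
        }

        /* if the attribute name is already in result set, add another value */
        if (array_key_exists($attrib_name, $attributes)) {
            $attributes[$attrib_name][] = $attrib_value;
        } else {
            $attributes[$attrib_name] = array($attrib_value);
        }
    }
    /* end of contribution */

    return $attributes;
}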
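/**
 * Authenticate the configured user against the handle in $this->radius.
 *
 * Adds User-Name (username followed by the authentication realm) and
 * User-Password when each is set, sends the request and maps the answer
 * onto an authentication result.
 *
 * @return Zend\Authentication\Result SUCCESS on Access-Accept;
 *         FAILURE_CREDENTIAL_INVALID on Access-Reject; FAILURE_UNCATEGORIZED
 *         for anything else (Access-Challenge, timeouts, library errors).
 *         Failure results carry radius_strerror() as their message.
 */
public function authenticate()
{
    //Create RADIUS request
    radius_create_request($this->radius, RADIUS_ACCESS_REQUEST);

    $username = $this->getUsername();
    if ($username) {
        radius_put_attr($this->radius, RADIUS_USER_NAME, $username . $this->getAuthenticationRealm());
    }
    $password = $this->getPassword();
    if ($password) {
        radius_put_attr($this->radius, RADIUS_USER_PASSWORD, $password);
    }

    //Send
    $result = radius_send_request($this->radius);
    switch ($result) {
        case RADIUS_ACCESS_ACCEPT:
            return new Authentication\Result(Authentication\Result::SUCCESS, $username);
        case RADIUS_ACCESS_REJECT:
            return new Authentication\Result(Authentication\Result::FAILURE_CREDENTIAL_INVALID, $username, array(radius_strerror($this->radius)));
        default:
            // The original var_dump()'ed $result here, writing the raw
            // response into the HTTP body; the library's error text is
            // already returned in the result's messages, so that is gone.
            return new Authentication\Result(Authentication\Result::FAILURE_UNCATEGORIZED, $username, array(radius_strerror($this->radius)));
    }
}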
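/**
 * Check username and password against RADIUS authentication backend.
 *
 * Uses the global handle $rad prepared by radius_init() and the
 * $config['auth_radius_*'] settings. The password is sent as CHAP-MD5
 * (RFC 1994), MS-CHAPv1 (RFC 2433), MS-CHAPv2 (RFC 2759) or, by default,
 * PAP (User-Password) depending on $config['auth_radius_method'].
 *
 * @param string $username User name to check
 * @param string $password User password to check
 * @return int Authentication success (0 = fail, 1 = success) FIXME bool
 */
function radius_authenticate($username, $password)
{
    global $config, $rad;

    radius_init();
    if (!$username || !$rad) {
        return 0;
    }

    radius_create_request($rad, RADIUS_ACCESS_REQUEST);
    radius_put_attr($rad, RADIUS_USER_NAME, $username);

    switch (strtolower($config['auth_radius_method'])) {
        // CHAP-MD5 see RFC1994
        case 'chap':
        case 'chap_md5':
            $chapid = 1; // Specify a CHAP identifier
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MD5();
            $crpt->password = $password;
            $challenge = $crpt->challenge;
            $resp_md5 = $crpt->challengeResponse();
            // CHAP-Password carries the identifier in its first byte
            $resp = pack('C', $chapid) . $resp_md5;
            radius_put_attr($rad, RADIUS_CHAP_PASSWORD, $resp); // Add the Chap-Password attribute
            radius_put_attr($rad, RADIUS_CHAP_CHALLENGE, $challenge); // Add the Chap-Challenge attribute.
            break;

        // MS-CHAPv1 see RFC2433
        case 'mschapv1':
            $chapid = 1; // Specify a CHAP identifier
            $flags = 1; // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MSv1();
            $crpt->password = $password;
            $challenge = $crpt->challenge;
            // MS-CHAP-Response is ident, flags, a 24-byte LM-Response and a
            // 24-byte NT-Response. The LM field is unused (flags = 1) but has
            // to be present as 24 NUL bytes; str_repeat("", 24) in the
            // original yields an empty string and a truncated attribute.
            $resp_lm = str_repeat("\0", 24);
            $resp_nt = $crpt->challengeResponse();
            $resp = pack('CC', $chapid, $flags) . $resp_lm . $resp_nt;
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
            break;

        // MS-CHAPv2 see RFC2759
        case 'mschapv2':
            $chapid = 1; // Specify a CHAP identifier
            $flags = 1; // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MSv2();
            $crpt->username = $username;
            $crpt->password = $password;
            $challenge = $crpt->authChallenge;
            $challenge_p = $crpt->peerChallenge;
            $resp_nt = $crpt->challengeResponse();
            // Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response.
            // pack() NUL-pads the 'a8' reserved field to 8 bytes.
            $resp = pack('CCa16a8a24', $chapid, $flags, $challenge_p, str_repeat("\0", 8), $resp_nt);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
            break;

        // PAP (Plaintext)
        default:
            radius_put_attr($rad, RADIUS_USER_PASSWORD, $password);
    }

    // Puts standard attributes
    $radius_ip = get_ip_version($config['auth_radius_nas_address']) ? $config['auth_radius_nas_address'] : $_SERVER['SERVER_ADDR'];
    if (get_ip_version($radius_ip) == 6) {
        // FIXME, not sure that this work correctly
        radius_put_attr($rad, RADIUS_NAS_IPV6_ADDRESS, $radius_ip);
    } else {
        radius_put_addr($rad, RADIUS_NAS_IP_ADDRESS, $radius_ip);
    }
    $radius_id = empty($config['auth_radius_id']) ? get_localhost() : $config['auth_radius_id'];
    radius_put_attr($rad, RADIUS_NAS_IDENTIFIER, $radius_id);
    // NAS-Port-Type, Service-Type and Framed-Protocol are deliberately not sent.
    $calling_station = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1';
    radius_put_attr($rad, RADIUS_CALLING_STATION_ID, $calling_station);

    $response = radius_send_request($rad);
    switch ($response) {
        case RADIUS_ACCESS_ACCEPT:
            // The RADIUS server authenticated the user successfully.
            return 1;
        case RADIUS_ACCESS_REJECT:
            // The RADIUS server could not authenticate the user.
            break;
        case RADIUS_ACCESS_CHALLENGE:
            // The server requires further information in another
            // Access-Request before authenticating; not supported here.
            break;
        default:
            print_error('A RADIUS error has occurred: ' . radius_strerror($rad));
    }

    return 0;
}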
/**
 * Perform authentication using a RADIUS server.
 *
 * Sends the OTP device secret as User-Name and the submitted token as
 * User-Password to the server configured in the 'mfa' settings.
 *
 * @param Mfa_OtpdeviceDao $otpDevice
 * @param Mfa_ApitokenDao $token
 * @return bool true on Access-Accept; false on Access-Reject or Access-Challenge
 * @throws Zend_Exception when the radius extension is missing, the server or
 *                        request cannot be set up, or the server returns an error
 */
protected function _radiusauth($otpDevice, $token)
{
    /** @var SettingModel $settingModel */
    $settingModel = MidasLoader::loadModel('Setting');
    $radiusserver = $settingModel->GetValueByName('radiusServer', 'mfa');
    $radiusport = $settingModel->GetValueByName('radiusPort', 'mfa');
    $radiuspw = $settingModel->GetValueByName('radiusPassword', 'mfa');
    $radiusTimeout = $settingModel->GetValueByName('radiusTimeout', 'mfa');
    $radiusMaxTries = $settingModel->GetValueByName('radiusMaxTries', 'mfa');

    if (!function_exists('radius_auth_open')) {
        throw new Zend_Exception('RADIUS is not enabled on the server');
    }

    // NOTE(review): this listing is redacted here ('******'): the rest of
    // the debug message, the radius_auth_open() call and the
    // radius_add_server() check that produces $rh are missing from this copy.
    $this->getLogger()->debug('Midas Server RADIUS trying to authenticate user: '******'Cannot connect to the RADIUS server: ' . radius_strerror($rh));
    }
    if (!radius_create_request($rh, RADIUS_ACCESS_REQUEST)) {
        throw new Zend_Exception('Cannot process requests to RADIUS server: ' . radius_strerror($rh));
    }

    /* this is the key parameter */
    radius_put_attr($rh, RADIUS_USER_NAME, $otpDevice->getSecret());
    /* this is the one time pin + 6-digit hard token or 8 digit smart token */
    radius_put_attr($rh, RADIUS_USER_PASSWORD, $token);

    switch (radius_send_request($rh)) {
        case RADIUS_ACCESS_ACCEPT:
            $this->getLogger()->debug('Midas Server RADIUS successful authentication ' . 'for ' . $otpDevice->getSecret());
            return true;
        case RADIUS_ACCESS_REJECT:
            $this->getLogger()->info('Midas Server RADIUS failed authentication for ' . $otpDevice->getSecret());
            return false;
        case RADIUS_ACCESS_CHALLENGE:
            $this->getLogger()->info('Midas Server RADIUS challenge requested for ' . $otpDevice->getSecret());
            return false;
        default:
            // NOTE(review): every branch above writes the device secret to the
            // log, and this one also writes the submitted token; both are
            // credentials and would normally be redacted in log output.
            $this->getLogger()->info('Midas Server RADIUS error during authentication ' . 'for ' . $otpDevice->getSecret() . ' with Token: ' . $token . '. Error: ' . radius_strerror($rh));
            throw new Zend_Exception('Error during RADIUS authentication: ' . radius_strerror($rh));
    }
}