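/**
 * Read every attribute of the RADIUS response held by $r_obj.
 *
 * Each attribute is appended undecoded to $r_obj->rawAttributes as
 * array('attr' => type, 'data' => payload). The only attribute that is
 * decoded is the vendor-specific RADIUS_SER_VENDOR / RADIUS_SER_UID pair,
 * whose payload is stored in $r_obj->attributes['ser-attrs']['uid'].
 *
 * @param object $r_obj Object holding the radius handle in ->res; its
 *                      rawAttributes and attributes members are written to.
 * @return bool true when all attributes were read, false when the extension
 *              fails to return an attribute or to decode a vendor-specific
 *              attribute.
 */
function radiusAuthGetAttributes(&$r_obj)
{
    while ($attrib = radius_get_attr($r_obj->res)) {
        // radius_get_attr() returns an error code instead of an array on failure
        if (!is_array($attrib)) {
            return false;
        }
        $attr = $attrib['attr'];
        $data = $attrib['data'];
        $r_obj->rawAttributes[] = array('attr' => $attr, 'data' => $data);

        if ($attr != RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        // radius_get_vendor_attr() returns false on a malformed VSA payload;
        // guard before indexing so a bad response fails the same way as a
        // failed radius_get_attr() instead of indexing into false.
        $vavp = radius_get_vendor_attr($data);
        if (!is_array($vavp)) {
            return false;
        }
        if ($vavp['vendor'] == RADIUS_SER_VENDOR && $vavp['attr'] == RADIUS_SER_UID) {
            $r_obj->attributes['ser-attrs']['uid'] = $vavp['data'];
        }
    }
    return true;
}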
throw new Exception('Problem occurred when creating the Radius request: ' . radius_strerror($radius)); } radius_put_attr($radius, RADIUS_USER_NAME, $_POST['username']); radius_put_attr($radius, RADIUS_USER_PASSWORD, $_POST['password']); switch (radius_send_request($radius)) { case RADIUS_ACCESS_ACCEPT: // GOOD Login :) $attributes = array($config->getValue('auth.radius.URNForUsername') => array($_POST['username'])); // get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA while ($resa = radius_get_attr($radius)) { if (!is_array($resa)) { printf("Error getting attribute: %s\n", radius_strerror($res)); exit; } if ($resa['attr'] == RADIUS_VENDOR_SPECIFIC) { $resv = radius_get_vendor_attr($resa['data']); if (is_array($resv)) { $vendor = $resv['vendor']; $attrv = $resv['attr']; $datav = $resv['data']; /** * Uncomment this to debug vendor attributes. */ // printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav)); if ($vendor == $config->getValue('auth.radius.vendor') && $attrv == $config->getValue('auth.radius.vendor-attr')) { $attrib_name = strtok($datav, '='); $attrib_value = strtok('='); // if the attribute name is already in result set, add another value if (array_key_exists($attrib_name, $attributes)) { $attributes[$attrib_name][] = $attrib_value; } else {
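/**
 * Attempt to log in using the given username and password.
 *
 * The request is sent to the first reachable entry of $this->servers (port
 * 1812 when none is configured). On RADIUS_ACCESS_ACCEPT the result holds
 * the username under $this->usernameAttribute (replaced by the User-Name the
 * server returns, if any) and, when $this->vendor is configured, one entry
 * per vendor-specific attribute of vendor $this->vendor / type
 * $this->vendorType whose payload has the form "name=value".
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the user's attributes; every value is
 *               a list of strings.
 * @throws SimpleSAML_Error_Error 'WRONGUSERPASS' when the server rejects the
 *                                credentials.
 * @throws Exception When no server could be added, the request could not be
 *                   created or sent, a challenge is requested, or attributes
 *                   cannot be read from the response.
 */
protected function login($username, $password)
{
    // String-form assert() is deprecated since PHP 7.2 and removed in 8.0;
    // evaluate the expression directly.
    assert(is_string($username));
    assert(is_string($password));

    $radius = radius_auth_open();

    /* Try to add all radius servers, trigger a failure if no one works. */
    $success = false;
    foreach ($this->servers as $server) {
        if (!isset($server['port'])) {
            $server['port'] = 1812;
        }
        if (!radius_add_server(
            $radius,
            $server['hostname'],
            $server['port'],
            $server['secret'],
            $this->timeout,
            $this->retries
        )) {
            SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
            continue;
        }
        $success = true;
    }
    if (!$success) {
        throw new Exception('Error adding radius servers, no servers available');
    }

    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        throw new Exception('Error creating radius request: ' . radius_strerror($radius));
    }

    if ($this->realm === null) {
        radius_put_attr($radius, RADIUS_USER_NAME, $username);
    } else {
        radius_put_attr($radius, RADIUS_USER_NAME, $username . '@' . $this->realm);
    }
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
    if ($this->nasIdentifier !== null) {
        radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
    }

    $res = radius_send_request($radius);
    if ($res != RADIUS_ACCESS_ACCEPT) {
        switch ($res) {
            case RADIUS_ACCESS_REJECT:
                /* Invalid username or password. */
                throw new SimpleSAML_Error_Error('WRONGUSERPASS');
            case RADIUS_ACCESS_CHALLENGE:
                throw new Exception('Radius authentication error: Challenge requested, but not supported.');
            default:
                throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
        }
    }

    /* If we get this far, we have a valid login. */
    $attributes = array();
    if ($this->usernameAttribute !== null) {
        $attributes[$this->usernameAttribute] = array($username);
    }

    if ($this->vendor === null) {
        /*
         * We aren't interested in any vendor-specific attributes. We are
         * therefore done now.
         */
        return $attributes;
    }

    /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
    while ($resa = radius_get_attr($radius)) {
        if (!is_array($resa)) {
            throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
        }

        /*
         * Use the received user name, but only when there is a configured
         * attribute to store it under; otherwise a null usernameAttribute
         * would silently become the '' key.
         */
        if ($resa['attr'] == RADIUS_USER_NAME) {
            if ($this->usernameAttribute !== null) {
                $attributes[$this->usernameAttribute] = array($resa['data']);
            }
            continue;
        }

        if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $resv = radius_get_vendor_attr($resa['data']);
        if (!is_array($resv)) {
            throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
        }

        if ($resv['vendor'] != $this->vendor || $resv['attr'] != $this->vendorType) {
            continue;
        }

        /*
         * Split on the first '=' only. strtok() stopped the value at the next
         * '=', truncating values that legitimately contain one (e.g. base64
         * padding). A payload without '=' or with an empty name is not a
         * usable attribute and is skipped rather than stored as false.
         */
        $parts = explode('=', $resv['data'], 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            SimpleSAML\Logger::warning('Ignoring vendor-specific attribute that is not of the form name=value');
            continue;
        }
        $attrib_name = $parts[0];
        $attrib_value = $parts[1];

        /* if the attribute name is already in result set, add another value */
        if (array_key_exists($attrib_name, $attributes)) {
            $attributes[$attrib_name][] = $attrib_value;
        } else {
            $attributes[$attrib_name] = array($attrib_value);
        }
    }
    /* end of contribution */

    return $attributes;
}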
/**
 * Reads all received attributes after sending the request.
 *
 * Known attributes are decoded into the property $attributes. Every
 * attribute, known or not, is additionally kept undecoded in
 * $rawAttributes (keyed by attribute type) or, for vendor-specific
 * attributes, in $rawVendorAttributes[$vendor][$type].
 * NOTE: call this method even if the request was rejected, because the
 * server usually returns an error message along with the rejection.
 *
 * @access public
 * @return bool true on success, false when the extension fails to return an
 *              attribute or to decode a vendor-specific attribute
 */
function getAttributes()
{
    // Attributes that need nothing more than one converter and one key.
    static $plain = array(
        RADIUS_FRAMED_IP_ADDRESS  => array('framed_ip',          'radius_cvt_addr'),
        RADIUS_FRAMED_IP_NETMASK  => array('framed_mask',        'radius_cvt_addr'),
        RADIUS_FRAMED_MTU         => array('framed_mtu',         'radius_cvt_int'),
        RADIUS_FRAMED_COMPRESSION => array('framed_compression', 'radius_cvt_int'),
        RADIUS_SESSION_TIMEOUT    => array('session_timeout',    'radius_cvt_int'),
        RADIUS_IDLE_TIMEOUT       => array('idle_timeout',       'radius_cvt_int'),
        RADIUS_SERVICE_TYPE       => array('service_type',       'radius_cvt_int'),
        RADIUS_CLASS              => array('class',              'radius_cvt_string'),
        RADIUS_FRAMED_PROTOCOL    => array('framed_protocol',    'radius_cvt_int'),
        RADIUS_FRAMED_ROUTING     => array('framed_routing',     'radius_cvt_int'),
        RADIUS_FILTER_ID          => array('filter_id',          'radius_cvt_string'),
        RADIUS_REPLY_MESSAGE      => array('reply_message',      'radius_cvt_string'),
    );
    // Microsoft vendor attributes that need no special decoding.
    static $msPlain = array(
        RADIUS_MICROSOFT_MS_CHAP2_SUCCESS          => array('ms_chap2_success',          'radius_cvt_string'),
        RADIUS_MICROSOFT_MS_CHAP_DOMAIN            => array('ms_chap_domain',            'radius_cvt_string'),
        RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY => array('ms_mppe_encryption_policy', 'radius_cvt_int'),
        RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES  => array('ms_mppe_encryption_types',  'radius_cvt_int'),
        RADIUS_MICROSOFT_MS_PRIMARY_DNS_SERVER     => array('ms_primary_dns_server',     'radius_cvt_string'),
    );

    while ($received = radius_get_attr($this->res)) {
        // anything but an array is an error code from the extension
        if (!is_array($received)) {
            return false;
        }
        $type = $received['attr'];
        $payload = $received['data'];
        $this->rawAttributes[$type] = $payload;

        if (isset($plain[$type])) {
            list($key, $convert) = $plain[$type];
            $this->attributes[$key] = $convert($payload);
            continue;
        }
        if ($type != RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $vsa = radius_get_vendor_attr($payload);
        if (!is_array($vsa)) {
            return false;
        }
        $vendor = $vsa['vendor'];
        $vtype = $vsa['attr'];
        $vdata = $vsa['data'];
        $this->rawVendorAttributes[$vendor][$vtype] = $vdata;

        if ($vendor != RADIUS_VENDOR_MICROSOFT) {
            continue;
        }

        if (isset($msPlain[$vtype])) {
            list($key, $convert) = $msPlain[$vtype];
            $this->attributes[$key] = $convert($vdata);
        } elseif ($vtype == RADIUS_MICROSOFT_MS_CHAP_ERROR) {
            // the payload starts with a one-byte Ident; the message follows it
            $this->attributes['ms_chap_error'] = radius_cvt_string(substr($vdata, 1));
        } elseif ($vtype == RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS) {
            // demangled blob: 8-byte LM key followed by the NT key
            $keys = radius_demangle($this->res, $vdata);
            $this->attributes['ms_chap_mppe_lm_key'] = substr($keys, 0, 8);
            $this->attributes['ms_chap_mppe_nt_key'] = substr($keys, 8, RADIUS_MPPE_KEY_LEN);
        } elseif ($vtype == RADIUS_MICROSOFT_MS_MPPE_SEND_KEY) {
            $this->attributes['ms_chap_mppe_send_key'] = radius_demangle_mppe_key($this->res, $vdata);
        } elseif ($vtype == RADIUS_MICROSOFT_MS_MPPE_RECV_KEY) {
            $this->attributes['ms_chap_mppe_recv_key'] = radius_demangle_mppe_key($this->res, $vdata);
        }
    }
    return true;
}
break; case RADIUS_FRAMED_PROTOCOL: $proto = radius_cvt_int($data); echo "Protocol: {$proto}<br>\n"; break; case RADIUS_FRAMED_ROUTING: $rout = radius_cvt_int($data); echo "Routing: {$rout}<br>\n"; break; case RADIUS_FILTER_ID: $id = radius_cvt_string($data); echo "Filter ID: {$id}<br>\n"; break; case RADIUS_VENDOR_SPECIFIC: //printf ("Vendor specific (%d)<br>\n", $attr); $resv = radius_get_vendor_attr($data); if (is_array($resv)) { $vendor = $resv['vendor']; $attrv = $resv['attr']; $datav = $resv['data']; if ($vendor == RADIUS_VENDOR_MICROSOFT) { switch ($attrv) { case RADIUS_MICROSOFT_MS_CHAP2_SUCCESS: $mschap2resp = radius_cvt_string($datav); printf("MS CHAPv2 success: %s<br>\n", $mschap2resp); break; case RADIUS_MICROSOFT_MS_CHAP_ERROR: $errormsg = radius_cvt_string(substr($datav, 1)); echo "MS CHAP Error: {$errormsg}<br>\n"; break; case RADIUS_MICROSOFT_MS_CHAP_DOMAIN:
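/**
 * Attempt to log in using the given username and password.
 *
 * The request goes to the single server configured in $this->hostname /
 * $this->port. On RADIUS_ACCESS_ACCEPT the result holds the username under
 * $this->usernameAttribute and, when $this->vendor is configured, one entry
 * per vendor-specific attribute of vendor $this->vendor / type
 * $this->vendorType whose payload has the form "name=value".
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the user's attributes; every value is
 *               a list of strings.
 * @throws SimpleSAML_Error_Error 'WRONGUSERPASS' when the server rejects the
 *                                credentials.
 * @throws Exception When the server cannot be added, the request cannot be
 *                   created or sent, a challenge is requested, or attributes
 *                   cannot be read from the response.
 */
protected function login($username, $password)
{
    // String-form assert() is deprecated since PHP 7.2 and removed in 8.0;
    // evaluate the expression directly.
    assert(is_string($username));
    assert(is_string($password));

    $radius = radius_auth_open();

    if (!radius_add_server(
        $radius,
        $this->hostname,
        $this->port,
        $this->secret,
        $this->timeout,
        $this->retries
    )) {
        throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
    }

    if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
        throw new Exception('Error creating radius request: ' . radius_strerror($radius));
    }

    radius_put_attr($radius, RADIUS_USER_NAME, $username);
    radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
    if ($this->nasIdentifier != null) {
        radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
    }

    $res = radius_send_request($radius);
    if ($res != RADIUS_ACCESS_ACCEPT) {
        switch ($res) {
            case RADIUS_ACCESS_REJECT:
                /* Invalid username or password. */
                throw new SimpleSAML_Error_Error('WRONGUSERPASS');
            case RADIUS_ACCESS_CHALLENGE:
                throw new Exception('Radius authentication error: Challenge requested, but not supported.');
            default:
                throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
        }
    }

    /* If we get this far, we have a valid login. */
    $attributes = array();
    if ($this->usernameAttribute !== null) {
        $attributes[$this->usernameAttribute] = array($username);
    }

    if ($this->vendor === null) {
        /*
         * We aren't interested in any vendor-specific attributes. We are
         * therefore done now.
         */
        return $attributes;
    }

    /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
    while ($resa = radius_get_attr($radius)) {
        if (!is_array($resa)) {
            throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
        }

        if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $resv = radius_get_vendor_attr($resa['data']);
        if (!is_array($resv)) {
            throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
        }

        $vendor = $resv['vendor'];
        $attrv = $resv['attr'];
        $datav = $resv['data'];

        /*
         * Uncomment this to debug vendor attributes.
         */
        //printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));

        if ($vendor != $this->vendor || $attrv != $this->vendorType) {
            continue;
        }

        /*
         * Split on the first '=' only. strtok() stopped the value at the next
         * '=', truncating values that legitimately contain one (e.g. base64
         * padding). A payload without '=' or with an empty name is not a
         * usable attribute and is skipped rather than stored as false.
         */
        $parts = explode('=', $datav, 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            continue;
        }
        $attrib_name = $parts[0];
        $attrib_value = $parts[1];

        /* if the attribute name is already in result set, add another value */
        if (array_key_exists($attrib_name, $attributes)) {
            $attributes[$attrib_name][] = $attrib_value;
        } else {
            $attributes[$attrib_name] = array($attrib_value);
        }
    }
    /* end of contribution */

    return $attributes;
}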