exit; } // RADIUS_AUTH_RADIUS => authenticated via Radius // RADIUS_AUTH_LOCAL => authenicated local // RADIUS_AUTH_REMOTE => authenticated remote if (!radius_put_int($res, RADIUS_ACCT_AUTHENTIC, RADIUS_AUTH_LOCAL)) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit; } sleep(3); // if RADIUS_ACCT_STATUS_TYPE == RADIUS_STOP if (!radius_put_int($res, RADIUS_ACCT_TERMINATE_CAUSE, RADIUS_TERM_USER_REQUEST)) { echo 'RadiusError2:' . radius_strerror($res) . "\n<br>"; exit; } if (!radius_put_int($res, RADIUS_ACCT_SESSION_TIME, time() - $starttime)) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit; } // endif $req = radius_send_request($res); if (!$req) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit; } switch ($req) { case RADIUS_ACCOUNTING_RESPONSE: echo "Radius Accounting response<br>\n"; break; default: echo "Unexpected return value:{$req}\n<br>";
/** * Autentica un usuario usando el adaptador * * @return boolean */ public function authenticate() { $radius = radius_auth_open(); if (!$radius) { throw new KumbiaException("No se pudo crear el autenticador de Radius"); } if (!radius_add_server($radius, $this->server, $this->port, $this->secret, $this->timeout, $this->max_retries)) { throw new KumbiaException(radius_strerror($radius)); } if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) { throw new KumbiaException(radius_strerror($radius)); } if (!radius_put_string($radius, RADIUS_USER_NAME, $this->username)) { throw new KumbiaException(radius_strerror($radius)); } if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $this->password)) { throw new KumbiaException(radius_strerror($radius)); } if (!radius_put_int($radius, RADIUS_AUTHENTICATE_ONLY, 1)) { throw new KumbiaException(radius_strerror($radius)); } $this->resource = $radius; if (radius_send_request($radius) == RADIUS_ACCESS_ACCEPT) { return true; } else { return false; } }
public function prepareRequest($res, $login, $pass, $seed) { if (!radius_add_server($res, $this->radiusServer, $this->radiusPort, $this->radiusSecret, 3, 3)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not add server (" . radius_strerror($res) . ")"); return false; } if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not create request (" . radius_strerror($res) . ")"); return false; } if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 'localhost')) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for nas_identifier (" . radius_strerror($res) . ")"); return false; } if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for service_type (" . radius_strerror($res) . ")"); return false; } if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for framed_protocol (" . radius_strerror($res) . ")"); return false; } if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1') == -1) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for calling_station_id (" . radius_strerror($res) . ")"); return false; } if (!radius_put_string($res, RADIUS_USER_NAME, $login)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for user name (" . radius_strerror($res) . ")"); return false; } if ($this->radiusAuthType == 'chap') { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using CHAP."); mt_srand(time()); $chall = mt_rand(); $chapval = pack('H*', md5(pack('Ca*', 1, $pass . $chall))); $pass = pack('C', 1) . $chapval; if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $pass)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap password (" . radius_strerror($res) . ")"); return false; } if (!radius_put_attr($res, RADIUS_CHAP_CHALLENGE, $chall)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap callenge (" . radius_strerror($res) . ")"); return false; } } else { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using PAP."); if (!radius_put_string($res, RADIUS_USER_PASSWORD, $pass)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for pap password (" . radius_strerror($res) . ")"); return false; } } if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second service type (" . radius_strerror($res) . ")"); return false; } if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for second framed protocol (" . radius_strerror($res) . ")"); return false; } }
/** * Puts an attribute. * * @access public * @param integer $attrib Attribute-number * @param mixed $port Attribute-value * @param type $type Attribute-type * @return bool true on success, false on error */ function putAttribute($attrib, $value, $type = null) { if ($type == null) { $type = gettype($value); } switch ($type) { case 'integer': case 'double': return radius_put_int($this->res, $attrib, $value); case 'addr': return radius_put_addr($this->res, $attrib, $value); case 'string': default: return radius_put_attr($this->res, $attrib, $value); } }
function authExternalUser($login, $password) { $res = radius_auth_open(); if (!radius_add_server($res, $this->config['radius_server'], $this->config['radius_port'], $this->config['sharedsecret'], 3, 3)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost')) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1') == -1) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_put_string($res, RADIUS_USER_NAME, $login)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if ($password) { if (!radius_put_string($res, RADIUS_USER_PASSWORD, $password)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } } if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } $req = radius_send_request($res); if (!$req) { debug('RadiusError:' . radius_strerror($res) . "\n", 'auth'); return false; } $user = false; switch ($req) { case RADIUS_ACCESS_ACCEPT: $userData = array(); $userData["name"] = $login; $userData["newpass1"] = '!'; $userData["newpass2"] = '!'; $user = $this->storeExternalUser($login, $userData); break; case RADIUS_ACCESS_REJECT: debug("RadiusError: Radius Request rejected\n", 'auth'); break; default: debug("RadiusError: Unknown answer\n", 'auth'); } return $user; }
/** * This is the main authentication function of the plugin. Given both the * username and password it will make use of the options set to authenticate * against the configured RADIUS servers. */ function checkLogin($user, $username, $password) { if (is_a($user, 'WP_User')) { return $user; } if (empty($username)) { return self::wp_error('empty_username', __('The username field is empty.')); } if (empty($password)) { return self::wp_error('empty_password', __('The password field is empty.')); } $opts = TwoFactorRadiusAuth::getOptions(); // skip radius for user if (@array_search($username, $opts['skip_users']) !== false) { return; } remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3); $userdata = get_user_by('login', $username); if (!$userdata) { return self::wp_error('invalid_username', __('Invalid username.')); } if (is_multisite()) { // Is user marked as spam? if (1 == $userdata->spam) { return self::wp_error('invalid_username', __('Your account has been marked as a spammer.')); } // Is a user's blog marked as spam? if (!is_super_admin($userdata->ID) && isset($userdata->primary_blog)) { $details = get_blog_details($userdata->primary_blog); if (is_object($details) && $details->spam == 1) { return self::wp_error('blog_suspended', __('Site Suspended.')); } } } $OTP = trim($_POST['otp']); $radiuspass = $password; if (!empty($OTP)) { $radiuspass = $password . $opts['pwd_otp_sep'] . $OTP; } if (!function_exists('radius_auth_open')) { return self::wp_error('missing_php_radius', 'Missing php-radius'); } if (!TwoFactorRadiusAuth::isConfigured()) { return self::wp_error('missing_plugin_settings', __('Missing auth server settings')); } $reply_message = ''; try { $rad = radius_auth_open(); if (!radius_add_server($rad, $opts['s1_host'], $opts['s1_port'], $opts['s1_secr'], $opts['timeout'], $opts['max_tries'])) { throw new Exception(radius_strerror($rad)); } if (!empty($opts['s2_host']) && !empty($opts['s2_port']) && !empty($opts['s2_secr'])) { if (!radius_add_server($rad, $opts['s2_host'], $opts['s2_port'], $opts['s2_secr'], $opts['timeout'], $opts['max_tries'])) { throw new Exception(radius_strerror($rad)); } } if (!radius_create_request($rad, RADIUS_ACCESS_REQUEST)) { throw new Exception(radius_strerror($rad)); } if (!radius_put_string($rad, RADIUS_NAS_IDENTIFIER, '1')) { throw new Exception(radius_strerror($rad)); } if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { throw new Exception(radius_strerror($rad)); } if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { throw new Exception(radius_strerror($rad)); } $station = isset($REMOTE_HOST) ? $REMOTE_HOST : '127.0.0.1'; if (!radius_put_string($rad, RADIUS_CALLING_STATION_ID, $station) == -1) { throw new Exception(radius_strerror($rad)); } if (!radius_put_string($rad, RADIUS_USER_NAME, $username)) { throw new Exception(radius_strerror($rad)); } if (!radius_put_string($rad, RADIUS_USER_PASSWORD, $radiuspass)) { throw new Exception(radius_strerror($rad)); } if (!radius_put_int($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { throw new Exception(radius_strerror($rad)); } if (!radius_put_int($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { throw new Exception(radius_strerror($rad)); } $res = radius_send_request($rad); if (!$res) { throw new Exception(radius_strerror($rad)); } while ($rattr = radius_get_attr($rad)) { if ($rattr['attr'] == 18) { $reply_message = $rattr['data']; break; } } } catch (Exception $exp) { return self::wp_error('radius_error', $exp->getMessage()); } switch ($res) { case RADIUS_ACCESS_ACCEPT: $userdata->user_pass = wp_hash_password($password); return new WP_User($userdata->ID); break; case RADIUS_ACCESS_REJECT: switch ($reply_message) { case 'LDAP USER NOT FOUND': if ($opts['use_wp_auth'] == 'on') { add_filter('authenticate', 'wp_authenticate_username_password', 10, 3); return null; } else { return self::wp_error('invalid_username', __('Unknown user')); } case 'INVALID OTP': default: return self::wp_error('incorrect_password', __('Wrong password/OTP')); } break; default: return self::wp_error('denied', __('Unknown error')); } }
exit; } } else { echo "PAP<br>\n"; if (!radius_put_string($res, RADIUS_USER_PASSWORD, "sepp")) { echo 'RadiusError:' . radius_strerror($res) . "<br>\n"; exit; } } } } if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit; } if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit; } $req = radius_send_request($res); if (!$req) { echo 'RadiusError:' . radius_strerror($res) . "\n<br>"; exit; } switch ($req) { case RADIUS_ACCESS_ACCEPT: echo "Radius Request accepted<br>\n"; break; case RADIUS_ACCESS_REJECT: echo "Radius Request rejected<br>\n"; break;
/** * authenticate user against radius * @param $username username to authenticate * @param $password user password * @return bool authentication status */ public function authenticate($username, $password) { $this->lastAuthProperties = array(); // reset auth properties $radius = radius_auth_open(); $error = null; if (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) { $error = radius_strerror($radius); } elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) { $error = radius_strerror($radius); } elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) { $error = radius_strerror($radius); } elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) { $error = radius_strerror($radius); } elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) { $error = radius_strerror($radius); } elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) { $error = radius_strerror($radius); } elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) { $error = radius_strerror($radius); } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) { $error = radius_strerror($radius); } else { // Implement extra protocols in this section. switch ($this->protocol) { case 'PAP': // do PAP authentication if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) { $error = radius_strerror($radius); } break; default: syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol); return false; } } // log errors and perform actual authentication request if ($error != null) { syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error)); } else { $request = radius_send_request($radius); if (!$radius) { syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error)); } else { switch ($request) { case RADIUS_ACCESS_ACCEPT: while ($resa = radius_get_attr($radius)) { switch ($resa['attr']) { case RADIUS_SESSION_TIMEOUT: $this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']); break; case 85: // Acct-Interim-Interval $this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']); break; default: break; } } return true; break; case RADIUS_ACCESS_REJECT: return false; break; default: // unexpected result, log syslog(LOG_ERR, 'Radius unexpected response:' . $request); } } } return false; }