private function _sendPOD($session)
{
$nas = $session[0]['nas'];
$username = $session[0]['login'];
$session_id = str_replace('sid_', '', $session[0]['id']);
$radport = 3799;
$sharedsecret = 'brascoa';
$res = radius_acct_open();
radius_add_server($res, $nas, $radport, $sharedsecret, 3, 1);
radius_create_request($res, RADIUS_DISCONNECT_REQUEST);
// radius_put_string($res, RADIUS_NAS_IP_ADDRESS, 0);
radius_put_string($res, RADIUS_USER_NAME, $username);
radius_put_string($res, RADIUS_ACCT_SESSION_ID, $session_id);
$reply = radius_send_request($res);
switch ($reply) {
case RADIUS_COA_ACK:
case RADIUS_DISCONNECT_ACK:
$result = "CoA-ACK\n";
break;
case RADIUS_COA_NAK:
case RADIUS_DISCONNECT_NAK:
$result = "CoA-NAK\n";
break;
default:
return "Unsupported reply\n";
}
while ($resa = radius_get_attr($res)) {
$data = $resa['data'];
$value = radius_cvt_int($data);
switch ($value) {
case 401:
$result = "Unsupported Attribute\n";
break;
case 402:
$result = "Missing Attribute\n";
break;
case 403:
$result = "NAS Identification mismatch [{$nas}]\n";
break;
case 404:
$result = "Invalid Request\n";
break;
case 503:
$result = "Session context not found\n";
break;
case 506:
$result = "Resources unavailable\n";
break;
default:
$result = "Unsupported Error-Cause\n";
}
}
radius_close($res);
return $result;
}
/**
* Reads all received attributes after sending the request.
*
* This methods stores known attributes in the property attributes,
* all attributes (including known attibutes) are stored in rawAttributes
* or rawVendorAttributes.
* NOTE: call this function also even if the request was rejected, because the
* Server returns usualy an errormessage
*
* @access public
* @return bool true on success, false on error
*/
function getAttributes()
{
while ($attrib = radius_get_attr($this->res)) {
if (!is_array($attrib)) {
return false;
}
$attr = $attrib['attr'];
$data = $attrib['data'];
$this->rawAttributes[$attr] = $data;
switch ($attr) {
case RADIUS_FRAMED_IP_ADDRESS:
$this->attributes['framed_ip'] = radius_cvt_addr($data);
break;
case RADIUS_FRAMED_IP_NETMASK:
$this->attributes['framed_mask'] = radius_cvt_addr($data);
break;
case RADIUS_FRAMED_MTU:
$this->attributes['framed_mtu'] = radius_cvt_int($data);
break;
case RADIUS_FRAMED_COMPRESSION:
$this->attributes['framed_compression'] = radius_cvt_int($data);
break;
case RADIUS_SESSION_TIMEOUT:
$this->attributes['session_timeout'] = radius_cvt_int($data);
break;
case RADIUS_IDLE_TIMEOUT:
$this->attributes['idle_timeout'] = radius_cvt_int($data);
break;
case RADIUS_SERVICE_TYPE:
$this->attributes['service_type'] = radius_cvt_int($data);
break;
case RADIUS_CLASS:
$this->attributes['class'] = radius_cvt_string($data);
break;
case RADIUS_FRAMED_PROTOCOL:
$this->attributes['framed_protocol'] = radius_cvt_int($data);
break;
case RADIUS_FRAMED_ROUTING:
$this->attributes['framed_routing'] = radius_cvt_int($data);
break;
case RADIUS_FILTER_ID:
$this->attributes['filter_id'] = radius_cvt_string($data);
break;
case RADIUS_REPLY_MESSAGE:
$this->attributes['reply_message'] = radius_cvt_string($data);
break;
case RADIUS_VENDOR_SPECIFIC:
$attribv = radius_get_vendor_attr($data);
if (!is_array($attribv)) {
return false;
}
$vendor = $attribv['vendor'];
$attrv = $attribv['attr'];
$datav = $attribv['data'];
$this->rawVendorAttributes[$vendor][$attrv] = $datav;
if ($vendor == RADIUS_VENDOR_MICROSOFT) {
switch ($attrv) {
case RADIUS_MICROSOFT_MS_CHAP2_SUCCESS:
$this->attributes['ms_chap2_success'] = radius_cvt_string($datav);
break;
case RADIUS_MICROSOFT_MS_CHAP_ERROR:
$this->attributes['ms_chap_error'] = radius_cvt_string(substr($datav, 1));
break;
case RADIUS_MICROSOFT_MS_CHAP_DOMAIN:
$this->attributes['ms_chap_domain'] = radius_cvt_string($datav);
break;
case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY:
$this->attributes['ms_mppe_encryption_policy'] = radius_cvt_int($datav);
break;
case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES:
$this->attributes['ms_mppe_encryption_types'] = radius_cvt_int($datav);
break;
case RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS:
$demangled = radius_demangle($this->res, $datav);
$this->attributes['ms_chap_mppe_lm_key'] = substr($demangled, 0, 8);
$this->attributes['ms_chap_mppe_nt_key'] = substr($demangled, 8, RADIUS_MPPE_KEY_LEN);
break;
case RADIUS_MICROSOFT_MS_MPPE_SEND_KEY:
$this->attributes['ms_chap_mppe_send_key'] = radius_demangle_mppe_key($this->res, $datav);
break;
case RADIUS_MICROSOFT_MS_MPPE_RECV_KEY:
$this->attributes['ms_chap_mppe_recv_key'] = radius_demangle_mppe_key($this->res, $datav);
break;
case RADIUS_MICROSOFT_MS_PRIMARY_DNS_SERVER:
$this->attributes['ms_primary_dns_server'] = radius_cvt_string($datav);
break;
}
}
break;
}
}
return true;
}
/**
* Validate login credentials
*
* @param string $uname - The user name requesting access
* @param string $pass - Password to use (usually plain text)
* @param pointer &$newvals - pointer to array to accept other data read from database
* @param boolean $connect_only - TRUE to simply connect to the server
*
* @return integer result (AUTH_xxxx)
*
* On a successful login, &$newvals array is filled with the requested data from the server
*/
function login($uname, $pass, &$newvals, $connect_only = FALSE)
{
// Create authentification request
if (!radius_create_request($this->connection, RADIUS_ACCESS_REQUEST)) {
$this->makeErrorText('RADIUS failed authentification request: ');
return AUTH_NOCONNECT;
}
if (trim($pass) == '') {
return AUTH_BADPASSWORD;
}
// Pick up a blank password - always expect one
// Attach username and password
if (!radius_put_attr($this->connection, RADIUS_USER_NAME, $uname) || !radius_put_attr($this->connection, RADIUS_USER_PASSWORD, $pass)) {
$this->makeErrorText('RADIUS could not attach username/password: '******'CHAP not supported');
return AUTH_NOUSER;
case RADIUS_ACCESS_REJECT:
// Specifically rejected
// Specifically rejected
default:
// Catch-all
$this->makeErrorText('RADIUS validation error: ');
return AUTH_NOUSER;
}
// User accepted here.
if ($connect_only) {
return AUTH_SUCCESS;
}
return AUTH_SUCCESS;
// Not interested in any attributes returned ATM, so done.
// See if we get any attributes - not really any use to us unless we implement CHAP, so disabled ATM
$attribs = array();
while ($resa = radius_get_attr($this->connection)) {
if (!is_array($resa)) {
$this->makeErrorText("Error getting attribute: ");
exit;
}
// Decode attribute according to type (this isn't an exhaustive list)
// Codes: 2, 3, 4, 5, 30, 31, 32, 60, 61 should never be received by us
// Codes 17, 21 not assigned
switch ($resa['attr']) {
case 8:
// IP address to be set (255.255.255.254 indicates 'allocate your own address')
// IP address to be set (255.255.255.254 indicates 'allocate your own address')
case 9:
// Subnet mask
// Subnet mask
case 14:
// Login-IP host
$attribs[$resa['attr']] = radius_cvt_addr($resa['data']);
break;
case 6:
// Service type (integer bitmap)
// Service type (integer bitmap)
case 7:
// Protocol (integer bitmap)
// Protocol (integer bitmap)
case 10:
// Routing method (integer)
// Routing method (integer)
case 12:
// Framed MTU
// Framed MTU
case 13:
// Compression method
// Compression method
case 15:
// Login service (bitmap)
// Login service (bitmap)
case 16:
// Login TCP port
// Login TCP port
case 23:
// Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
// Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
case 27:
// Session timeout - maximum connection/login time in seconds
// Session timeout - maximum connection/login time in seconds
case 28:
// Idle timeout in seconds
// Idle timeout in seconds
case 29:
// Termination action
// Termination action
case 37:
// AppleTalk link number
// AppleTalk link number
case 38:
// AppleTalk network
// AppleTalk network
case 62:
// Max ports
// Max ports
case 63:
// Login LAT port
$attribs[$resa['attr']] = radius_cvt_int($resa['data']);
break;
case 1:
// User name
// User name
case 11:
// Filter ID - could get several of these
// Filter ID - could get several of these
case 18:
// Reply message (text, various purposes)
// Reply message (text, various purposes)
case 19:
// Callback number
// Callback number
case 20:
// Callback ID
// Callback ID
case 22:
// Framed route - could get several of these
// Framed route - could get several of these
case 24:
// State - used in CHAP
// State - used in CHAP
case 25:
// Class
// Class
case 26:
// Vendor-specific
// Vendor-specific
case 33:
// Proxy State
// Proxy State
case 34:
// Login LAT service
// Login LAT service
case 35:
// Login LAT node
// Login LAT node
case 36:
// Login LAT group
// Login LAT group
case 39:
// AppleTalk zone
// AppleTalk zone
default:
$attribs[$resa['attr']] = radius_cvt_string($resa['data']);
// Default to string type
}
printf("Got Attr: %d => %d Bytes %s\n", $resa['attr'], strlen($attribs[$resa['attr']]), $attribs[$resa['attr']]);
}
return AUTH_SUCCESS;
}
printf("MS CHAPv2 success: %s<br>\n", $mschap2resp);
break;
case RADIUS_MICROSOFT_MS_CHAP_ERROR:
$errormsg = radius_cvt_string(substr($datav, 1));
echo "MS CHAP Error: {$errormsg}<br>\n";
break;
case RADIUS_MICROSOFT_MS_CHAP_DOMAIN:
$domain = radius_cvt_string($datav);
echo "MS CHAP Domain: {$domain}<br>\n";
break;
case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY:
$policy = radius_cvt_int($datav);
echo "MS MPPE Policy: {$policy}<br>\n";
break;
case RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES:
$type = radius_cvt_int($datav);
echo "MS MPPE Type: {$type}<br>\n";
break;
case RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS:
$demangled = radius_demangle($res, $datav);
$lmkey = substr($demangled, 0, 8);
$ntkey = substr($demangled, 8, RADIUS_MPPE_KEY_LEN);
printf("MS MPPE Keys: LM-Key: %s NT-Key: %s<br>\n", bin2hex($lmkey), bin2hex($ntkey));
break;
case RADIUS_MICROSOFT_MS_MPPE_SEND_KEY:
$demangled = radius_demangle_mppe_key($res, $datav);
printf("MS MPPE Send Key: %s<br>\n", bin2hex($demangled));
break;
case RADIUS_MICROSOFT_MS_MPPE_RECV_KEY:
$demangled = radius_demangle_mppe_key($res, $datav);
printf("MS MPPE Send Key: %s<br>\n", bin2hex($demangled));
/**
* authenticate user against radius
* @param $username username to authenticate
* @param $password user password
* @return bool authentication status
*/
public function authenticate($username, $password)
{
$this->lastAuthProperties = array();
// reset auth properties
$radius = radius_auth_open();
$error = null;
if (!radius_add_server($radius, $this->radiusHost, $this->authPort, $this->sharedSecret, $this->timeout, $this->maxRetries)) {
$error = radius_strerror($radius);
} elseif (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
$error = radius_strerror($radius);
} elseif (!radius_put_string($radius, RADIUS_USER_NAME, $username)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
$error = radius_strerror($radius);
} elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
$error = radius_strerror($radius);
} elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
$error = radius_strerror($radius);
} else {
// Implement extra protocols in this section.
switch ($this->protocol) {
case 'PAP':
// do PAP authentication
if (!radius_put_string($radius, RADIUS_USER_PASSWORD, $password)) {
$error = radius_strerror($radius);
}
break;
default:
syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
return false;
}
}
// log errors and perform actual authentication request
if ($error != null) {
syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
} else {
$request = radius_send_request($radius);
if (!$radius) {
syslog(LOG_ERR, 'RadiusError:' . radius_strerror($error));
} else {
switch ($request) {
case RADIUS_ACCESS_ACCEPT:
while ($resa = radius_get_attr($radius)) {
switch ($resa['attr']) {
case RADIUS_SESSION_TIMEOUT:
$this->lastAuthProperties['session_timeout'] = radius_cvt_int($resa['data']);
break;
case 85:
// Acct-Interim-Interval
$this->lastAuthProperties['Acct-Interim-Interval'] = radius_cvt_int($resa['data']);
break;
default:
break;
}
}
return true;
break;
case RADIUS_ACCESS_REJECT:
return false;
break;
default:
// unexpected result, log
syslog(LOG_ERR, 'Radius unexpected response:' . $request);
}
}
}
return false;
}