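/**
 * Read every attribute of the RADIUS response held in $r_obj->res.
 *
 * Each attribute is appended to $r_obj->rawAttributes as an
 * array('attr' => ..., 'data' => ...) pair. When a vendor-specific attribute
 * carries vendor RADIUS_SER_VENDOR and sub-attribute RADIUS_SER_UID, its
 * payload is also stored in $r_obj->attributes['ser-attrs']['uid'].
 *
 * @param object $r_obj  Object exposing ->res, ->rawAttributes and ->attributes.
 * @return bool  true when all attributes were read, false as soon as an
 *               attribute or vendor-specific payload cannot be decoded.
 */
function radiusAuthGetAttributes(&$r_obj)
{
    while ($attrib = radius_get_attr($r_obj->res)) {
        if (!is_array($attrib)) {
            return false;
        }
        $attr = $attrib['attr'];
        $data = $attrib['data'];
        $r_obj->rawAttributes[] = array("attr" => $attr, "data" => $data);

        if ($attr != RADIUS_VENDOR_SPECIFIC) {
            continue;
        }

        $vavp = radius_get_vendor_attr($data);
        if (!is_array($vavp)) {
            // A vendor-specific attribute that cannot be decoded is treated like
            // any other unreadable attribute: fail closed instead of indexing a
            // non-array and loosely comparing the resulting null with the
            // vendor constants.
            return false;
        }

        // The uid is taken verbatim from the server's reply; it is only as
        // trustworthy as the response itself.
        if ($vavp['vendor'] == RADIUS_SER_VENDOR && $vavp['attr'] == RADIUS_SER_UID) {
            $r_obj->attributes['ser-attrs']['uid'] = $vavp['data'];
        }
    }
    return true;
}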
Exemplo n.º 2
     throw new Exception('Problem occurred when creating the Radius request: ' . radius_strerror($radius));
 }
 radius_put_attr($radius, RADIUS_USER_NAME, $_POST['username']);
 radius_put_attr($radius, RADIUS_USER_PASSWORD, $_POST['password']);
 switch (radius_send_request($radius)) {
     case RADIUS_ACCESS_ACCEPT:
         // GOOD Login :)
         $attributes = array($config->getValue('auth.radius.URNForUsername') => array($_POST['username']));
         // get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA
         while ($resa = radius_get_attr($radius)) {
             if (!is_array($resa)) {
                 printf("Error getting attribute: %s\n", radius_strerror($res));
                 exit;
             }
             if ($resa['attr'] == RADIUS_VENDOR_SPECIFIC) {
                 $resv = radius_get_vendor_attr($resa['data']);
                 if (is_array($resv)) {
                     $vendor = $resv['vendor'];
                     $attrv = $resv['attr'];
                     $datav = $resv['data'];
                     /**
                      * Uncomment this to debug vendor attributes.
                      */
                     // printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));
                     if ($vendor == $config->getValue('auth.radius.vendor') && $attrv == $config->getValue('auth.radius.vendor-attr')) {
                         $attrib_name = strtok($datav, '=');
                         $attrib_value = strtok('=');
                         // if the attribute name is already in result set, add another value
                         if (array_key_exists($attrib_name, $attributes)) {
                             $attributes[$attrib_name][] = $attrib_value;
                         } else {
Exemplo n.º 3
 /**
  * Attempt to log in using the given username and password.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the user's attributes.
  */
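 protected function login($username, $password)
 {
     /*
      * Pass the checks as expressions. A string argument to assert() is
      * eval()'d by old PHP versions and is just a non-empty (always true)
      * value on PHP 8, so the string form verifies nothing there.
      */
     assert(is_string($username));
     assert(is_string($password));
     $radius = radius_auth_open();
     /* Try to add all radius servers, trigger a failure if no one works. */
     $success = false;
     foreach ($this->servers as $server) {
         if (!isset($server['port'])) {
             $server['port'] = 1812;
         }
         if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], $this->timeout, $this->retries)) {
             SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
             continue;
         }
         $success = true;
     }
     if (!$success) {
         throw new Exception('Error adding radius servers, no servers available');
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new Exception('Error creating radius request: ' . radius_strerror($radius));
     }
     if ($this->realm === null) {
         radius_put_attr($radius, RADIUS_USER_NAME, $username);
     } else {
         radius_put_attr($radius, RADIUS_USER_NAME, $username . '@' . $this->realm);
     }
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     if ($this->nasIdentifier !== null) {
         radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
     }
     /*
      * NOTE(review): only User-Name, User-Password and (optionally)
      * NAS-Identifier are put on the request; no Message-Authenticator
      * attribute is added here. Confirm whether the extension or the server
      * policy covers integrity protection of the exchange.
      */
     $res = radius_send_request($radius);
     if ($res != RADIUS_ACCESS_ACCEPT) {
         switch ($res) {
             case RADIUS_ACCESS_REJECT:
                 /* Invalid username or password. */
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
             case RADIUS_ACCESS_CHALLENGE:
                 throw new Exception('Radius authentication error: Challenge requested, but not supported.');
             default:
                 throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
         }
     }
     /* If we get this far, we have a valid login. */
     $attributes = array();
     if ($this->usernameAttribute !== null) {
         $attributes[$this->usernameAttribute] = array($username);
     }
     if ($this->vendor === null) {
         /*
          * We aren't interested in any vendor-specific attributes. We are
          * therefore done now.
          */
         return $attributes;
     }
     /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
     while ($resa = radius_get_attr($radius)) {
         if (!is_array($resa)) {
             throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
         }
         /*
          * Use the received user name, but only when a username attribute is
          * configured; otherwise the value would be filed under an empty key.
          */
         if ($resa['attr'] == RADIUS_USER_NAME) {
             if ($this->usernameAttribute !== null) {
                 $attributes[$this->usernameAttribute] = array($resa['data']);
             }
             continue;
         }
         if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
             continue;
         }
         $resv = radius_get_vendor_attr($resa['data']);
         if (!is_array($resv)) {
             throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
         }
         $vendor = $resv['vendor'];
         $attrv = $resv['attr'];
         $datav = $resv['data'];
         if ($vendor != $this->vendor || $attrv != $this->vendorType) {
             continue;
         }
         /*
          * Split "name=value" on the first '=' only. strtok() cut the value at
          * its next '=' (truncating e.g. padded base64), skipped empty tokens
          * and returned false for a missing part, which then became an array
          * key or value.
          */
         $pair = explode('=', $datav, 2);
         if (count($pair) !== 2 || $pair[0] === '') {
             /* Not a usable name=value pair; the payload itself is not logged. */
             SimpleSAML\Logger::warning('Ignoring malformed vendor-specific radius attribute.');
             continue;
         }
         $attrib_name = $pair[0];
         $attrib_value = $pair[1];
         /* if the attribute name is already in result set,
            add another value */
         if (array_key_exists($attrib_name, $attributes)) {
             $attributes[$attrib_name][] = $attrib_value;
         } else {
             $attributes[$attrib_name] = array($attrib_value);
         }
     }
     /* end of contribution */
     return $attributes;
 }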
Exemplo n.º 4
 /**
  * Reads all received attributes after sending the request.
  *
  * This method stores known attributes in the property attributes;
  * all attributes (including known attributes) are stored in rawAttributes
  * or rawVendorAttributes.
  * NOTE: call this function even if the request was rejected, because the
  * server usually returns an error message.
  *
  * @access public
  * @return bool   true on success, false on error
  */
 function getAttributes()
 {
     // Standard attributes decoded by a single converter call:
     // attribute type => array(key in $this->attributes, converter function name).
     $plain = array(
         RADIUS_FRAMED_IP_ADDRESS => array('framed_ip', 'radius_cvt_addr'),
         RADIUS_FRAMED_IP_NETMASK => array('framed_mask', 'radius_cvt_addr'),
         RADIUS_FRAMED_MTU => array('framed_mtu', 'radius_cvt_int'),
         RADIUS_FRAMED_COMPRESSION => array('framed_compression', 'radius_cvt_int'),
         RADIUS_SESSION_TIMEOUT => array('session_timeout', 'radius_cvt_int'),
         RADIUS_IDLE_TIMEOUT => array('idle_timeout', 'radius_cvt_int'),
         RADIUS_SERVICE_TYPE => array('service_type', 'radius_cvt_int'),
         RADIUS_CLASS => array('class', 'radius_cvt_string'),
         RADIUS_FRAMED_PROTOCOL => array('framed_protocol', 'radius_cvt_int'),
         RADIUS_FRAMED_ROUTING => array('framed_routing', 'radius_cvt_int'),
         RADIUS_FILTER_ID => array('filter_id', 'radius_cvt_string'),
         RADIUS_REPLY_MESSAGE => array('reply_message', 'radius_cvt_string'),
     );
     // Microsoft vendor attributes that likewise need only one converter call.
     $msPlain = array(
         RADIUS_MICROSOFT_MS_CHAP2_SUCCESS => array('ms_chap2_success', 'radius_cvt_string'),
         RADIUS_MICROSOFT_MS_CHAP_DOMAIN => array('ms_chap_domain', 'radius_cvt_string'),
         RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY => array('ms_mppe_encryption_policy', 'radius_cvt_int'),
         RADIUS_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES => array('ms_mppe_encryption_types', 'radius_cvt_int'),
         RADIUS_MICROSOFT_MS_PRIMARY_DNS_SERVER => array('ms_primary_dns_server', 'radius_cvt_string'),
     );

     while ($item = radius_get_attr($this->res)) {
         if (!is_array($item)) {
             return false;
         }
         $type = $item['attr'];
         $payload = $item['data'];
         // Keyed by attribute type, so a repeated attribute keeps only its last value.
         $this->rawAttributes[$type] = $payload;

         if (isset($plain[$type])) {
             $key = $plain[$type][0];
             $decode = $plain[$type][1];
             $this->attributes[$key] = $decode($payload);
             continue;
         }
         if ($type != RADIUS_VENDOR_SPECIFIC) {
             continue;
         }

         $vsa = radius_get_vendor_attr($payload);
         if (!is_array($vsa)) {
             return false;
         }
         $vendorId = $vsa['vendor'];
         $subType = $vsa['attr'];
         $subData = $vsa['data'];
         $this->rawVendorAttributes[$vendorId][$subType] = $subData;

         // Only Microsoft vendor attributes are decoded further.
         if ($vendorId != RADIUS_VENDOR_MICROSOFT) {
             continue;
         }
         if (isset($msPlain[$subType])) {
             $key = $msPlain[$subType][0];
             $decode = $msPlain[$subType][1];
             $this->attributes[$key] = $decode($subData);
             continue;
         }

         if ($subType == RADIUS_MICROSOFT_MS_CHAP_ERROR) {
             // The first byte of the payload is dropped before conversion.
             $this->attributes['ms_chap_error'] = radius_cvt_string(substr($subData, 1));
         } elseif ($subType == RADIUS_MICROSOFT_MS_CHAP_MPPE_KEYS) {
             // Demangled key material: the first 8 bytes go to the LM key, the
             // next RADIUS_MPPE_KEY_LEN bytes to the NT key. Keep these values
             // out of logs and debug output.
             $clear = radius_demangle($this->res, $subData);
             $this->attributes['ms_chap_mppe_lm_key'] = substr($clear, 0, 8);
             $this->attributes['ms_chap_mppe_nt_key'] = substr($clear, 8, RADIUS_MPPE_KEY_LEN);
         } elseif ($subType == RADIUS_MICROSOFT_MS_MPPE_SEND_KEY) {
             $this->attributes['ms_chap_mppe_send_key'] = radius_demangle_mppe_key($this->res, $subData);
         } elseif ($subType == RADIUS_MICROSOFT_MS_MPPE_RECV_KEY) {
             $this->attributes['ms_chap_mppe_recv_key'] = radius_demangle_mppe_key($this->res, $subData);
         }
     }
     return true;
 }
Exemplo n.º 5
     break;
 case RADIUS_FRAMED_PROTOCOL:
     $proto = radius_cvt_int($data);
     echo "Protocol: {$proto}<br>\n";
     break;
 case RADIUS_FRAMED_ROUTING:
     $rout = radius_cvt_int($data);
     echo "Routing: {$rout}<br>\n";
     break;
 case RADIUS_FILTER_ID:
     $id = radius_cvt_string($data);
     echo "Filter ID: {$id}<br>\n";
     break;
 case RADIUS_VENDOR_SPECIFIC:
     //printf ("Vendor specific (%d)<br>\n", $attr);
     $resv = radius_get_vendor_attr($data);
     if (is_array($resv)) {
         $vendor = $resv['vendor'];
         $attrv = $resv['attr'];
         $datav = $resv['data'];
         if ($vendor == RADIUS_VENDOR_MICROSOFT) {
             switch ($attrv) {
                 case RADIUS_MICROSOFT_MS_CHAP2_SUCCESS:
                     $mschap2resp = radius_cvt_string($datav);
                     printf("MS CHAPv2 success: %s<br>\n", $mschap2resp);
                     break;
                 case RADIUS_MICROSOFT_MS_CHAP_ERROR:
                     $errormsg = radius_cvt_string(substr($datav, 1));
                     echo "MS CHAP Error: {$errormsg}<br>\n";
                     break;
                 case RADIUS_MICROSOFT_MS_CHAP_DOMAIN:
Exemplo n.º 6
 /**
  * Attempt to log in using the given username and password.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the user's attributes.
  */
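 protected function login($username, $password)
 {
     /*
      * Pass the checks as expressions. A string argument to assert() is
      * eval()'d by old PHP versions and is just a non-empty (always true)
      * value on PHP 8, so the string form verifies nothing there.
      */
     assert(is_string($username));
     assert(is_string($password));
     $radius = radius_auth_open();
     if (!radius_add_server($radius, $this->hostname, $this->port, $this->secret, $this->timeout, $this->retries)) {
         throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new Exception('Error creating radius request: ' . radius_strerror($radius));
     }
     radius_put_attr($radius, RADIUS_USER_NAME, $username);
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     /* Loose comparison: an empty-string identifier is skipped as well as NULL. */
     if ($this->nasIdentifier != NULL) {
         radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
     }
     /*
      * NOTE(review): only User-Name, User-Password and (optionally)
      * NAS-Identifier are put on the request; no Message-Authenticator
      * attribute is added here. Confirm whether the extension or the server
      * policy covers integrity protection of the exchange.
      */
     $res = radius_send_request($radius);
     if ($res != RADIUS_ACCESS_ACCEPT) {
         switch ($res) {
             case RADIUS_ACCESS_REJECT:
                 /* Invalid username or password. */
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
             case RADIUS_ACCESS_CHALLENGE:
                 throw new Exception('Radius authentication error: Challenge requested, but not supported.');
             default:
                 throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
         }
     }
     /* If we get this far, we have a valid login. */
     $attributes = array();
     if ($this->usernameAttribute !== NULL) {
         $attributes[$this->usernameAttribute] = array($username);
     }
     if ($this->vendor === NULL) {
         /*
          * We aren't interested in any vendor-specific attributes. We are
          * therefore done now.
          */
         return $attributes;
     }
     /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
     while ($resa = radius_get_attr($radius)) {
         if (!is_array($resa)) {
             throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
         }
         if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
             continue;
         }
         $resv = radius_get_vendor_attr($resa['data']);
         if (!is_array($resv)) {
             throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
         }
         $vendor = $resv['vendor'];
         $attrv = $resv['attr'];
         $datav = $resv['data'];
         /*
          * Uncomment this to debug vendor attributes.
          */
         //printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));
         if ($vendor != $this->vendor || $attrv != $this->vendorType) {
             continue;
         }
         /*
          * Split "name=value" on the first '=' only. strtok() cut the value at
          * its next '=' (truncating e.g. padded base64), skipped empty tokens
          * and returned false for a missing part, which then became an array
          * key or value.
          */
         $pair = explode('=', $datav, 2);
         if (count($pair) !== 2 || $pair[0] === '') {
             /* Not a usable name=value pair: skip it. */
             continue;
         }
         $attrib_name = $pair[0];
         $attrib_value = $pair[1];
         /* if the attribute name is already in result set, add another value */
         if (array_key_exists($attrib_name, $attributes)) {
             $attributes[$attrib_name][] = $attrib_value;
         } else {
             $attributes[$attrib_name] = array($attrib_value);
         }
     }
     /* end of contribution */
     return $attributes;
 }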