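 /**
  * Authenticate a user against the RADIUS server configured through the
  * RADIUS_* constants and, on Access-Accept, mark the PHP session as logged in.
  *
  * @param string $username  User name sent as User-Name.
  * @param string $password  Password sent as User-Password (PAP).
  * @return bool  true on Access-Accept; false on Access-Reject, on
  *               Access-Challenge (not supported here) and on any transport error.
  */
 function login($username, $password)
 {
     $radius = radius_auth_open();
     if (!radius_add_server($radius, RADIUS_HOST, RADIUS_PORT, RADIUS_SECRET, RADIUS_TIMEOUT, RADIUS_MAXTRIES)) {
         die('Radius Error: ' . radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         die('Radius Error: ' . radius_strerror($radius));
     }
     radius_put_attr($radius, RADIUS_USER_NAME, $username);
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, RADIUS_IDENTIFIER);
     $response = radius_send_request($radius);
     // Nothing else is read from the handle once the reply code is known.
     radius_close($radius);
     // Strict comparison: radius_send_request() returns false on a transport
     // error, and only the exact Access-Accept code may log the user in.
     if ($response !== RADIUS_ACCESS_ACCEPT) {
         // Access-Reject, Access-Challenge (not supported) and errors are all
         // treated as a failed login; the old nested branch returned false for
         // every one of them anyway.
         return false;
     }
     // Rotate the session id on this privilege change so an id that was
     // obtained before login cannot be reused afterwards.
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
     }
     $_SESSION['loggedin'] = $username;
     $_SESSION['userlevel'] = RADIUS_USERLEVEL; // User level set in settings.php
     return true;
 }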
}
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
if (isset($_POST['username'])) {
    try {
        $radius = radius_auth_open();
        // ( resource $radius_handle, string $hostname, int $port, string $secret, int $timeout, int $max_tries )
        if (!radius_add_server($radius, $config->getValue('auth.radius.hostname'), $config->getValue('auth.radius.port'), $config->getValue('auth.radius.secret'), 5, 3)) {
            SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when connecting to Radius server: ' . radius_strerror($radius));
            throw new Exception('Problem occurred when connecting to Radius server: ' . radius_strerror($radius));
        }
        if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
            SimpleSAML_Logger::critical('AUTH - radius: Problem occurred when creating the Radius request: ' . radius_strerror($radius));
            throw new Exception('Problem occurred when creating the Radius request: ' . radius_strerror($radius));
        }
        radius_put_attr($radius, RADIUS_USER_NAME, $_POST['username']);
        radius_put_attr($radius, RADIUS_USER_PASSWORD, $_POST['password']);
        switch (radius_send_request($radius)) {
            case RADIUS_ACCESS_ACCEPT:
                // GOOD Login :)
                $attributes = array($config->getValue('auth.radius.URNForUsername') => array($_POST['username']));
                // get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA
                while ($resa = radius_get_attr($radius)) {
                    if (!is_array($resa)) {
                        printf("Error getting attribute: %s\n", radius_strerror($res));
                        exit;
                    }
                    if ($resa['attr'] == RADIUS_VENDOR_SPECIFIC) {
                        $resv = radius_get_vendor_attr($resa['data']);
                        if (is_array($resv)) {
                            $vendor = $resv['vendor'];
                            $attrv = $resv['attr'];
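 /**
  * Populate an Access-Request on the given RADIUS handle for $login.
  *
  * Adds the configured server, creates the request and attaches
  * NAS-Identifier, Service-Type, Framed-Protocol, Calling-Station-Id and
  * User-Name, then either a CHAP-Password/CHAP-Challenge pair (when
  * $this->radiusAuthType is 'chap') or a plain User-Password (PAP).
  *
  * @param resource $res   Handle obtained from radius_auth_open().
  * @param string   $login User name to authenticate.
  * @param string   $pass  Password (plain text; hashed here when CHAP is used).
  * @param mixed    $seed  Unused; kept so existing callers keep working.
  * @return bool  true when every attribute was attached; false on the first
  *               failure (details go to AJXP_Logger::debug). The old code
  *               fell off the end and returned null even on success.
  */
 public function prepareRequest($res, $login, $pass, $seed)
 {
     if (!radius_add_server($res, $this->radiusServer, $this->radiusPort, $this->radiusSecret, 3, 3)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not add server (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not create request (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_string($res, RADIUS_NAS_IDENTIFIER, isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 'localhost')) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for nas_identifier (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for service_type (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put int for framed_protocol (" . radius_strerror($res) . ")");
         return false;
     }
     // The previous test was `!radius_put_string(...) == -1`, which compares a
     // bool with -1; the intent is simply "did the put fail?".
     if (!radius_put_string($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1')) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for calling_station_id (" . radius_strerror($res) . ")");
         return false;
     }
     if (!radius_put_string($res, RADIUS_USER_NAME, $login)) {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for user name (" . radius_strerror($res) . ")");
         return false;
     }
     if ($this->radiusAuthType === 'chap') {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using CHAP.");
         // The CHAP challenge must be unpredictable, so it comes from the
         // CSPRNG instead of mt_rand() seeded with the current time.
         $chall = random_bytes(16);
         // CHAP-Password = identifier octet followed by MD5(identifier . secret . challenge).
         $chapval = pack('H*', md5(pack('Ca*', 1, $pass . $chall)));
         $pass = pack('C', 1) . $chapval;
         if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $pass)) {
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap password (" . radius_strerror($res) . ")");
             return false;
         }
         if (!radius_put_attr($res, RADIUS_CHAP_CHALLENGE, $chall)) {
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put attribute for chap callenge (" . radius_strerror($res) . ")");
             return false;
         }
     } else {
         AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Using PAP.");
         if (!radius_put_string($res, RADIUS_USER_PASSWORD, $pass)) {
             AJXP_Logger::debug(__CLASS__, __FUNCTION__, "RADIUS: Could not put string for pap password (" . radius_strerror($res) . ")");
             return false;
         }
     }
     // Service-Type and Framed-Protocol were already attached above; the old
     // code put them a second time, producing duplicate attributes.
     return true;
 }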
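 /**
  * Attempt to log in using the given username and password.
  *
  * Every configured server is registered on one RADIUS handle; the request
  * carries User-Name (with '@realm' appended when a realm is set),
  * User-Password and, when configured, NAS-Identifier. On Access-Accept the
  * returned set holds the user name under $this->usernameAttribute plus any
  * "name=value" vendor-specific attributes matching $this->vendor and
  * $this->vendorType.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the user's attributes.
  * @throws SimpleSAML_Error_Error  'WRONGUSERPASS' on Access-Reject.
  * @throws Exception  When no server could be added, the request could not be
  *                    built, a challenge was requested, or the server returned
  *                    an error or unparsable attributes.
  */
 protected function login($username, $password)
 {
     // assert() with a string argument is deprecated since PHP 7.2 and is no
     // longer evaluated in PHP 8; pass the expression itself.
     assert(is_string($username));
     assert(is_string($password));
     $radius = radius_auth_open();
     /* Try to add all radius servers, trigger a failure if no one works. */
     $success = false;
     foreach ($this->servers as $server) {
         if (!isset($server['port'])) {
             $server['port'] = 1812; // standard RADIUS authentication port
         }
         if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], $this->timeout, $this->retries)) {
             SimpleSAML\Logger::info("Could not add radius server: " . radius_strerror($radius));
             continue;
         }
         $success = true;
     }
     if (!$success) {
         throw new Exception('Error adding radius servers, no servers available');
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new Exception('Error creating radius request: ' . radius_strerror($radius));
     }
     $userName = $this->realm === null ? $username : $username . '@' . $this->realm;
     radius_put_attr($radius, RADIUS_USER_NAME, $userName);
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     if ($this->nasIdentifier !== null) {
         radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
     }
     $res = radius_send_request($radius);
     // Strict comparison: radius_send_request() returns false on a transport
     // error, which has to end up in the default branch below.
     if ($res !== RADIUS_ACCESS_ACCEPT) {
         switch ($res) {
             case RADIUS_ACCESS_REJECT:
                 /* Invalid username or password. */
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
             case RADIUS_ACCESS_CHALLENGE:
                 throw new Exception('Radius authentication error: Challenge requested, but not supported.');
             default:
                 throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
         }
     }
     /* If we get this far, we have a valid login. */
     $attributes = array();
     if ($this->usernameAttribute !== null) {
         $attributes[$this->usernameAttribute] = array($username);
     }
     if ($this->vendor === null) {
         /*
          * We aren't interested in any vendor-specific attributes. We are
          * therefore done now.
          */
         return $attributes;
     }
     /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
     while ($resa = radius_get_attr($radius)) {
         if (!is_array($resa)) {
             throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
         }
         /* Use the received user name, but only when a target attribute is
            configured; the old code stored it under a null key otherwise. */
         if ($resa['attr'] === RADIUS_USER_NAME) {
             if ($this->usernameAttribute !== null) {
                 $attributes[$this->usernameAttribute] = array($resa['data']);
             }
             continue;
         }
         if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
             continue;
         }
         $resv = radius_get_vendor_attr($resa['data']);
         if (!is_array($resv)) {
             throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
         }
         /* Loose comparison kept on purpose: the configured vendor/type are
            not guaranteed to be ints. */
         if ($resv['vendor'] != $this->vendor || $resv['attr'] != $this->vendorType) {
             continue;
         }
         /* Vendor attributes are "name=value"; strtok() yields false when the
            '=' is missing, and such values are skipped instead of stored
            under a bogus key. */
         $attrib_name = strtok($resv['data'], '=');
         $attrib_value = strtok('=');
         if ($attrib_name === false || $attrib_value === false) {
             continue;
         }
         /* if the attribute name is already in result set,
            add another value */
         if (array_key_exists($attrib_name, $attributes)) {
             $attributes[$attrib_name][] = $attrib_value;
         } else {
             $attributes[$attrib_name] = array($attrib_value);
         }
     }
     /* end of contribution */
     return $attributes;
 }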
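 /**
  * Puts an attribute.
  *
  * The value is encoded according to $type: 'integer' and 'double' are sent
  * as an integer attribute, 'addr' as an address attribute, 'string' (and
  * any other type name) as raw octets. When $type is omitted it is derived
  * from the PHP type of $value via gettype().
  *
  * @access public
  * @param  integer $attrib       Attribute-number
  * @param  mixed   $value        Attribute-value
  * @param  string  $type         Attribute-type ('integer', 'double', 'addr', 'string'); null = autodetect
  * @return bool  true on success, false on error
  */
 function putAttribute($attrib, $value, $type = null)
 {
     // Autodetect when no type was given. The old loose "== null" also
     // matched '' (and 0), so the empty string still means "not given".
     if ($type === null || $type === '') {
         $type = gettype($value);
     }
     switch ($type) {
         case 'integer':
         case 'double':
             // radius_put_int() takes an int; make the float truncation explicit.
             return radius_put_int($this->res, $attrib, (int) $value);
         case 'addr':
             return radius_put_addr($this->res, $attrib, $value);
         case 'string':
         default:
             return radius_put_attr($this->res, $attrib, $value);
     }
 }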
 /**
  *	Validate login credentials
  *
  *	@param string $uname - The user name requesting access
  *	@param string $pass - Password to use (usually plain text)
  *	@param array &$newvals - reference to an array meant to receive other data read from the server (never filled: see the unreachable code below)
  *	@param boolean $connect_only - TRUE to simply connect to the server
  *
  *	@return integer result (AUTH_xxxx)
  *
  *	NOTE(review): this listing is damaged around the username/password put:
  *	the line containing "******" appears to have swallowed the switch on the
  *	result of radius_send_request(), so the orphaned case labels that follow
  *	cannot be read on their own. Treat that part as illustrative only.
  */
 function login($uname, $pass, &$newvals, $connect_only = FALSE)
 {
     // Create authentification request
     if (!radius_create_request($this->connection, RADIUS_ACCESS_REQUEST)) {
         $this->makeErrorText('RADIUS failed authentification request: ');
         return AUTH_NOCONNECT;
     }
     // Pick up a blank password - always expect one
     if (trim($pass) == '') {
         return AUTH_BADPASSWORD;
     }
     // Attach username and password
     if (!radius_put_attr($this->connection, RADIUS_USER_NAME, $uname) || !radius_put_attr($this->connection, RADIUS_USER_PASSWORD, $pass)) {
         $this->makeErrorText('RADIUS could not attach username/password: '******'CHAP not supported');
             return AUTH_NOUSER;
         case RADIUS_ACCESS_REJECT:
             // Specifically rejected - falls through to the catch-all below
         default:
             // Catch-all
             $this->makeErrorText('RADIUS validation error: ');
             return AUTH_NOUSER;
     }
     // User accepted here.
     if ($connect_only) {
         return AUTH_SUCCESS;
     }
     // Not interested in any attributes returned ATM, so done.
     return AUTH_SUCCESS;
     // Everything below this unconditional return is unreachable; it is the
     // disabled attribute decoder kept for reference.
     // See if we get any attributes - not really any use to us unless we implement CHAP, so disabled ATM
     $attribs = array();
     while ($resa = radius_get_attr($this->connection)) {
         if (!is_array($resa)) {
             $this->makeErrorText("Error getting attribute: ");
             // exit terminates the whole request, not just this login attempt
             exit;
         }
         // Decode attribute according to type (this isn't an exhaustive list)
         // Codes: 2, 3, 4, 5, 30, 31, 32, 60, 61 should never be received by us
         // Codes 17, 21 not assigned
         switch ($resa['attr']) {
             case 8:
                 // IP address to be set (255.255.255.254 indicates 'allocate your own address')
             case 9:
                 // Subnet mask
             case 14:
                 // Login-IP host
                 $attribs[$resa['attr']] = radius_cvt_addr($resa['data']);
                 break;
             case 6:
                 // Service type  (integer bitmap)
             case 7:
                 // Protocol (integer bitmap)
             case 10:
                 // Routing method (integer)
             case 12:
                 // Framed MTU
             case 13:
                 // Compression method
             case 15:
                 // Login service (bitmap)
             case 16:
                 // Login TCP port
             case 23:
                 // Framed IPX network (0xFFFFFFFE indicates 'allocate your own')
             case 27:
                 // Session timeout - maximum connection/login time in seconds
             case 28:
                 // Idle timeout in seconds
             case 29:
                 // Termination action
             case 37:
                 // AppleTalk link number
             case 38:
                 // AppleTalk network
             case 62:
                 // Max ports
             case 63:
                 // Login LAT port
                 $attribs[$resa['attr']] = radius_cvt_int($resa['data']);
                 break;
             case 1:
                 // User name
             case 11:
                 // Filter ID - could get several of these
             case 18:
                 // Reply message (text, various purposes)
             case 19:
                 // Callback number
             case 20:
                 // Callback ID
             case 22:
                 // Framed route - could get several of these
             case 24:
                 // State - used in CHAP
             case 25:
                 // Class
             case 26:
                 // Vendor-specific
             case 33:
                 // Proxy State
             case 34:
                 // Login LAT service
             case 35:
                 // Login LAT node
             case 36:
                 // Login LAT group
             case 39:
                 // AppleTalk zone
             default:
                 $attribs[$resa['attr']] = radius_cvt_string($resa['data']);
                 // Default to string type
         }
         // Debug output straight to the response body; reply attributes can
         // carry server-side data (Class, Reply-Message, ...) this would expose.
         printf("Got Attr: %d => %d Bytes %s\n", $resa['attr'], strlen($attribs[$resa['attr']]), $attribs[$resa['attr']]);
     }
     return AUTH_SUCCESS;
 }
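 /**
  * Find out if a set of login credentials are valid.
  *
  * Builds an Access-Request carrying NAS-Identifier, NAS-Port-Type,
  * Service-Type, Framed-Protocol, Calling-Station-Id, User-Name and
  * User-Password from $this->_params and the given credentials, sends it
  * and returns normally only on Access-Accept.
  *
  * @param string $username    The userId to check.
  * @param array $credentials  An array of login credentials.
  *                            For radius, this must contain a password
  *                            entry.
  *
  * @throws Horde_Auth_Exception  on a missing password, on server/request
  *                               setup failure, on Access-Reject, on
  *                               Access-Challenge and on any other reply.
  */
 protected function _authenticate($username, $credentials)
 {
     /* Password is required. */
     if (!isset($credentials['password'])) {
         throw new Horde_Auth_Exception('Password required for RADIUS authentication.');
     }
     $res = radius_auth_open();
     /* Both setup calls return false on failure; left unchecked (as before)
        the request would be sent against no server / without a request. */
     if (!radius_add_server($res, $this->_params['host'], $this->_params['port'], $this->_params['secret'], $this->_params['timeout'], $this->_params['retries'])) {
         throw new Horde_Auth_Exception('Could not add RADIUS server: ' . radius_strerror($res));
     }
     if (!radius_create_request($res, RADIUS_ACCESS_REQUEST)) {
         throw new Horde_Auth_Exception('Could not create RADIUS request: ' . radius_strerror($res));
     }
     radius_put_attr($res, RADIUS_NAS_IDENTIFIER, $this->_params['nas']);
     /* NAS-Port-Type, Service-Type and Framed-Protocol are integer
        attributes; radius_put_attr() would send the decimal text of the
        constant instead of the integer encoding. */
     radius_put_int($res, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
     radius_put_int($res, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
     radius_put_int($res, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
     radius_put_attr($res, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '127.0.0.1');
     /* Insert username/password into request. */
     radius_put_attr($res, RADIUS_USER_NAME, $username);
     radius_put_attr($res, RADIUS_USER_PASSWORD, $credentials['password']);
     /* Send request. */
     $success = radius_send_request($res);
     switch ($success) {
         case RADIUS_ACCESS_ACCEPT:
             break;
         case RADIUS_ACCESS_REJECT:
             throw new Horde_Auth_Exception('Authentication rejected by RADIUS server.');
         case RADIUS_ACCESS_CHALLENGE:
             /* Challenge/response is not implemented here; say so instead of
                reporting it through radius_strerror() as a generic error. */
             throw new Horde_Auth_Exception('RADIUS server requested a challenge, which is not supported.');
         default:
             throw new Horde_Auth_Exception(radius_strerror($res));
     }
 }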
}
if ($auth_type == 'chap') {
    echo "CHAP<br>\n";
    /* generate Challenge */
    mt_srand(time());
    $chall = mt_rand();
    // FYI: CHAP = md5(ident + plaintextpass + challenge)
    $chapval = pack('H*', md5(pack('Ca*', 1, $password . $chall)));
    //    $chapval = md5(pack('Ca*',1 , $password . $chall));
    // Radius wants the CHAP Ident in the first byte of the CHAP-Password
    $pass = pack('C', 1) . $chapval;
    if (!radius_put_attr($res, RADIUS_CHAP_PASSWORD, $pass)) {
        echo 'RadiusError: RADIUS_CHAP_PASSWORD:'******'RadiusError: RADIUS_CHAP_CHALLENGE:' . radius_strerror($res) . "<br>\n";
        exit;
    }
} else {
    if ($auth_type == 'mschapv1') {
        echo "MS-CHAPv1<br>\n";
        include_once 'mschap.php';
        $challenge = GenerateChallenge();
        printf("Challenge:%s\n", bin2hex($challenge));
        if (!radius_put_vendor_attr($res, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge)) {
            echo 'RadiusError: RADIUS_MICROSOFT_MS_CHAP_CHALLENGE:' . radius_strerror($res) . "<br>\n";
            exit;
        }
        $ntresp = ChallengeResponse($challenge, NtPasswordHash($password));
        $lmresp = str_repeat("", 24);
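 /**
  * Attempt to log in using the given username and password.
  *
  * Sends an Access-Request with User-Name, User-Password and (when
  * configured) NAS-Identifier to the single configured server. On
  * Access-Accept the result holds the user name under
  * $this->usernameAttribute and any "name=value" pairs carried in
  * vendor-specific attributes for $this->vendor / $this->vendorType.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error  'WRONGUSERPASS' on Access-Reject.
  * @throws Exception  on server/request setup failure, on Access-Challenge
  *                    (unsupported) and on any other error reply.
  */
 protected function login($username, $password)
 {
     // String-form assert() is deprecated since PHP 7.2 and ignored in PHP 8.
     assert(is_string($username));
     assert(is_string($password));
     $radius = radius_auth_open();
     if (!radius_add_server($radius, $this->hostname, $this->port, $this->secret, $this->timeout, $this->retries)) {
         throw new Exception('Error connecting to radius server: ' . radius_strerror($radius));
     }
     if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
         throw new Exception('Error creating radius request: ' . radius_strerror($radius));
     }
     radius_put_attr($radius, RADIUS_USER_NAME, $username);
     radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
     // Explicit checks instead of the loose "!= NULL": an identifier of '0'
     // is sent, an empty one is still skipped.
     if ($this->nasIdentifier !== null && $this->nasIdentifier !== '') {
         radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
     }
     $res = radius_send_request($radius);
     // Strict comparison; a transport error (false) ends up in the default branch.
     if ($res !== RADIUS_ACCESS_ACCEPT) {
         switch ($res) {
             case RADIUS_ACCESS_REJECT:
                 /* Invalid username or password. */
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
             case RADIUS_ACCESS_CHALLENGE:
                 throw new Exception('Radius authentication error: Challenge requested, but not supported.');
             default:
                 throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
         }
     }
     /* If we get this far, we have a valid login. */
     $attributes = array();
     if ($this->usernameAttribute !== null) {
         $attributes[$this->usernameAttribute] = array($username);
     }
     if ($this->vendor === null) {
         /*
          * We aren't interested in any vendor-specific attributes. We are
          * therefore done now.
          */
         return $attributes;
     }
     /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
     while ($resa = radius_get_attr($radius)) {
         if (!is_array($resa)) {
             throw new Exception('Error getting radius attributes: ' . radius_strerror($radius));
         }
         if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
             continue;
         }
         $resv = radius_get_vendor_attr($resa['data']);
         if (!is_array($resv)) {
             throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius));
         }
         $vendor = $resv['vendor'];
         $attrv = $resv['attr'];
         $datav = $resv['data'];
         /*
          * Uncomment this to debug vendor attributes.
          */
         //printf("Got Vendor Attr:%d %d Bytes %s<br/>", $attrv, strlen($datav), bin2hex($datav));
         /* Loose comparison kept: the configured vendor/type may be strings. */
         if ($vendor != $this->vendor || $attrv != $this->vendorType) {
             continue;
         }
         /* "name=value"; strtok() returns false when no '=' is present, and
            such a value is dropped rather than filed under a bogus key. */
         $attrib_name = strtok($datav, '=');
         $attrib_value = strtok('=');
         if ($attrib_name === false || $attrib_value === false) {
             continue;
         }
         /* if the attribute name is already in result set, add another value */
         if (!array_key_exists($attrib_name, $attributes)) {
             $attributes[$attrib_name] = array();
         }
         $attributes[$attrib_name][] = $attrib_value;
     }
     /* end of contribution */
     return $attributes;
 }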
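 /**
  * Authenticate the configured user
  *
  * Builds an Access-Request from getUsername() (with the authentication
  * realm appended) and getPassword(), sends it over $this->radius and maps
  * the reply code to an authentication result.
  *
  * @return Zend\Authentication\Result  SUCCESS on Access-Accept,
  *         FAILURE_CREDENTIAL_INVALID on Access-Reject, FAILURE_UNCATEGORIZED
  *         (with radius_strerror() as message) otherwise.
  */
 public function authenticate()
 {
     // Create RADIUS request; report a failure here instead of discovering it
     // only when the send fails.
     if (!radius_create_request($this->radius, RADIUS_ACCESS_REQUEST)) {
         return new Authentication\Result(Authentication\Result::FAILURE_UNCATEGORIZED, $this->getUsername(), array(radius_strerror($this->radius)));
     }
     // Compare against '' rather than by truthiness so a user named "0" is still sent.
     $username = $this->getUsername();
     if ((string) $username !== '') {
         radius_put_attr($this->radius, RADIUS_USER_NAME, $username . $this->getAuthenticationRealm());
     }
     $password = $this->getPassword();
     if ((string) $password !== '') {
         radius_put_attr($this->radius, RADIUS_USER_PASSWORD, $password);
     }
     //Send
     $result = radius_send_request($this->radius);
     switch ($result) {
         case RADIUS_ACCESS_ACCEPT:
             return new Authentication\Result(Authentication\Result::SUCCESS, $this->getUsername());
         case RADIUS_ACCESS_REJECT:
             return new Authentication\Result(Authentication\Result::FAILURE_CREDENTIAL_INVALID, $this->getUsername(), array(radius_strerror($this->radius)));
         default:
             // The old var_dump($result) wrote the raw reply code into the
             // response body; the error is carried in the Result instead.
             return new Authentication\Result(Authentication\Result::FAILURE_UNCATEGORIZED, $this->getUsername(), array(radius_strerror($this->radius)));
     }
 }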
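/**
 * Check username and password against RADIUS authentication backend.
 *
 * The request is built according to $config['auth_radius_method']
 * ('chap'/'chap_md5', 'mschapv1', 'mschapv2'; anything else = PAP), then
 * NAS-IP-Address (or NAS-IPv6-Address), NAS-Identifier and
 * Calling-Station-Id are attached and the request is sent on the global
 * $rad handle prepared by radius_init().
 *
 * @param string $username User name to check
 * @param string $password User password to check
 * @return int Authentication success (0 = fail, 1 = success) FIXME bool
 */
function radius_authenticate($username, $password)
{
    global $config, $rad;
    radius_init();
    // An empty user name or a missing handle cannot authenticate. Compared
    // explicitly so that a user literally named "0" is not rejected up front.
    if ((string) $username === '' || !$rad) {
        //session_logout();
        return 0;
    }
    //print_vars(radius_server_secret($rad));
    radius_create_request($rad, RADIUS_ACCESS_REQUEST);
    radius_put_attr($rad, RADIUS_USER_NAME, $username);
    $method = isset($config['auth_radius_method']) ? strtolower($config['auth_radius_method']) : '';
    $chapid = 1; // CHAP identifier shared by every challenge/response method below
    switch ($method) {
        // CHAP-MD5 see RFC1994
        case 'chap':
        case 'chap_md5':
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MD5();
            $crpt->password = $password;
            $challenge = $crpt->challenge;
            // CHAP-Password = identifier octet followed by the MD5 response
            $resp = pack('C', $chapid) . $crpt->challengeResponse();
            radius_put_attr($rad, RADIUS_CHAP_PASSWORD, $resp);
            radius_put_attr($rad, RADIUS_CHAP_CHALLENGE, $challenge);
            break;
        // MS-CHAPv1 see RFC2433
        case 'mschapv1':
            $flags = 1; // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MSv1();
            $crpt->password = $password;
            $challenge = $crpt->challenge;
            // MS-CHAP-Response is ident(1) flags(1) LM-Response(24) NT-Response(24).
            // The LM field has to be 24 NUL octets: str_repeat("", 24) is "".
            $resp_lm = str_repeat("\0", 24);
            $resp_nt = $crpt->challengeResponse();
            $resp = pack('CC', $chapid, $flags) . $resp_lm . $resp_nt;
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
            break;
        // MS-CHAPv2 see RFC2759
        case 'mschapv2':
            $flags = 1; // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
            new Crypt_CHAP(); // Pre load class
            $crpt = new Crypt_CHAP_MSv2();
            $crpt->username = $username;
            $crpt->password = $password;
            $challenge = $crpt->authChallenge;
            $challenge_p = $crpt->peerChallenge;
            $resp_nt = $crpt->challengeResponse();
            // Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response
            // ('a8' NUL-pads the reserved field; an explicit NUL string keeps the intent visible.)
            $resp = pack('CCa16a8a24', $chapid, $flags, $challenge_p, str_repeat("\0", 8), $resp_nt);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp);
            radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
            break;
        // PAP (Plaintext)
        default:
            radius_put_attr($rad, RADIUS_USER_PASSWORD, $password);
    }
    // Puts standard attributes
    $nas_address = isset($config['auth_radius_nas_address']) ? $config['auth_radius_nas_address'] : '';
    if ($nas_address !== '' && get_ip_version($nas_address)) {
        $radius_ip = $nas_address;
    } elseif (isset($_SERVER['SERVER_ADDR'])) {
        $radius_ip = $_SERVER['SERVER_ADDR'];
    } else {
        $radius_ip = '127.0.0.1'; // e.g. CLI, where SERVER_ADDR is not set
    }
    if (get_ip_version($radius_ip) == 6) {
        // NAS-IPv6-Address carries the 16 raw octets (RFC 3162), not the text form.
        radius_put_attr($rad, RADIUS_NAS_IPV6_ADDRESS, inet_pton($radius_ip));
    } else {
        radius_put_addr($rad, RADIUS_NAS_IP_ADDRESS, $radius_ip);
    }
    $radius_id = empty($config['auth_radius_id']) ? get_localhost() : $config['auth_radius_id'];
    radius_put_attr($rad, RADIUS_NAS_IDENTIFIER, $radius_id);
    //radius_put_attr($rad, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
    //radius_put_attr($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
    //radius_put_attr($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
    radius_put_attr($rad, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1');
    $response = radius_send_request($rad);
    //print_vars($response);
    switch ($response) {
        case RADIUS_ACCESS_ACCEPT:
            // The RADIUS server authenticated the user successfully.
            return 1;
        case RADIUS_ACCESS_REJECT:
            // The RADIUS server could not authenticate the user.
            break;
        case RADIUS_ACCESS_CHALLENGE:
            // The server requires further information in another Access-Request
            // before authenticating the user; not supported here.
            break;
        default:
            print_error('A RADIUS error has occurred: ' . radius_strerror($rad));
    }
    //session_logout();
    return 0;
}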
 /**
  * Perform authentication using a RADIUS server.
  *
  * Reads server, port, shared secret, timeout and retry settings from the
  * 'mfa' settings, sends an Access-Request whose User-Name is the device
  * secret and whose User-Password is $token, and maps the reply code to a
  * boolean.
  *
  * NOTE(review): the listing is damaged at the line containing "******":
  * the calls that create $rh (radius_auth_open()/radius_add_server()) appear
  * to have been swallowed, so $rh looks undefined when read in isolation.
  *
  * @param Mfa_OtpdeviceDao $otpDevice  Device whose getSecret() is sent as User-Name
  * @param Mfa_ApitokenDao $token  NOTE(review): concatenated into strings and
  *                                passed as User-Password, so it is handled as a
  *                                string here despite the declared type - confirm
  * @return bool  true on Access-Accept, false on Access-Reject or Access-Challenge
  * @throws Zend_Exception  when the extension is missing, the request cannot be
  *                         built, or the server returns any other reply/error
  */
 protected function _radiusauth($otpDevice, $token)
 {
     /** @var SettingModel $settingModel */
     $settingModel = MidasLoader::loadModel('Setting');
     $radiusserver = $settingModel->GetValueByName('radiusServer', 'mfa');
     $radiusport = $settingModel->GetValueByName('radiusPort', 'mfa');
     $radiuspw = $settingModel->GetValueByName('radiusPassword', 'mfa');
     $radiusTimeout = $settingModel->GetValueByName('radiusTimeout', 'mfa');
     $radiusMaxTries = $settingModel->GetValueByName('radiusMaxTries', 'mfa');
     if (!function_exists('radius_auth_open')) {
         throw new Zend_Exception('RADIUS is not enabled on the server');
     }
     $this->getLogger()->debug('Midas Server RADIUS trying to authenticate user: '******'Cannot connect to the RADIUS server: ' . radius_strerror($rh));
     }
     if (!radius_create_request($rh, RADIUS_ACCESS_REQUEST)) {
         throw new Zend_Exception('Cannot process requests to RADIUS server: ' . radius_strerror($rh));
     }
     /* this is the key parameter */
     radius_put_attr($rh, RADIUS_USER_NAME, $otpDevice->getSecret());
     /* this is the one time pin + 6-digit hard token or 8 digit smart token */
     radius_put_attr($rh, RADIUS_USER_PASSWORD, $token);
     switch (radius_send_request($rh)) {
         case RADIUS_ACCESS_ACCEPT:
             $this->getLogger()->debug('Midas Server RADIUS successful authentication ' . 'for ' . $otpDevice->getSecret());
             return true;
         case RADIUS_ACCESS_REJECT:
             $this->getLogger()->info('Midas Server RADIUS failed authentication for ' . $otpDevice->getSecret());
             return false;
         case RADIUS_ACCESS_CHALLENGE:
             // Challenge/response is not implemented; a challenge counts as a failed attempt.
             $this->getLogger()->info('Midas Server RADIUS challenge requested for ' . $otpDevice->getSecret());
             return false;
         default:
             // NOTE(review): this log line includes the submitted token - the
             // credential itself - in plain text, so the log sink holds it.
             $this->getLogger()->info('Midas Server RADIUS error during authentication ' . 'for ' . $otpDevice->getSecret() . ' with Token: ' . $token . '. Error: ' . radius_strerror($rh));
             throw new Zend_Exception('Error during RADIUS authentication: ' . radius_strerror($rh));
     }
 }