 
 From:  "Bernie O'Connor" <Bernie dot OConnor at sas dot com>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  1.2b9 - authcode patch with updates to work with Cisco ACS Radius server
 Date:  Wed, 17 Aug 2005 11:11:10 -0400
This adds capability for a new variable in the user specified Captive Portal page: auth_code. 
Auth_code represents a one-time use passcode in lieu of userid/password.  The code  presumes that an
entered passcode represents the userid and password values to be sent to the radius server.  We
pre-print these codes on card stock that looks like a bookmark and distribute to visitors as needed
for internet access.  Backend code on the radius server turns off the passcode after the day of its
onetime use.  Didn't know if anyone else would be interested in this sort of thing... I'm not a PHP
coder, so nothing in this simple patch prevents someone from entering a userid/password and a passcode
at the same time.

Update:  added the radius attributes to allow m0n0wall to work with Cisco ACS Radius server.
-----------------------------------------
diff -Naurc 1.2b9-dist/mfs/usr/local/captiveportal/index.php
1.2b9-dev/mfs/usr/local/captiveportal/index.php
*** 1.2b9-dist/mfs/usr/local/captiveportal/index.php	Sun Jun 19 05:58:27 2005
--- 1.2b9-dev/mfs/usr/local/captiveportal/index.php	Mon Aug 15 12:31:31 2005
***************
*** 66,82 ****
  	/* authenticate against radius server */
  	$radiusservers = captiveportal_get_radius_servers();
  	
! 	if ($_POST['auth_user'] && $_POST['auth_pass']) {
! 		$auth_val = RADIUS_AUTHENTICATION($_POST['auth_user'],
! 										  $_POST['auth_pass'],
  							  			  $radiusservers[0]['ipaddr'],
  							  			  $radiusservers[0]['port'],
! 							  			  $radiusservers[0]['key']);
  		if ($auth_val == 2) {
! 			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
! 			$sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user'], $_POST['auth_pass']);
  			if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
! 				$auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'],
  													$sessionid,
  													$radiusservers[0]['ipaddr'],
  													$radiusservers[0]['acctport'],
--- 66,94 ----
  	/* authenticate against radius server */
  	$radiusservers = captiveportal_get_radius_servers();
  	
!         $radius_user = $_POST['auth_user'];
!         $radius_pass = $_POST['auth_pass'];
!         $radius_code = $_POST['auth_code'];
! 
!         /* if we have a code, then use code as both userid and password *blo* */
!         if ($radius_code) {
!                 $radius_user =  $radius_code;
!                 $radius_pass =  $radius_code;
! #                print "second user: .$radius_user. pass: .$radius_pass. code: .$radius_code.";
!                 }
! 
! 	if ($radius_user && $radius_pass) {
! 		$auth_val = RADIUS_AUTHENTICATION($radius_user,
! 										  $radius_pass,
  							  			  $radiusservers[0]['ipaddr'],
  							  			  $radiusservers[0]['port'],
! 							  			  $radiusservers[0]['key'],
!   $clientip);
  		if ($auth_val == 2) {
! 			captiveportal_logportalauth($radius_user,$clientmac,$clientip,"LOGIN");
! 			$sessionid = portal_allow($clientip, $clientmac, $radius_user, $radius_pass);
  			if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
! 				$auth_val = RADIUS_ACCOUNTING_START($radius_user,
  													$sessionid,
  													$radiusservers[0]['ipaddr'],
  													$radiusservers[0]['acctport'],
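Review bot: The passcode path at L50-L54 silently overrides whatever was typed into auth_user/auth_pass, so a form that submits both fields authenticates as the passcode with no indication to the user or in the log; the cover note admits this. Let the code win only when it is the sole credential, `if ($radius_code && !$radius_user && !$radius_pass) {`, with a comment such as `/* a one-time passcode is accepted only on its own; typed credentials take precedence */`, so a mixed submission goes through the normal user/pass branch instead of an unintended one. The commented-out `print` on L53 would write the passcode into the portal page if re-enabled and should be removed rather than left in. The if/else that selects RADIUS authentication opens before this hunk, so the surrounding control flow is inferred from the `} else {` lines in the following hunks.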
***************
*** 84,90 ****
  													$clientip);
  			}
  		} else {
! 			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
  			readfile("{$g['varetc_path']}/captiveportal-error.html");
  		}
  	} else {
--- 96,102 ----
  													$clientip);
  			}
  		} else {
! 			captiveportal_logportalauth($radius_user,$clientmac,$clientip,"FAILURE");
  			readfile("{$g['varetc_path']}/captiveportal-error.html");
  		}
  	} else {
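Review bot: The FAILURE log on L84 now records `$radius_user`, which in the auth_code path is the passcode itself, so every mistyped one-time code lands in the portal auth log in clear, as does every successfully used one via the LOGIN line in the previous hunk. Since a near-miss of a valid code, or a code still valid for the rest of the day, is worth more than a username, log a marker instead: `captiveportal_logportalauth($radius_code ? "auth_code" : $radius_user, $clientmac, $clientip, "FAILURE");`, and apply the same substitution on the LOGIN line. How long a code stays valid is stated only in the cover note, not in the code, so the size of that exposure window is inferred.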
***************
*** 96,111 ****
  	//check against local usermanager
  
  	//erase expired accounts
! 	if(trim($config['users'][$_POST['auth_user']]['expirationdate'])!="" && strtotime("-1
day")>strtotime($config['users'][$_POST['auth_user']]['expirationdate'])){
! 		unset($config['users'][$_POST['auth_user']]);
  		write_config();
  	}
  
! 	if($config['users'][$_POST['auth_user']]['password']==md5($_POST['auth_pass'])){
! 		captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
! 		portal_allow($clientip, $clientmac,$_POST['auth_user'],0,0);
  	} else {
! 		captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
  		readfile("{$g['varetc_path']}/captiveportal-error.html");
  	}
  } else if ($_POST['accept'] && $clientip) {
--- 108,123 ----
  	//check against local usermanager
  
  	//erase expired accounts
! 	if(trim($config['users'][$radius_user]['expirationdate'])!="" && strtotime("-1
day")>strtotime($config['users'][$radius_user]['expirationdate'])){
! 		unset($config['users'][$radius_user]);
  		write_config();
  	}
  
! 	if($config['users'][$radius_user]['password']==md5($radius_pass)){
! 		captiveportal_logportalauth($radius_user,$clientmac,$clientip,"LOGIN");
! 		portal_allow($clientip, $clientmac,$radius_user,0,0);
  	} else {
! 		captiveportal_logportalauth($radius_user,$clientmac,$clientip,"FAILURE");
  		readfile("{$g['varetc_path']}/captiveportal-error.html");
  	}
  } else if ($_POST['accept'] && $clientip) {
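Review bot: `$radius_user` and `$radius_pass` are read throughout this local-usermanager branch (L111-L121) but are only assigned inside the RADIUS block of the first hunk, which, judging by the `} else {` closing the previous hunk, is the alternative branch to this one; if so, every local-usermanager login now compares `$config['users']['']['password']` against `md5('')` and fails, and PHP emits undefined-variable notices on each request. Move the three `$_POST` reads and the passcode-folding block ahead of the RADIUS/local `if` so both branches see the same values. The opener of that `if` is outside the diff, so this cannot be confirmed from the hunks alone.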
diff -Naurc 1.2b9-dist/mfs/usr/local/captiveportal/radius_authentication.inc
1.2b9-dev/mfs/usr/local/captiveportal/radius_authentication.inc
*** 1.2b9-dist/mfs/usr/local/captiveportal/radius_authentication.inc	Sun Jun 19 05:58:27 2005
--- 1.2b9-dev/mfs/usr/local/captiveportal/radius_authentication.inc	Wed Aug 17 14:47:04 2005
***************
*** 28,34 ****
  	// was also fixed and patches submitted to Edwin. This bug would
  	// have caused authentication to fail on every access.
  
! function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey) {
  	$sharedsecret=$radiuskey ;
  	# $debug = 1 ;
  
--- 28,34 ----
  	// was also fixed and patches submitted to Edwin. This bug would
  	// have caused authentication to fail on every access.
  
! function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey,$clientip) {
  	$sharedsecret=$radiuskey ;
  	# $debug = 1 ;
  
***************
*** 44,50 ****
  	stream_set_timeout($fd, 5) ;
  
  	if ($debug)
! 	    echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
  
  	$RA=pack("CCCCCCCCCCCCCCCC",				// auth code
  	    1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
--- 44,50 ----
  	stream_set_timeout($fd, 5) ;
  
  	if ($debug)
! 	    echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username:
$username<br>clientip:  $clientip<hr>\n";
  
  	$RA=pack("CCCCCCCCCCCCCCCC",				// auth code
  	    1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
***************
*** 60,78 ****
  		2+strlen($username)+		// username
  		2+strlen($encryptedpassword)+	// userpassword
  		2+strlen($nasHostname[0])+			// nasIdentifier
  		6+				// nasPort
  		6;				// nasPortType
  
  	$thisidentifier=rand()%256;
  	//          v   v v     v   v   v   v     v     v
  	// Line #   1   2 3     4   5   6   7     8     E
! 	$data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC",
  	    1,$thisidentifier,$length/256,$length%256,		// header
  	    $RA,						// authcode
  	    6,6,0,0,0,1,					// service type
  	    1,2+strlen($username),$username,			// username
  	    2,2+strlen($encryptedpassword),$encryptedpassword,	// userpassword
  	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
  	    5,6,0,0,0,0,						// nasPort
  	    61,6,0,0,0,15						// nasPortType = Ethernet
  	    );
--- 60,80 ----
  		2+strlen($username)+		// username
  		2+strlen($encryptedpassword)+	// userpassword
  		2+strlen($nasHostname[0])+			// nasIdentifier
+ 		2+strlen($clientip)+		// Calling-Station-ID
  		6+				// nasPort
  		6;				// nasPortType
  
  	$thisidentifier=rand()%256;
  	//          v   v v     v   v   v   v     v     v
  	// Line #   1   2 3     4   5   6   7     8     E
! 	$data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCA*CCCCCCCCCCCC",
  	    1,$thisidentifier,$length/256,$length%256,		// header
  	    $RA,						// authcode
  	    6,6,0,0,0,1,					// service type
  	    1,2+strlen($username),$username,			// username
  	    2,2+strlen($encryptedpassword),$encryptedpassword,	// userpassword
  	    32,2+strlen($nasHostname[0]),$nasHostname[0],	// nasIdentifier
+ 	    31,2+strlen($clientip),$clientip,			// Calling-Station-ID
  	    5,6,0,0,0,0,						// nasPort
  	    61,6,0,0,0,15						// nasPortType = Ethernet
  	    );
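Review bot: The Calling-Station-Id attribute added on L189 and L203 is emitted unconditionally, so an empty or NULL `$clientip` yields an attribute with Length 2, which RFC 2865 section 5.31 forbids (minimum Length 3) and which a strict server may treat as a malformed packet rather than a merely absent attribute; a value over 253 bytes would also overflow the one-byte length field, though a dotted-quad address from the portal cannot reach that. L196 also switches the new field to `A*` where every other string in the packet uses `a*`; with a `*` count both behave the same in PHP's pack(), but the inconsistency invites a wrong "fix" later. Build the attribute separately and append it only when the value is well-formed, which keeps the `$length` arithmetic tied to what is actually sent:

```php
// … unchanged: $length sum of the fixed attributes, without the 2+strlen($clientip) term …
$csid = '';
if (strlen($clientip) > 0 && strlen($clientip) <= 253) {
    // RFC 2865 5.31: Calling-Station-Id needs at least one byte of value,
    // and the one-byte Length field caps the value at 253 bytes
    $csid = pack("CCa*", 31, 2 + strlen($clientip), $clientip);
}
$length += strlen($csid);
// … unchanged: $thisidentifier …
$data = pack("CCCCa*CCCCCCCCa*CCa*CCa*",
    1, $thisidentifier, $length/256, $length%256,        // header
    $RA,                                                 // authcode
    6,6,0,0,0,1,                                         // service type
    1, 2+strlen($username), $username,                   // username
    2, 2+strlen($encryptedpassword), $encryptedpassword, // userpassword
    32, 2+strlen($nasHostname[0]), $nasHostname[0]       // nasIdentifier
    )
    . $csid                                              // Calling-Station-Id, only when set
    . pack("CCCCCCCCCCCC",
    5,6,0,0,0,0,                                         // nasPort
    61,6,0,0,0,15                                        // nasPortType = Ethernet
    );
```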
***************
*** 81,86 ****
--- 83,89 ----
  		echo "username is $username with len " . strlen($username) ."\n" ;
  		echo "encryptedpassword is $encryptedpassword with len " . strlen($encryptedpassword) ."\n" ;
  		echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
+ 		echo "clientip is $clientip with len " . strlen($clientip) . "\n" ;
  	}	
  
  	$ret = fwrite($fd,$data) ;