This adds capability for a new variable in the user specified Captive Portal page: auth_code.
Auth_code represents a one-time use passcode in lieu of userid/password. The code presumes that an
entered passcode represents the userid and password values to be sent to the radius server. We
pre-print these codes on card stock that looks like a bookmark and distribute to visitors as needed
for internet access. Backend code on the radius server turns off the passcode after the day of its
onetime use. I don't know whether anyone else would be interested in this sort of thing. I'm not a PHP
coder, so nothing in this simple patch prevents someone from entering a userid/password and a passcode at
the same time.
Update: added the radius attributes to allow m0n0wall to work with Cisco ACS Radius server.
-----------------------------------------
diff -Naurc 1.2b9-dist/mfs/usr/local/captiveportal/index.php
1.2b9-dev/mfs/usr/local/captiveportal/index.php
*** 1.2b9-dist/mfs/usr/local/captiveportal/index.php Sun Jun 19 05:58:27 2005
--- 1.2b9-dev/mfs/usr/local/captiveportal/index.php Mon Aug 15 12:31:31 2005
***************
*** 66,82 ****
/* authenticate against radius server */
$radiusservers = captiveportal_get_radius_servers();
! if ($_POST['auth_user'] && $_POST['auth_pass']) {
! $auth_val = RADIUS_AUTHENTICATION($_POST['auth_user'],
! $_POST['auth_pass'],
$radiusservers[0]['ipaddr'],
$radiusservers[0]['port'],
! $radiusservers[0]['key']);
if ($auth_val == 2) {
! captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
! $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user'], $_POST['auth_pass']);
if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
! $auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'],
$sessionid,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['acctport'],
--- 66,94 ----
/* authenticate against radius server */
$radiusservers = captiveportal_get_radius_servers();
! $radius_user = $_POST['auth_user'];
! $radius_pass = $_POST['auth_pass'];
! $radius_code = $_POST['auth_code'];
!
! /* if we have a code, then use code as both userid and password *blo* */
! if ($radius_code) {
! $radius_user = $radius_code;
! $radius_pass = $radius_code;
! # print "second user: .$radius_user. pass: .$radius_pass. code: .$radius_code.";
! }
!
! if ($radius_user && $radius_pass) {
! $auth_val = RADIUS_AUTHENTICATION($radius_user,
! $radius_pass,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['port'],
! $radiusservers[0]['key'],
! $clientip);
if ($auth_val == 2) {
! captiveportal_logportalauth($radius_user,$clientmac,$clientip,"LOGIN");
! $sessionid = portal_allow($clientip, $clientmac, $radius_user, $radius_pass);
if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
! $auth_val = RADIUS_ACCOUNTING_START($radius_user,
$sessionid,
$radiusservers[0]['ipaddr'],
$radiusservers[0]['acctport'],
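Review bot: The one-time passcode is a secret, yet once `$radius_code` is set it becomes `$radius_user` and is passed as the username to `captiveportal_logportalauth()` on the LOGIN line of this hunk and on the FAILURE lines of the two following hunks, so every used and every mistyped code is written to the portal log in clear text. A derived `$log_user = $radius_code ? 'auth_code' : $radius_user;` placed next to the override block and used in the log calls instead of `$radius_user` would keep the log useful without recording the credential. Two smaller points in the same block: `$_POST['auth_code']` is read without `isset()`, so a portal page that does not carry the new field raises an undefined-index notice on every login — `$radius_code = isset($_POST['auth_code']) ? $_POST['auth_code'] : '';` — and the commented-out `# print "second user: ..."` line should be deleted rather than left in, since re-enabling it would echo the submitted credentials into the page. The `if`/`else` enclosing the RADIUS branch starts and ends outside the hunk.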
***************
*** 84,90 ****
$clientip);
}
} else {
! captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
readfile("{$g['varetc_path']}/captiveportal-error.html");
}
} else {
--- 96,102 ----
$clientip);
}
} else {
! captiveportal_logportalauth($radius_user,$clientmac,$clientip,"FAILURE");
readfile("{$g['varetc_path']}/captiveportal-error.html");
}
} else {
***************
*** 96,111 ****
//check against local usermanager
//erase expired accounts
! if(trim($config['users'][$_POST['auth_user']]['expirationdate'])!="" && strtotime("-1
day")>strtotime($config['users'][$_POST['auth_user']]['expirationdate'])){
! unset($config['users'][$_POST['auth_user']]);
write_config();
}
! if($config['users'][$_POST['auth_user']]['password']==md5($_POST['auth_pass'])){
! captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
! portal_allow($clientip, $clientmac,$_POST['auth_user'],0,0);
} else {
! captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
readfile("{$g['varetc_path']}/captiveportal-error.html");
}
} else if ($_POST['accept'] && $clientip) {
--- 108,123 ----
//check against local usermanager
//erase expired accounts
! if(trim($config['users'][$radius_user]['expirationdate'])!="" && strtotime("-1
day")>strtotime($config['users'][$radius_user]['expirationdate'])){
! unset($config['users'][$radius_user]);
write_config();
}
! if($config['users'][$radius_user]['password']==md5($radius_pass)){
! captiveportal_logportalauth($radius_user,$clientmac,$clientip,"LOGIN");
! portal_allow($clientip, $clientmac,$radius_user,0,0);
} else {
! captiveportal_logportalauth($radius_user,$clientmac,$clientip,"FAILURE");
readfile("{$g['varetc_path']}/captiveportal-error.html");
}
} else if ($_POST['accept'] && $clientip) {
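Review bot: The local-usermanager branch now keys `$config['users'][$radius_user]` on whatever `$radius_user` holds, so a submitted passcode is looked up as a local account name and compared against `md5($radius_pass)`; with the override in the first hunk that means a code is accepted here only if a local account exists whose username and password are both the code, which is almost certainly not intended. Whether `$radius_user`/`$radius_pass` are assigned at all on the path that reaches this block depends on the surrounding `if`/`else` structure, which starts outside the hunk; if they are not, the lookup runs on undefined variables. Either keep this branch on `$_POST['auth_user']`/`$_POST['auth_pass']` with a comment `// auth_code is a RADIUS-only credential; local accounts still log in with auth_user/auth_pass`, or reject a request carrying `auth_code` before it gets here.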
diff -Naurc 1.2b9-dist/mfs/usr/local/captiveportal/radius_authentication.inc
1.2b9-dev/mfs/usr/local/captiveportal/radius_authentication.inc
*** 1.2b9-dist/mfs/usr/local/captiveportal/radius_authentication.inc Sun Jun 19 05:58:27 2005
--- 1.2b9-dev/mfs/usr/local/captiveportal/radius_authentication.inc Wed Aug 17 14:47:04 2005
***************
*** 28,34 ****
// was also fixed and patches submitted to Edwin. This bug would
// have caused authentication to fail on every access.
! function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey) {
$sharedsecret=$radiuskey ;
# $debug = 1 ;
--- 28,34 ----
// was also fixed and patches submitted to Edwin. This bug would
// have caused authentication to fail on every access.
! function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiuskey,$clientip) {
$sharedsecret=$radiuskey ;
# $debug = 1 ;
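Review bot: The new `$clientip` parameter has no default, so any caller of `RADIUS_AUTHENTICATION()` other than the captive-portal index.php call updated in this patch (if any exist) would now run with `$clientip` undefined and send an empty Calling-Station-Id attribute. Declaring it as `$clientip=""` keeps older call sites working, and the header comment above the function should state that `$clientip` is sent verbatim as RADIUS attribute 31 (Calling-Station-Id) and is expected to be a dotted-quad string. The function body continues outside the hunk.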
***************
*** 44,50 ****
stream_set_timeout($fd, 5) ;
if ($debug)
! echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
$RA=pack("CCCCCCCCCCCCCCCC", // auth code
1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
--- 44,50 ----
stream_set_timeout($fd, 5) ;
if ($debug)
! echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username:
$username<br>clientip: $clientip<hr>\n";
$RA=pack("CCCCCCCCCCCCCCCC", // auth code
1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
***************
*** 60,78 ****
2+strlen($username)+ // username
2+strlen($encryptedpassword)+ // userpassword
2+strlen($nasHostname[0])+ // nasIdentifier
6+ // nasPort
6; // nasPortType
$thisidentifier=rand()%256;
// v v v v v v v v v
// Line # 1 2 3 4 5 6 7 8 E
! $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC",
1,$thisidentifier,$length/256,$length%256, // header
$RA, // authcode
6,6,0,0,0,1, // service type
1,2+strlen($username),$username, // username
2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
5,6,0,0,0,0, // nasPort
61,6,0,0,0,15 // nasPortType = Ethernet
);
--- 60,80 ----
2+strlen($username)+ // username
2+strlen($encryptedpassword)+ // userpassword
2+strlen($nasHostname[0])+ // nasIdentifier
+ 2+strlen($clientip)+ // Calling-Station-ID
6+ // nasPort
6; // nasPortType
$thisidentifier=rand()%256;
// v v v v v v v v v
// Line # 1 2 3 4 5 6 7 8 E
! $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCA*CCCCCCCCCCCC",
1,$thisidentifier,$length/256,$length%256, // header
$RA, // authcode
6,6,0,0,0,1, // service type
1,2+strlen($username),$username, // username
2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword
32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier
+ 31,2+strlen($clientip),$clientip, // Calling-Station-ID
5,6,0,0,0,0, // nasPort
61,6,0,0,0,15 // nasPortType = Ethernet
);
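Review bot: The pack format uses `A*` for the new Calling-Station-Id value while every other string attribute uses `a*`; with a `*` length both pack the bytes unchanged, so this is not a functional bug, but the inconsistency reads like a typo and should be `a*` to match the username, password and NAS-Identifier fields. The attribute choice also deserves a comment on the new line: RFC 2865 defines Calling-Station-Id (31) as the calling station's identifier, and on Ethernet NASes it conventionally carries the client MAC while the client IP is normally sent as Framed-IP-Address (8), so if the ACS policy is built around the IP this works but is non-standard — `// Calling-Station-Id carries the client IP here (non-standard; ACS policy keys on it)`. The length arithmetic above is consistent with the new attribute, and a dotted-quad value fits the one-byte attribute length.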
***************
*** 81,86 ****
--- 83,89 ----
echo "username is $username with len " . strlen($username) ."\n" ;
echo "encryptedpassword is $encryptedpassword with len " . strlen($encryptedpassword) ."\n" ;
echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
+ echo "clientip is $clientip with len " . strlen($clientip) . "\n" ;
}
$ret = fwrite($fd,$data) ; |