Lunch commitment for safety ;)
authorjdegraeve <jdegraeve@e36fee2c-cc09-0410-a7cc-ebac5c6737de>
Thu, 9 Feb 2006 10:53:49 +0000 (10:53 +0000)
committerjdegraeve <jdegraeve@e36fee2c-cc09-0410-a7cc-ebac5c6737de>
Thu, 9 Feb 2006 10:53:49 +0000 (10:53 +0000)
git-svn-id: https://svn.m0n0.ch/wall/trunk@65 e36fee2c-cc09-0410-a7cc-ebac5c6737de

captiveportal/index.php
captiveportal/radius_accounting.inc
captiveportal/radius_accounting_v2.inc
captiveportal/radius_authentication.inc

index 4791c56c933133c2eb1c4b46c3ad1d46535cc995..fb83d7e318480ca974f011b080cccd9c7988b76a 100644 (file)
@@ -1,32 +1,32 @@
 #!/usr/local/bin/php
 <?php 
 /*
-       $Id$
-       part of m0n0wall (http://m0n0.ch/wall)
-       
-       Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
-       All rights reserved.
-       
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are met:
-       
-       1. Redistributions of source code must retain the above copyright notice,
-          this list of conditions and the following disclaimer.
-       
-       2. Redistributions in binary form must reproduce the above copyright
-          notice, this list of conditions and the following disclaimer in the
-          documentation and/or other materials provided with the distribution.
-       
-       THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-       INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-       AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-       AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-       OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-       INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-       CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-       ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-       POSSIBILITY OF SUCH DAMAGE.
+    $Id$
+    part of m0n0wall (http://m0n0.ch/wall)
+    
+    Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+    All rights reserved.
+    
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
 */
 
 require_once("functions.inc");
@@ -43,53 +43,53 @@ $orig_request = $_ENV['CAPTIVE_REQPATH'];
 $clientip = $_ENV['REMOTE_ADDR'];
 
 if (!$clientip) {
-       /* not good - bail out */
-       exit;
+    /* not good - bail out */
+    exit;
 }
 
 if (isset($config['captiveportal']['httpslogin']))
-       $ourhostname = $config['captiveportal']['httpsname'] . ":8001";
+    $ourhostname = $config['captiveportal']['httpsname'] . ":8001";
 else
-       $ourhostname = $config['interfaces'][$config['captiveportal']['interface']]['ipaddr'] . ":8000";
+    $ourhostname = $config['interfaces'][$config['captiveportal']['interface']]['ipaddr'] . ":8000";
 
 if ($orig_host != $ourhostname) {
-       /* the client thinks it's connected to the desired web server, but instead
-          it's connected to us. Issue a redirect... */
-         
-       if (isset($config['captiveportal']['httpslogin']))
-               header("Location: https://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
-       else
-               header("Location: http://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
-       
-       exit;
+    /* the client thinks it's connected to the desired web server, but instead
+       it's connected to us. Issue a redirect... */
+      
+    if (isset($config['captiveportal']['httpslogin']))
+        header("Location: https://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
+    else
+        header("Location: http://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
+    
+    exit;
 }
 
 if (preg_match("/redirurl=(.*)/", $orig_request, $matches))
-       $redirurl = urldecode($matches[1]);
+    $redirurl = urldecode($matches[1]);
 if ($_POST['redirurl'])
-       $redirurl = $_POST['redirurl'];
+    $redirurl = $_POST['redirurl'];
 
 $macfilter = !isset($config['captiveportal']['nomacfilter']);
 
 /* find MAC address for client */
 $clientmac = arp_get_mac_by_ip($clientip);
 if (!$clientmac && $macfilter) {
-       /* unable to find MAC address - shouldn't happen! - bail out */
-       captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
-       /* We should return an error page to the client explaining what went wrong instead of exiting */
-       exit;
+    /* unable to find MAC address - shouldn't happen! - bail out */
+    captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
+    /* We should return an error page to the client explaining what went wrong instead of exiting */
+    exit;
 }
 
 /* find out if we need RADIUS + RADIUSMAC or not */
 if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) {
-       $radius_enable = TRUE;
-       if ($radius_enable && isset($config['captiveportal']['radmac_enable']))
-               $radmac_enable = TRUE;
+    $radius_enable = TRUE;
+    if ($radius_enable && isset($config['captiveportal']['radmac_enable']))
+        $radmac_enable = TRUE;
 }
 
 if ($_POST['logout_id']) {
-       disconnect_client($_POST['logout_id']);
-       echo <<<EOD
+    disconnect_client($_POST['logout_id']);
+    echo <<<EOD
 <HTML>
 <HEAD><TITLE>Disconnecting...</TITLE></HEAD>
 <BODY BGCOLOR="#435370">
@@ -107,220 +107,220 @@ setTimeout('window.close();',5000) ;
 EOD;
 /* The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail */
 } else if ($clientmac && portal_mac_fixed($clientmac)) {
-       /* punch hole in ipfw for pass thru mac addresses */
-       portal_allow($clientip, $clientmac, "unauthenticated");
-       exit;
+    /* punch hole in ipfw for pass thru mac addresses */
+    portal_allow($clientip, $clientmac, "unauthenticated");
+    exit;
 
 } else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip)) {
-       /* radius functions handle everything so we exit here since we're done */
-       exit;
+    /* radius functions handle everything so we exit here since we're done */
+    exit;
 
 } else if ($_POST['accept'] && $radius_enable) {
 
-       if ($_POST['auth_user'] && $_POST['auth_pass']) {
-               $auth_list = radius($_POST['auth_user'],$_POST['auth_pass'],$clientip,$clientmac,"USER LOGIN");
-
-               if ($auth_list['auth_val'] == 1) {
-                       captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR",$auth_list['error']);
-                       portal_reply_page($redirurl, "error", $auth_list['error']);
-               }
-               else if ($auth_list['auth_val'] == 3) {
-                       captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);
-                       portal_reply_page($redirurl, "error", $auth_list['reply_message']);
-               }
-       } else {
-               captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR");
-               portal_reply_page($redirurl, "error");
-       }
-       
+    if ($_POST['auth_user'] && $_POST['auth_pass']) {
+        $auth_list = radius($_POST['auth_user'],$_POST['auth_pass'],$clientip,$clientmac,"USER LOGIN");
+
+        if ($auth_list['auth_val'] == 1) {
+            captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR",$auth_list['error']);
+            portal_reply_page($redirurl, "error", $auth_list['error']);
+        }
+        else if ($auth_list['auth_val'] == 3) {
+            captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);
+            portal_reply_page($redirurl, "error", $auth_list['reply_message']);
+        }
+    } else {
+        captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR");
+        portal_reply_page($redirurl, "error");
+    }
+    
 } else if ($_POST['accept'] && $config['captiveportal']['auth_method'] == "local") {
 
-       //check against local usermanager
-       $userdb = &$config['captiveportal']['user'];
-
-       $loginok = false;
-
-       //erase expired accounts
-       if (is_array($userdb)) {
-               $moddb = false;
-               for ($i = 0; $i < count($userdb); $i++) {
-                       if ($userdb[$i]['expirationdate'] && (strtotime("-1 day") > strtotime($userdb[$i]['expirationdate']))) {
-                               unset($userdb[$i]);
-                               $moddb = true;
-                       }
-               }
-               if ($moddb)
-                       write_config();
-                       
-               $userdb = &$config['captiveportal']['user'];
-               
-               for ($i = 0; $i < count($userdb); $i++) {
-                       if (($userdb[$i]['name'] == $_POST['auth_user']) && ($userdb[$i]['password'] == md5($_POST['auth_pass']))) {
-                               $loginok = true;
-                               break;
-                       }
-               }
-       }
-
-       if ($loginok){
-               captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
-               portal_allow($clientip, $clientmac,$_POST['auth_user']);
-       } else {
-               captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
-               portal_reply_page($redirurl, "error");
-       }
+    //check against local usermanager
+    $userdb = &$config['captiveportal']['user'];
+
+    $loginok = false;
+
+    //erase expired accounts
+    if (is_array($userdb)) {
+        $moddb = false;
+        for ($i = 0; $i < count($userdb); $i++) {
+            if ($userdb[$i]['expirationdate'] && (strtotime("-1 day") > strtotime($userdb[$i]['expirationdate']))) {
+                unset($userdb[$i]);
+                $moddb = true;
+            }
+        }
+        if ($moddb)
+            write_config();
+            
+        $userdb = &$config['captiveportal']['user'];
+        
+        for ($i = 0; $i < count($userdb); $i++) {
+            if (($userdb[$i]['name'] == $_POST['auth_user']) && ($userdb[$i]['password'] == md5($_POST['auth_pass']))) {
+                $loginok = true;
+                break;
+            }
+        }
+    }
+
+    if ($loginok){
+        captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
+        portal_allow($clientip, $clientmac,$_POST['auth_user']);
+    } else {
+        captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
+        portal_reply_page($redirurl, "error");
+    }
 } else if ($_POST['accept'] && $clientip) {
-       captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
-       portal_allow($clientip, $clientmac, "unauthenticated");
+    captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
+    portal_allow($clientip, $clientmac, "unauthenticated");
 } else {
-       /* display captive portal page */
-       portal_reply_page($redirurl, "login");
+    /* display captive portal page */
+    portal_reply_page($redirurl, "login");
 }
 
 exit;
 
 function portal_reply_page($redirurl, $type = null, $message = null) {
-       global $g, $config;
+    global $g, $config;
 
-       /* Get captive portal layout */
-       if ($type == "login") 
-               $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html");
-       else 
-               $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal-error.html");
+    /* Get captive portal layout */
+    if ($type == "login") 
+        $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html");
+    else 
+        $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal-error.html");
 
-       /* substitute other variables */
-       if (isset($config['captiveportal']['httpslogin']))
-               $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext);
-       else
-               $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext);
+    /* substitute other variables */
+    if (isset($config['captiveportal']['httpslogin']))
+        $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext);
+    else
+        $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext);
 
-       $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext);
-       $htmltext = str_replace("\$PORTAL_MESSAGE\$", htmlspecialchars($message), $htmltext);
+    $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext);
+    $htmltext = str_replace("\$PORTAL_MESSAGE\$", htmlspecialchars($message), $htmltext);
 
-       echo $htmltext;
+    echo $htmltext;
 }
 
 function portal_mac_fixed($clientmac) {
-       global $g ;
-       
-       /* open captive portal mac db */
-       if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {
-               $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r") ;
-               if (!$fd) {
-                       return FALSE;
-               }
-               while (!feof($fd)) {
-                       $mac = trim(fgets($fd)) ;
-                       if(strcasecmp($clientmac, $mac) == 0) {
-                               fclose($fd) ;
-                               return TRUE ;
-                       }
-               }
-               fclose($fd) ;
-       }
-       return FALSE ;
-}      
+    global $g ;
+    
+    /* open captive portal mac db */
+    if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {
+        $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r") ;
+        if (!$fd) {
+            return FALSE;
+        }
+        while (!feof($fd)) {
+            $mac = trim(fgets($fd)) ;
+            if(strcasecmp($clientmac, $mac) == 0) {
+                fclose($fd) ;
+                return TRUE ;
+            }
+        }
+        fclose($fd) ;
+    }
+    return FALSE ;
+}    
 
 function portal_mac_radius($clientmac,$clientip) {
-       global $config ;
+    global $config ;
 
-       $radmac_secret = $config['captiveportal']['radmac_secret'];
+    $radmac_secret = $config['captiveportal']['radmac_secret'];
 
-       /* authentication against the radius server */
-       $auth_list = radius($clientmac,$radmac_secret,$clientip,$clientmac,"MACHINE LOGIN");
-       if ($auth_list['auth_val'] == 2) {
-               return TRUE;
-       }
-       return FALSE;
+    /* authentication against the radius server */
+    $auth_list = radius($clientmac,$radmac_secret,$clientip,$clientmac,"MACHINE LOGIN");
+    if ($auth_list['auth_val'] == 2) {
+        return TRUE;
+    }
+    return FALSE;
 }
 
 function portal_allow($clientip,$clientmac,$clientuser,$password = null, $session_timeout = null, $idle_timeout = null, $url_redirection = null, $session_terminate_time = null)  {
 
-       global $redirurl, $g, $config;
-
-       if ((isset($config['captiveportal']['noconcurrentlogins'])) && ($clientuser != 'unauthenticated'))
-               kick_concurrent_logins($clientuser);
-
-       captiveportal_lock();
-       
-       $ruleno = get_next_ipfw_ruleno();
-
-       /* generate unique session ID */
-       $tod = gettimeofday();
-       $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16);
-       
-       /* add ipfw rules for layer 3 */
-       exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");
-       exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");
-       
-       /* add ipfw rules for layer 2 */
-       if (!isset($config['captiveportal']['nomacfilter'])) {
-               $l2ruleno = $ruleno + 10000;
-               exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in");
-               exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out");
-       }
-       
-       /* read in client database */
-       $cpdb = captiveportal_read_db();
-       
-       $radiusservers = captiveportal_get_radius_servers();
-
-       /* find an existing entry and delete it */
-       for ($i = 0; $i < count($cpdb); $i++) {
-               if(!strcasecmp($cpdb[$i][2],$clientip)) {
-                       if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
-                               RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
-                                                                          $cpdb[$i][4], // username
-                                                                          $cpdb[$i][5], // sessionid
-                                                                          $cpdb[$i][0], // start time
-                                                                          $radiusservers[0]['ipaddr'],
-                                                                          $radiusservers[0]['acctport'],
-                                                                          $radiusservers[0]['key'],
-                                                                          $cpdb[$i][2], // clientip
-                                                                          $cpdb[$i][3], // clientmac
-                                                                          13); // Port Preempted
-                       }
-                       mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));
-                       unset($cpdb[$i]);
-                       break;
-               }
-       }       
-
-       /* encode password in Base64 just in case it contains commas */
-       $bpassword = base64_encode($password);
-       $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $clientuser, $sessionid, $bpassword, $session_timeout, $idle_timeout, $session_terminate_time);
-
-       /* rewrite information to database */
-       captiveportal_write_db($cpdb);
-
-       /* write next rule number */
-       $fd = @fopen("{$g['vardb_path']}/captiveportal.nextrule", "w");
-       if ($fd) {
-               $ruleno++;
-               if ($ruleno > 19899)
-                       $ruleno = 10000;        /* wrap around */
-               fwrite($fd, $ruleno);
-               fclose($fd);
-       }
-       
-       captiveportal_unlock();
-       
-       /* redirect user to desired destination */
-       if ($url_redirection)
-               $my_redirurl = $url_redirection;
-       else if ($config['captiveportal']['redirurl'])
-               $my_redirurl = $config['captiveportal']['redirurl'];
-       else
-               $my_redirurl = $redirurl;
-       
-       if(isset($config['captiveportal']['logoutwin_enable'])) {
-               
-               if (isset($config['captiveportal']['httpslogin']))
-                       $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";
-               else
-                       $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/";
-               
-               echo <<<EOD
+    global $redirurl, $g, $config;
+
+    if ((isset($config['captiveportal']['noconcurrentlogins'])) && ($clientuser != 'unauthenticated'))
+        kick_concurrent_logins($clientuser);
+
+    captiveportal_lock();
+    
+    $ruleno = get_next_ipfw_ruleno();
+
+    /* generate unique session ID */
+    $tod = gettimeofday();
+    $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16);
+    
+    /* add ipfw rules for layer 3 */
+    exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");
+    exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");
+    
+    /* add ipfw rules for layer 2 */
+    if (!isset($config['captiveportal']['nomacfilter'])) {
+        $l2ruleno = $ruleno + 10000;
+        exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in");
+        exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out");
+    }
+    
+    /* read in client database */
+    $cpdb = captiveportal_read_db();
+    
+    $radiusservers = captiveportal_get_radius_servers();
+
+    /* find an existing entry and delete it */
+    for ($i = 0; $i < count($cpdb); $i++) {
+        if(!strcasecmp($cpdb[$i][2],$clientip)) {
+            if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
+                RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+                                       $cpdb[$i][4], // username
+                                       $cpdb[$i][5], // sessionid
+                                       $cpdb[$i][0], // start time
+                                       $radiusservers[0]['ipaddr'],
+                                       $radiusservers[0]['acctport'],
+                                       $radiusservers[0]['key'],
+                                       $cpdb[$i][2], // clientip
+                                       $cpdb[$i][3], // clientmac
+                                       13); // Port Preempted
+            }
+            mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));
+            unset($cpdb[$i]);
+            break;
+        }
+    }    
+
+    /* encode password in Base64 just in case it contains commas */
+    $bpassword = base64_encode($password);
+    $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $clientuser, $sessionid, $bpassword, $session_timeout, $idle_timeout, $session_terminate_time);
+
+    /* rewrite information to database */
+    captiveportal_write_db($cpdb);
+
+    /* write next rule number */
+    $fd = @fopen("{$g['vardb_path']}/captiveportal.nextrule", "w");
+    if ($fd) {
+        $ruleno++;
+        if ($ruleno > 19899)
+            $ruleno = 10000;    /* wrap around */
+        fwrite($fd, $ruleno);
+        fclose($fd);
+    }
+    
+    captiveportal_unlock();
+    
+    /* redirect user to desired destination */
+    if ($url_redirection)
+        $my_redirurl = $url_redirection;
+    else if ($config['captiveportal']['redirurl'])
+        $my_redirurl = $config['captiveportal']['redirurl'];
+    else
+        $my_redirurl = $redirurl;
+    
+    if(isset($config['captiveportal']['logoutwin_enable'])) {
+        
+        if (isset($config['captiveportal']['httpslogin']))
+            $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";
+        else
+            $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/";
+        
+        echo <<<EOD
 <HTML>
 <HEAD><TITLE>Redirecting...</TITLE></HEAD>
 <BODY>
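Review bot: The local login check `$userdb[$i]['password'] == md5($_POST['auth_pass'])` uses loose `==` on two hex strings, and PHP compares numeric-looking strings such as `0e…` digests as numbers, so two different digests can test equal. The same applies to `$cpdb[$i][5] == $sessionid` in disconnect_client in a later hunk, which is fed `$_POST['logout_id']`. Both should use a strict, preferably constant-time comparison, e.g. `hash_equals($userdb[$i]['password'], md5($_POST['auth_pass']))`, or at minimum `===`. Unsalted MD5 is also a weak way to store the local passwords; `password_hash()`/`password_verify()` is the replacement where the PHP version allows it. These lines are only re-indented by this commit, and portal_allow's body continues past the end of this hunk.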
@@ -331,18 +331,18 @@ function portal_allow($clientip,$clientmac,$clientuser,$password = null, $sessio
 <!--
 LogoutWin = window.open('', 'Logout', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=256,height=64');
 if (LogoutWin) {
-       LogoutWin.document.write('<HTML>');
-       LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ;
-       LogoutWin.document.write('<BODY BGCOLOR="#435370">');
-       LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ;
-       LogoutWin.document.write('<B>Click the button below to disconnect</B><P>');
-       LogoutWin.document.write('<FORM METHOD="POST" ACTION="{$logouturl}">');
-       LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="{$sessionid}">');
-       LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">');
-       LogoutWin.document.write('</FORM>');
-       LogoutWin.document.write('</DIV></BODY>');
-       LogoutWin.document.write('</HTML>');
-       LogoutWin.document.close();
+    LogoutWin.document.write('<HTML>');
+    LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ;
+    LogoutWin.document.write('<BODY BGCOLOR="#435370">');
+    LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ;
+    LogoutWin.document.write('<B>Click the button below to disconnect</B><P>');
+    LogoutWin.document.write('<FORM METHOD="POST" ACTION="{$logouturl}">');
+    LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="{$sessionid}">');
+    LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">');
+    LogoutWin.document.write('</FORM>');
+    LogoutWin.document.write('</DIV></BODY>');
+    LogoutWin.document.write('</HTML>');
+    LogoutWin.document.close();
 }
 
 document.location.href="{$my_redirurl}";
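Review bot: `document.location.href="{$my_redirurl}";` places `$my_redirurl` inside a JavaScript string literal unescaped, and that value can fall back to `$redirurl`, which index.php takes from `$_POST['redirurl']` or the request path; a value containing a quote or `</script>` breaks out of the literal. Encode it for the script context, e.g. `$js_redirurl = json_encode($my_redirurl, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);` and emit `document.location.href={$js_redirurl};`. Accept only `http://` or `https://` targets before using the value here or in the `header("Location: " . $my_redirurl)` branch of the next hunk. The line is unchanged context in this hunk, and the heredoc belongs to portal_allow, which starts and ends outside it.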
@@ -352,11 +352,11 @@ document.location.href="{$my_redirurl}";
 </HTML>
 
 EOD;
-       } else {
-               header("Location: " . $my_redirurl); 
-       }
-       
-       return $sessionid;
+    } else {
+        header("Location: " . $my_redirurl); 
+    }
+    
+    return $sessionid;
 }
 
 /* Ensure that only one username is used by one client at a time
@@ -364,78 +364,78 @@ EOD;
  */
 function kick_concurrent_logins($user) {
 
-       captiveportal_lock();
+    captiveportal_lock();
 
-       /* read database */
-       $cpdb = captiveportal_read_db();
+    /* read database */
+    $cpdb = captiveportal_read_db();
 
-       captiveportal_unlock();
+    captiveportal_unlock();
 
-       if (isset($cpdb)) {
-               /* find duplicate entry */
-               for ($i = 0; $i < count($cpdb); $i++) {
-                       if ($cpdb[$i][4] == $user) {
-                               /* This user was already logged in */
-                               disconnect_client($cpdb[$i][5],"CONCURRENT LOGIN - TERMINATING OLD SESSION",13);
-                       }
-               }
-       }
+    if (isset($cpdb)) {
+        /* find duplicate entry */
+        for ($i = 0; $i < count($cpdb); $i++) {
+            if ($cpdb[$i][4] == $user) {
+                /* This user was already logged in */
+                disconnect_client($cpdb[$i][5],"CONCURRENT LOGIN - TERMINATING OLD SESSION",13);
+            }
+        }
+    }
 }
 
 /* remove a single client by session ID
    by Dinesh Nair
  */
 function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1) {
-       
-       global $g, $config;
-       
-       captiveportal_lock();
-       
-       /* read database */
-       $cpdb = captiveportal_read_db();
-       
-       $radiusservers = captiveportal_get_radius_servers();
-       
-       /* find entry */        
-       for ($i = 0; $i < count($cpdb); $i++) {
-               if ($cpdb[$i][5] == $sessionid) {
-                       /* this client needs to be deleted - remove ipfw rules */
-                       if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
-                               RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
-                                                                          $cpdb[$i][4], // username
-                                                                          $cpdb[$i][5], // sessionid
-                                                                          $cpdb[$i][0], // start time
-                                                                          $radiusservers[0]['ipaddr'],
-                                                                          $radiusservers[0]['acctport'],
-                                                                          $radiusservers[0]['key'],
-                                                                          $cpdb[$i][2], // clientip
-                                                                          $cpdb[$i][3], // clientmac
-                                                                          $term_cause);
-                       }
-                       mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));
-                       captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);
-                       unset($cpdb[$i]);
-                       break;
-               }
-       }
-       
-       /* rewrite information to database */
-       captiveportal_write_db($cpdb);
-       
-       captiveportal_unlock();
+    
+    global $g, $config;
+    
+    captiveportal_lock();
+    
+    /* read database */
+    $cpdb = captiveportal_read_db();
+    
+    $radiusservers = captiveportal_get_radius_servers();
+    
+    /* find entry */    
+    for ($i = 0; $i < count($cpdb); $i++) {
+        if ($cpdb[$i][5] == $sessionid) {
+            /* this client needs to be deleted - remove ipfw rules */
+            if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
+                RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+                                       $cpdb[$i][4], // username
+                                       $cpdb[$i][5], // sessionid
+                                       $cpdb[$i][0], // start time
+                                       $radiusservers[0]['ipaddr'],
+                                       $radiusservers[0]['acctport'],
+                                       $radiusservers[0]['key'],
+                                       $cpdb[$i][2], // clientip
+                                       $cpdb[$i][3], // clientmac
+                                       $term_cause);
+            }
+            mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));
+            captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);
+            unset($cpdb[$i]);
+            break;
+        }
+    }
+    
+    /* rewrite information to database */
+    captiveportal_write_db($cpdb);
+    
+    captiveportal_unlock();
 }
 
 function get_next_ipfw_ruleno() {
 
-       global $g;
+    global $g;
 
-       /* get next ipfw rule number */
-       if (file_exists("{$g['vardb_path']}/captiveportal.nextrule"))
-               $ruleno = trim(file_get_contents("{$g['vardb_path']}/captiveportal.nextrule"));
-       if (!$ruleno)
-               $ruleno = 10000;        /* first rule number */
+    /* get next ipfw rule number */
+    if (file_exists("{$g['vardb_path']}/captiveportal.nextrule"))
+        $ruleno = trim(file_get_contents("{$g['vardb_path']}/captiveportal.nextrule"));
+    if (!$ruleno)
+        $ruleno = 10000;    /* first rule number */
 
-       return $ruleno;
+    return $ruleno;
 }
 
 ?>
index 6e95e1096d4443f0398e2aaa84d770a4b5a0ca7e..2f27f16f8fd3372713c49e05a537b437306f9c3d 100644 (file)
@@ -1,68 +1,68 @@
 <?php
 /*
-       $Id$
-       part of m0n0wall (http://m0n0.ch/wall)
-       
-       Copyright (C) 2004 Dinesh Nair <dinesh@alphaque.com>
-       All rights reserved.
-       
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are met:
-       
-       1. Redistributions of source code must retain the above copyright notice,
-          this list of conditions and the following disclaimer.
-       
-       2. Redistributions in binary form must reproduce the above copyright
-          notice, this list of conditions and the following disclaimer in the
-          documentation and/or other materials provided with the distribution.
-       
-       THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-       INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-       AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-       AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-       OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-       INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-       CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-       ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-       POSSIBILITY OF SUCH DAMAGE.
-
-       // This version of radius_accounting.inc has been modified by
-       // Rob Parker <rob.parker@keycom.co.uk>. Changes made include:
-       // * now sends Framed-IP-Address (client IP)
-       // * now sends Called-Station-ID (NAS IP)
-       // * now sends Calling-Station-ID (client IP)
-
-       // This version of radius_accounting.inc has been modified by
-       // Jonathan De Graeve <jonathan@imelda.be>. Changes made include:
-       // - RFC2869 (Radius Extensions)
-       // * now sends Acct-Input-Gigawords
-       // * now sends Acct-Output-Gigawords
-       // * full implementation of nas-ip/nas_mac and called/calling-station ids
+    $Id$
+    part of m0n0wall (http://m0n0.ch/wall)
+    
+    Copyright (C) 2004 Dinesh Nair <dinesh@alphaque.com>
+    All rights reserved.
+    
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    // This version of radius_accounting.inc has been modified by
+    // Rob Parker <rob.parker@keycom.co.uk>. Changes made include:
+    // * now sends Framed-IP-Address (client IP)
+    // * now sends Called-Station-ID (NAS IP)
+    // * now sends Calling-Station-ID (client IP)
+
+    // This version of radius_accounting.inc has been modified by
+    // Jonathan De Graeve <jonathan@imelda.be>. Changes made include:
+    // - RFC2869 (Radius Extensions)
+    // * now sends Acct-Input-Gigawords
+    // * now sends Acct-Output-Gigawords
+    // * full implementation of nas-ip/nas_mac and called/calling-station ids
 
 */
 
 function RADIUS_ACCOUNTING_START($ruleno,$username,$sessionid,$radiusip,$radiusport,$radiuskey,$clientip,$clientmac) {
-       # $debug = 1 ;
-       global $config;
+    # $debug = 1 ;
+    global $config;
 
-       exec("/bin/hostname", $nasHostname) ;
-       if(!$nasHostname[0])
-               $nasHostname[0] = "m0n0wall" ;
+    exec("/bin/hostname", $nasHostname) ;
+    if(!$nasHostname[0])
+        $nasHostname[0] = "m0n0wall" ;
 
-       $fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
-       if(!$fd) 
-               return 1 ; /* error return */
-       
-       /* set 5 second timeout on socket i/o */
-       stream_set_timeout($fd, 5) ;
+    $fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
+    if(!$fd) 
+        return 1 ; /* error return */
+    
+    /* set 5 second timeout on socket i/o */
+    stream_set_timeout($fd, 5) ;
 
-       $nas_mac = get_interface_mac($config['interfaces']['wan']['if']); // This function is defined in radius_authentication.inc
-       $nas_port = $ruleno - 10000;
-       $ip_exp=explode(".",$clientip);
-       $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+    $nas_mac = get_interface_mac($config['interfaces']['wan']['if']); // This function is defined in radius_authentication.inc
+    $nas_port = $ruleno - 10000;
+    $ip_exp=explode(".",$clientip);
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
 
-        switch($radiusvendor) {
+    switch($radiusvendor) {
 
         case 'cisco':
         $calledstationid = $clientmac;
@@ -70,133 +70,133 @@ function RADIUS_ACCOUNTING_START($ruleno,$username,$sessionid,$radiusip,$radiusp
         break;
 
         default:
-       $calledstationid = $nas_mac;
+        $calledstationid = $nas_mac;
         $callingstationid = $clientmac;
-       }
-
-       if ($debug)
-           echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
-
-       /* Initialise rand function, make it more random */
-       srand((double)microtime() * 1000000);
-
-       $thisidentifier=rand()%256;
-
-       $length=4+                              // header
-               16+                             // auth code
-               6+                              // service type
-               2+strlen($username)+            // username
-               2+strlen($nasHostname[0])+                      // nasIdentifier
-               6+                              // nasPort
-               6+                              // nasPortType
-               6+                              // Acct Status Type
-               6+                              // Acct RADIUS Authenticated
-               2+strlen($sessionid)+   // Acct SessionID
+    }
+
+    if ($debug)
+        echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
+
+    /* Initialise rand function, make it more random */
+    srand((double)microtime() * 1000000);
+
+    $thisidentifier=rand()%256;
+
+    $length=4+                // header
+        16+                // auth code
+        6+                // service type
+        2+strlen($username)+        // username
+        2+strlen($nasHostname[0])+            // nasIdentifier
+        6+                // nasPort
+        6+                // nasPortType
+        6+                // Acct Status Type
+        6+                // Acct RADIUS Authenticated
+        2+strlen($sessionid)+    // Acct SessionID
                 2+strlen($calledstationid)+              //Called-Station-ID
                 2+strlen($callingstationid)+    //Calling-Station-ID
-               6;                              // Framed-IP-Address
-
-       //          v   v   v     v   v   v     v     v     v     1   v
-       // Line #   1   2   3     4   5   6     7     8     9     0   E
-       $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCCCCC",
-           4,$thisidentifier,$length/256,$length%256,          // header
-           0,0,0,0,                                            // authcode
-           6,6,0,0,0,1,                                        // service type
-           1,2+strlen($username),$username,                    // username
-           32,2+strlen($nasHostname[0]),$nasHostname[0],       // nasIdentifier
-           5,6,0,0,0,$nas_port,                                        // nasPort
-           61,6,0,0,0,15,                                              // nasPortType = Ethernet
-               40,6,0,0,0,1,                                           // Acct Status Type = Start
-               45,6,0,0,0,1,                                           // Acct RADIUS Authenticated
-               44,2+strlen($sessionid),$sessionid,     // Acct Session ID
+        6;                // Framed-IP-Address
+
+    //          v   v   v     v   v   v     v     v     v     1   v
+    // Line #   1   2   3     4   5   6     7     8     9     0   E
+    $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCCCCC",
+        4,$thisidentifier,$length/256,$length%256,        // header
+        0,0,0,0,                        // authcode
+        6,6,0,0,0,1,                    // service type
+        1,2+strlen($username),$username,            // username
+        32,2+strlen($nasHostname[0]),$nasHostname[0],    // nasIdentifier
+        5,6,0,0,0,$nas_port,                    // nasPort
+        61,6,0,0,0,15,                        // nasPortType = Ethernet
+        40,6,0,0,0,1,                        // Acct Status Type = Start
+        45,6,0,0,0,1,                        // Acct RADIUS Authenticated
+        44,2+strlen($sessionid),$sessionid,    // Acct Session ID
                 30,2+strlen($calledstationid),$calledstationid, //Called-Station-ID
                 31,2+strlen($callingstationid),$callingstationid,                               //Calling-Station-ID
-               8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3] //Framed-IP-Address
-           );
-
-       /* Generate Accounting Request Authenticator */
-       $RA = md5($data.$radiuskey) ;
-
-       //          v   v v     v   v   v     v     v     v     1   v
-       // Line #   1   2 3     4   5   6     7     8     9     0   E
-       $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCCCCC",
-           4,$thisidentifier,$length/256,$length%256,          // header
-           $RA,                                                // authcode
-           6,6,0,0,0,1,                                        // service type
-           1,2+strlen($username),$username,                    // username
-           32,2+strlen($nasHostname[0]),$nasHostname[0],       // nasIdentifier
-           5,6,0,0,0,$nas_port,                                                // nasPort
-           61,6,0,0,0,15,                                              // nasPortType = Ethernet
-               40,6,0,0,0,1,                                           // Acct Status Type = Start
-               45,6,0,0,0,1,                                           // Acct RADIUS Authenticated
-               44,2+strlen($sessionid),$sessionid,     // Acct Session ID
+        8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]    //Framed-IP-Address
+        );
+
+    /* Generate Accounting Request Authenticator */
+    $RA = md5($data.$radiuskey) ;
+
+    //          v   v v     v   v   v     v     v     v     1   v
+    // Line #   1   2 3     4   5   6     7     8     9     0   E
+    $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCa*CCa*CCCCCC",
+        4,$thisidentifier,$length/256,$length%256,        // header
+        $RA,                        // authcode
+        6,6,0,0,0,1,                    // service type
+        1,2+strlen($username),$username,            // username
+        32,2+strlen($nasHostname[0]),$nasHostname[0],    // nasIdentifier
+        5,6,0,0,0,$nas_port,                        // nasPort
+        61,6,0,0,0,15,                        // nasPortType = Ethernet
+        40,6,0,0,0,1,                        // Acct Status Type = Start
+        45,6,0,0,0,1,                        // Acct RADIUS Authenticated
+        44,2+strlen($sessionid),$sessionid,    // Acct Session ID
                 30,2+strlen($calledstationid),$calledstationid, //Called-Station-ID
                 31,2+strlen($callingstationid),$callingstationid,                               //Calling-Station-ID
-               8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3] //Framed-IP-Address
-           );
+        8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]    //Framed-IP-Address
+        );
 
-       if($debug) {
-               echo "username is $username with len " . strlen($username) ."\n" ;
-               echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
-       }       
+    if($debug) {
+        echo "username is $username with len " . strlen($username) ."\n" ;
+        echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
+    }    
 
-       $ret = fwrite($fd,$data) ;
-       if( !$ret || ($ret != $length) ) 
-               return 1; /* error return */
+    $ret = fwrite($fd,$data) ;
+    if( !$ret || ($ret != $length) ) 
+        return 1; /* error return */
 
-       if ($debug)
-           echo "<br>writing $length bytes<hr>\n";
+    if ($debug)
+        echo "<br>writing $length bytes<hr>\n";
 
-       $readdata = fgets($fd,2) ; /* read 1 byte */
-       $status = socket_get_status($fd) ;
-       fclose($fd) ;
+    $readdata = fgets($fd,2) ; /* read 1 byte */
+    $status = socket_get_status($fd) ;
+    fclose($fd) ;
 
-       if($status['timed_out'])
-               $retvalue = 1 ;
-       else
-               $retvalue = ord($readdata) ;
+    if($status['timed_out'])
+        $retvalue = 1 ;
+    else
+        $retvalue = ord($readdata) ;
 
-       return $retvalue ;
-       // 5 -> Accounting-Response
-       // See RFC2866 for this.
+    return $retvalue ;
+    // 5 -> Accounting-Response
+    // See RFC2866 for this.
 }
 
 function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip,$clientmac, $term_cause = 1, $interimupdate=false,$stop_time = null) {
-       # $debug = 1 ;
-       global $config;
-
-       $stop_time = (empty($stop_time)) ? time() : $stop_time;
-
-       exec("/bin/hostname", $nasHostname) ;
-       if(!$nasHostname[0])
-               $nasHostname[0] = "quewall" ;
-
-       $input_pkts = $input_bytes = $input_gigawords = $output_pkts = $output_bytes = $output_gigawords = 0 ;
-
-       exec("/sbin/ipfw show {$ruleno}", $ipfw) ;      
-       preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches) ;
-       $input_pkts = $matches[2] ;
-       $input_bytes = remainder($matches[3]) ;
-       $input_gigawords = gigawords($matches[3]) ;
-
-       unset($matches) ;
-       preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches) ;
-       $output_pkts = $matches[2] ;
-       $output_bytes = remainder($matches[3]) ;
-       $output_gigawords = gigawords($matches[3]) ;
-
-       $fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
-       if(!$fd) 
-               return 1 ; /* error return */
-       
-       /* set 5 second timeout on socket i/o */
-       stream_set_timeout($fd, 5) ;
-
-       $nas_port = $ruleno - 10000;
-       $nas_mac = get_interface_mac($config['interfaces']['wan']['if']);
-       $ip_exp=explode(".",$clientip);
-       $session_time = $stop_time - $start_time;
-       $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+    # $debug = 1 ;
+    global $config;
+
+    $stop_time = (empty($stop_time)) ? time() : $stop_time;
+
+    exec("/bin/hostname", $nasHostname) ;
+    if(!$nasHostname[0])
+        $nasHostname[0] = "quewall" ;
+
+    $input_pkts = $input_bytes = $input_gigawords = $output_pkts = $output_bytes = $output_gigawords = 0 ;
+
+    exec("/sbin/ipfw show {$ruleno}", $ipfw) ;    
+    preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches) ;
+    $input_pkts = $matches[2] ;
+    $input_bytes = remainder($matches[3]) ;
+    $input_gigawords = gigawords($matches[3]) ;
+
+    unset($matches) ;
+    preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches) ;
+    $output_pkts = $matches[2] ;
+    $output_bytes = remainder($matches[3]) ;
+    $output_gigawords = gigawords($matches[3]) ;
+
+    $fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ;
+    if(!$fd) 
+        return 1 ; /* error return */
+    
+    /* set 5 second timeout on socket i/o */
+    stream_set_timeout($fd, 5) ;
+
+    $nas_port = $ruleno - 10000;
+    $nas_mac = get_interface_mac($config['interfaces']['wan']['if']);
+    $ip_exp=explode(".",$clientip);
+    $session_time = $stop_time - $start_time;
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
 
         switch($radiusvendor) {
 
@@ -208,138 +208,138 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
         default:
         $calledstationid = $nas_mac;
         $callingstationid = $clientmac;
-       }
-
-       if ($debug)
-           echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
-
-       /* Initialise rand function, make it more random */
-       srand((double)microtime() * 1000000);
-
-       $thisidentifier=rand()%256;
-
-       $length=4+                              // header
-               16+                             // auth code
-               6+                              // service type
-               2+strlen($username)+            // username
-               2+strlen($nasHostname[0])+                      // nasIdentifier
-               6+                              // nasPort
-               6+                              // nasPortType
-               6+                              // Acct Status Type
-               6+                              // Acct RADIUS Authenticated
-               2+strlen($sessionid)+   // Acct SessionID
-               6+                              // Acct terminate
-               6+                              // Session time
-               6+                              // input bytes
-               6+                              // input packets
-               6+                              // input gigawords
-               6+                              // output bytes
-               6+                              // output packets
-               6+                              // output gigawords
-               2+strlen($calledstationid)+             //Called-Station-ID
-               2+strlen($callingstationid)+    //Calling-Station-ID
-               6;                      //Framed-IP-Address
-
-       if ($interimupdate)
-               $acctstatustype = 3;
-       else
-               $acctstatustype = 2;
-
-       //          v   v   v     v   v   v     v     v     v     1   1  1  1  1  1  1  1  1  v
-       // Line #   1   2   3     4   5   6     7     8     9     0   1  2  3  4  5  6  7  8  E
-       $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC",
-           4,$thisidentifier,$length/256,$length%256,          // header
-           0,0,0,0,                                            // authcode
-           6,6,0,0,0,1,                                        // service type
-           1,2+strlen($username),$username,                    // username
-           32,2+strlen($nasHostname[0]),$nasHostname[0],       // nasIdentifier
-           5,6,0,0,0,$nas_port,                                        // nasPort
-           61,6,0,0,0,15,                                              // nasPortType = Ethernet
-               40,6,0,0,0,$acctstatustype,                     // Acct Status Type
-               45,6,0,0,0,1,                                           // Acct RADIUS Authenticated
-               44,2+strlen($sessionid),$sessionid,     // Acct Session ID
-               49,6,$term_cause,               // Acct Terminate
-               46,6,$session_time,                     // Session Time
-               42,6,$input_bytes,      // Input Octets
-               47,6,$input_pkts,       // Input Packets
-               52,6,$input_gigawords,  // Input Gigawords
-               43,6,$output_bytes, // Output Octets
-               48,6,$output_pkts,      // Output Packets
-               53,6,$output_gigawords, // Output Gigawords
-               30,2+strlen($calledstationid),$calledstationid, //Called-Station-ID
-               31,2+strlen($callingstationid),$callingstationid,                               //Calling-Station-ID
-               8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3] //Framed-IP-Address
-           );
-
-       /* Generate Accounting Request Authenticator */
-       $RA = md5($data.$radiuskey) ;
-
-       //          v   v v     v   v   v     v     v     v     1   1  1  1  1  1  1  1  1  v
-       // Line #   1   2 3     4   5   6     7     8     9     0   1  2  3  4  5  6  7  8  E
-       $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC",
-           4,$thisidentifier,$length/256,$length%256,          // header
-           $RA,                                                // authcode
-           6,6,0,0,0,1,                                        // service type
-           1,2+strlen($username),$username,                    // username
-           32,2+strlen($nasHostname[0]),$nasHostname[0],       // nasIdentifier
-           5,6,0,0,0,$nas_port,                                        // nasPort
-           61,6,0,0,0,15,                                              // nasPortType = Ethernet
-               40,6,0,0,0,$acctstatustype,                     // Acct Status Type
-               45,6,0,0,0,1,                                           // Acct RADIUS Authenticated
-               44,2+strlen($sessionid),$sessionid,     // Acct Session ID
-               49,6,$term_cause,               // Acct Terminate
-               46,6,$session_time,                     // Session Time
-               42,6,$input_bytes,      // Input Octets
-               47,6,$input_pkts,       // Input Packets
-               52,6,$input_gigawords,  // Input Gigawords
-               43,6,$output_bytes, // Output Octets
-               48,6,$output_pkts,      // Output Packets
-               53,6,$output_gigawords, // Output Gigawords
-               30,2+strlen($calledstationid),$calledstationid, //Called-Station-ID
-               31,2+strlen($callingstationid),$callingstationid,                               //Calling-Station-ID
-               8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3] //Framed-IP-Address
-           );
-
-       if($debug) {
-               echo "username is $username with len " . strlen($username) ."\n" ;
-               echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
-       }       
-
-       $ret = fwrite($fd,$data) ;
-       if( !$ret || ($ret != $length) ) 
-               return 1; /* error return */
-
-       if ($debug)
-           echo "<br>writing $length bytes<hr>\n";
-
-       $readdata = fgets($fd,2) ; /* read 1 byte */
-       $status = socket_get_status($fd) ;
-       fclose($fd) ;
-
-       if($status['timed_out'])
-               $retvalue = 1 ;
-       else
-               $retvalue = ord($readdata) ;
-
-       return $retvalue ;
-       // 5 -> Accounting-Response
-       // See RFC2866 for this.
+    }
+
+    if ($debug)
+        echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
+
+    /* Initialise rand function, make it more random */
+    srand((double)microtime() * 1000000);
+
+    $thisidentifier=rand()%256;
+
+    $length=4+                // header
+        16+                // auth code
+        6+                // service type
+        2+strlen($username)+        // username
+        2+strlen($nasHostname[0])+            // nasIdentifier
+        6+                // nasPort
+        6+                // nasPortType
+        6+                // Acct Status Type
+        6+                // Acct RADIUS Authenticated
+        2+strlen($sessionid)+    // Acct SessionID
+        6+                // Acct terminate
+        6+                // Session time
+        6+                // input bytes
+        6+                // input packets
+        6+                // input gigawords
+        6+                // output bytes
+        6+                // output packets
+        6+                // output gigawords
+        2+strlen($calledstationid)+        //Called-Station-ID
+        2+strlen($callingstationid)+    //Calling-Station-ID
+        6;            //Framed-IP-Address
+
+    if ($interimupdate)
+        $acctstatustype = 3;
+    else
+        $acctstatustype = 2;
+
+    //          v   v   v     v   v   v     v     v     v     1   1  1  1  1  1  1  1  1  v
+    // Line #   1   2   3     4   5   6     7     8     9     0   1  2  3  4  5  6  7  8  E
+    $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC",
+        4,$thisidentifier,$length/256,$length%256,        // header
+        0,0,0,0,                        // authcode
+        6,6,0,0,0,1,                    // service type
+        1,2+strlen($username),$username,            // username
+        32,2+strlen($nasHostname[0]),$nasHostname[0],    // nasIdentifier
+        5,6,0,0,0,$nas_port,                    // nasPort
+        61,6,0,0,0,15,                        // nasPortType = Ethernet
+        40,6,0,0,0,$acctstatustype,            // Acct Status Type
+        45,6,0,0,0,1,                        // Acct RADIUS Authenticated
+        44,2+strlen($sessionid),$sessionid,    // Acct Session ID
+        49,6,$term_cause,        // Acct Terminate
+        46,6,$session_time,            // Session Time
+        42,6,$input_bytes,    // Input Octets
+        47,6,$input_pkts,    // Input Packets
+        52,6,$input_gigawords,    // Input Gigawords
+        43,6,$output_bytes, // Output Octets
+        48,6,$output_pkts,    // Output Packets
+        53,6,$output_gigawords,    // Output Gigawords
+        30,2+strlen($calledstationid),$calledstationid,    //Called-Station-ID
+        31,2+strlen($callingstationid),$callingstationid,                //Calling-Station-ID
+        8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]    //Framed-IP-Address
+        );
+
+    /* Generate Accounting Request Authenticator */
+    $RA = md5($data.$radiuskey) ;
+
+    //          v   v v     v   v   v     v     v     v     1   1  1  1  1  1  1  1  1  v
+    // Line #   1   2 3     4   5   6     7     8     9     0   1  2  3  4  5  6  7  8  E
+    $data=pack("CCCCH*CCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC",
+        4,$thisidentifier,$length/256,$length%256,        // header
+        $RA,                        // authcode
+        6,6,0,0,0,1,                    // service type
+        1,2+strlen($username),$username,            // username
+        32,2+strlen($nasHostname[0]),$nasHostname[0],    // nasIdentifier
+        5,6,0,0,0,$nas_port,                    // nasPort
+        61,6,0,0,0,15,                        // nasPortType = Ethernet
+        40,6,0,0,0,$acctstatustype,            // Acct Status Type
+        45,6,0,0,0,1,                        // Acct RADIUS Authenticated
+        44,2+strlen($sessionid),$sessionid,    // Acct Session ID
+        49,6,$term_cause,        // Acct Terminate
+        46,6,$session_time,            // Session Time
+        42,6,$input_bytes,    // Input Octets
+        47,6,$input_pkts,    // Input Packets
+        52,6,$input_gigawords,    // Input Gigawords
+        43,6,$output_bytes, // Output Octets
+        48,6,$output_pkts,    // Output Packets
+        53,6,$output_gigawords,    // Output Gigawords
+        30,2+strlen($calledstationid),$calledstationid,    //Called-Station-ID
+        31,2+strlen($callingstationid),$callingstationid,                //Calling-Station-ID
+        8,6,$ip_exp[0],$ip_exp[1],$ip_exp[2],$ip_exp[3]    //Framed-IP-Address
+        );
+
+    if($debug) {
+        echo "username is $username with len " . strlen($username) ."\n" ;
+        echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ;
+    }    
+
+    $ret = fwrite($fd,$data) ;
+    if( !$ret || ($ret != $length) ) 
+        return 1; /* error return */
+
+    if ($debug)
+        echo "<br>writing $length bytes<hr>\n";
+
+    $readdata = fgets($fd,2) ; /* read 1 byte */
+    $status = socket_get_status($fd) ;
+    fclose($fd) ;
+
+    if($status['timed_out'])
+        $retvalue = 1 ;
+    else
+        $retvalue = ord($readdata) ;
+
+    return $retvalue ;
+    // 5 -> Accounting-Response
+    // See RFC2866 for this.
 }
 
 function gigawords($bytes) {
 
-       /* We use BCMath functions since normal integers don't work with so large numbers */
-       $gigawords = bcdiv( bcsub( $bytes, remainder($bytes) ) , 2147483647) ;
+    /* We use BCMath functions since normal integers don't work with so large numbers */
+    $gigawords = bcdiv( bcsub( $bytes, remainder($bytes) ) , 2147483647) ;
 
-       return $gigawords;
+    return $gigawords;
 }
 
 function remainder($bytes) {
 
-       /* Calculate the bytes we are going to send to the radius. */
-       $bytes = bcmod($bytes, 2147483647);
+    /* Calculate the bytes we are going to send to the radius. */
+    $bytes = bcmod($bytes, 2147483647);
 
-       return $bytes;
+    return $bytes;
 }
 
 
index 5ab44222a953a9325a3af97c2aa16a5fa1e19fa9..c663ada4627cee4a8eb94a0198b7608261076722 100644 (file)
@@ -43,33 +43,71 @@ any other GPL-like (LGPL, GPL2) License.
     * Sending of Called-Station-ID (NAS IP)
     * Sending of Calling-Station-ID (client IP)
     * RADIUS Extensions (RFC2869) => Acct-(Input|Output)-Gigawords
-    * TODO implementation of different Acct-Terminate-Cause (Disconnect reason) (should be changed in index.php)
 
 */
 
-/* 
+/*
 RADIUS ACCOUNTING START 
 -----------------------
 */
 
-function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey,$clientip) {
-    global $debug;
+function RADIUS_ACCOUNTING_START($ruleno,$username,$sessionid,$radiusip,$radiusport,$radiuskey,$clientip,$clientmac) {
+
+    global $config;
+
+    $nas_mac = get_interface_mac($config['interfaces']['wan']['if']); // This function is defined in radius_authentication.inc
+    $nas_port = $ruleno - 10000;
+    $ip_exp=explode(".",$clientip);
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+
+    switch($radiusvendor) {
 
+        case 'cisco':
+        $calledstationid = $clientmac;
+        $callingstationid = $clientip;
+        break;
+
+        default:
+        $calledstationid = $nas_mac;
+        $callingstationid = $clientmac;
+    }
+
+    if ($debug)
+        echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n";
+
+// Create our instance
 $racct = new Auth_RADIUS_Acct_Start;
-$racct->addServer($radiusip, $radiusport, $radiuskey);
+
 /* Different Authentication options
+ *
+ * Its possible todo other authentication methods but still do radius accounting
+
  RADIUS_AUTH_RADIUS => authenticated via Radius
  RADIUS_AUTH_LOCAL => authenicated local
  RADIUS_AUTH_REMOTE => authenticated remote
-*/
+
+ */
 
 $racct->authentic = RADIUS_AUTH_RADIUS;
+
+// Construct data package
+$racct->addServer($radiusip, $radiusport, $radiuskey);
 $racct->username = $username;
-$status = $racct->start();
-if(PEAR::isError($status)) {
+
+if (PEAR::isError($racct->start())) {
+    $retvalue['acct_val'] = 1;
+    $retvalue['error'] = $rauth->getMessage();
     if ($debug)
-    printf("Radius start: %s<br>\n", $status->getMessage());
-    exit;
+        printf("Radius start: %s<br>\n", $retvalue['error']);
+
+    /* Old code:
+     $status = $racct->start();
+     if(PEAR::isError($status)) {
+         if ($debug)
+             printf("Radius start: %s<br>\n", $status->getMessage());
+             exit;
+     }
+     */
 }
 
 /*
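Review bot: The new error branch for `$racct->start()` reads the message from `$rauth`, which is never defined in this function, so a failed start would end in a fatal call on a non-object instead of reporting the error. Keep the result in a variable as the commented-out old code did: `$status = $racct->start();`, `if (PEAR::isError($status)) {` and `$retvalue['error'] = $status->getMessage();`. The branch also no longer stops, so the attribute and send code that follows outside this hunk still runs after a failed start; returning `$retvalue` from the branch would avoid that. Separately, `global $debug;` was replaced by `global $config;`, which leaves every `if ($debug)` in the function testing an unset local.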
@@ -83,24 +121,30 @@ $racct->putAttribute(RADIUS_NAS_PORT, 0);
 $racct->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
 $racct->putAttribute(RADIUS_ACCT_SESSION_ID, $sessionid); 
 $racct->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip); 
-$result = $racct->send();
-if (PEAR::isError($result)) {
-    $retvalue = 1;   
-if ($debug)
-    printf("Radius send failed: %s<br>\n", $result->getMessage());
-} else if ($result === true) {
-    $retvalue = 5 ;
-    if ($debug)
-    printf("Radius Accounting succeeded<br>\n") ;
-} else {
-    $retvalue = 1 ;
-    if ($debug)
-    printf("Radius Accounting rejected<br>\n") ;
-}
-
-$racct->close();
-
-return $retvalue ;
+    // Send request
+
+    $result = $racct->send();
+    if (PEAR::isError($result)) {
+        $retvalue['acct_val'] = 1;
+        $retvalue['error'] = $result->getMessage();
+        if ($debug)
+            printf("Radius send failed: %s<br>\n", $retvalue['error']);
+    } else if ($result === true) {
+        $retvalue['acct_val'] = 5 ;
+        if ($debug)
+            printf("Radius Accounting succeeded<br>\n");
+    } else {
+        $retvalue['acct_val'] = 1 ;
+        if ($debug)
+            printf("Radius Accounting rejected<br>\n");
+    }
+
+    // close OO RADIUS_ACCOUNTING
+    $racct->close();
+
+    return $retvalue ;
+    // 5 -> Accounting-Response
+    // See RFC2866 for this.
 
 }
 
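Review bot: Every `if ($debug)` in the new send block tests an undefined variable, because this commit replaced `global $debug;` with `global $config;` at the top of RADIUS_ACCOUNTING_START (in the previous hunk), so none of the diagnostic lines can print. Declaring both, `global $config, $debug;`, restores them. RADIUS_ACCOUNTING_STOP lost its `global $debug;` the same way, so its rewritten send block further down is affected as well. `$retvalue` is also first touched as `$retvalue['acct_val']` without being initialised; a `$retvalue = array('acct_val' => 1, 'error' => null);` near the top of each function would give callers a fixed shape. The function body starts outside this hunk.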
@@ -109,34 +153,13 @@ RADIUS ACCOUNTING STOP/UPDATE
 -----------------------------
 */
 
-p
-function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip,$interimupdate=false,$radius_term_cause = "RADIUS_TERM_IDLE_TIMEOUT") {
-    global $debug;
-
-    exec("/bin/hostname", $nasHostname) ;
-    if(!$nasHostname[0])
-            $nasHostname[0] = "quewall" ;
+function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip,$clientmac, $term_cause = 1, $interimupdate=false,$stop_time = null) {
+    global $config;
 
-    $input_pkts = $input_bytes = $input_gigawords = $output_pkts = $output_bytes = $output_gigawords = 0 ;
+    $stop_time = (empty($stop_time)) ? time() : $stop_time;
 
-    exec("/sbin/ipfw show {$ruleno}", $ipfw) ;
-    preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches) ;
-    $input_pkts = $matches[2] ;
-    $input_bytes = remainder($matches[3]); 
-    $input_gigawords = gigawords($matches[3]);
-
-    unset($matches) ;
-    preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches) ;
-    $output_pkts = $matches[2] ;
-    $output_bytes = remainder($matches[3]);
-    $output_gigawords = gigawords($matches[3]);
-
-
-    $nas_ip = get_current_wan_address();
-    $nas_ip_exp = explode(".",$nas_ip);
     $nas_port = $ruleno - 10000;
     $nas_mac = get_interface_mac($config['interfaces']['wan']['if']);
-    $ip_exp=explode(".",$clientip);
     $session_time = $stop_time - $start_time;
     $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null
 
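Review bot: The block removed here was the only place `$input_*` and `$output_*` were assigned, while the `putAttribute` calls kept as context in a later hunk still send `$input_gigawords`, `$output_pkts`, `$output_bytes` and `$output_gigawords`. As written, every Stop or interim record would carry empty traffic counters, which undermines the accounting trail and any volume limit built on it. The `volumeCalculation()` helper this commit adds to the same file is not called in the lines shown; calling it here and applying `remainder()`/`gigawords()` would restore the values. `$input_pkts` and `$input_bytes` are presumably read in lines outside the hunks, and the function body continues past this hunk.

```php
    $stop_time = (empty($stop_time)) ? time() : $stop_time;

    // Traffic counters for the Acct-* attributes sent further down
    $volume = volumeCalculation($ruleno);
    $input_pkts = $volume['input_pkts'];
    $input_bytes = remainder($volume['input_bytes']);
    $input_gigawords = gigawords($volume['input_bytes']);
    $output_pkts = $volume['output_pkts'];
    $output_bytes = remainder($volume['output_bytes']);
    $output_gigawords = gigawords($volume['output_bytes']);

    // … unchanged: $nas_port, $nas_mac, $session_time, $radiusvendor …
```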
@@ -148,24 +171,40 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius
     if ($interimupdate)
         $racct = new_Auth_RADIUS_Acct_Update;
     else
-        $racct = new_Auth_RADIUS_Acct_Stop; 
+        $racct = new_Auth_RADIUS_Acct_Stop;
+
+/*
+ * Currently disabled
+Add support for more then one radiusserver. 
+At most 10 servers may be specified. 
+When multiple servers are given, they are tried in round-robin fashion until a valid response is received 
+
+foreach ($radiusservers as $radsrv) {
+
+    // Add a new server to our instance
+    $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['key']);
+
+}
+*/
+
+$racct->authentic = RADIUS_AUTH_RADIUS;
 
 // Construct data package
 $racct->addServer($radiusip, $radiusport, $radiuskey);
 $racct->username = $username;
 
-
-$status = $racct->start();
-if(PEAR::isError($status)) {
+if (PEAR::isError($racct->start())) {
+    $retvalue['acct_val'] = 1;
+    $retvalue['error'] = $rauth->getMessage();
     if ($debug)
-    printf("Radius start: %s<br>\n", $status->getMessage());
-    exit;
+        printf("Radius start: %s<br>\n", $retvalue['error']);
 }
+
 // you can put any additional attributes here
 //$racct->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
 
-// Do the accounting style as configured in GUI
-       switch($radiusvendor) {
+    // Do the accounting style as configured in GUI
+    switch($radiusvendor) {
 
         case 'cisco':
         $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $clientmac);
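Review bot: On a failed `start()` the new branch calls `$rauth->getMessage()`, but the object in this function is `$racct` and no `$rauth` is assigned in the visible lines, so the error path itself would fail; the PEAR error returned by `start()` is also thrown away inside the `if`. Keep the result instead: `$status = $racct->start();`, `if (PEAR::isError($status)) {`, `$retvalue['error'] = $status->getMessage();`. With `exit` removed the code now goes on to build and send the packet after a failed start, so the branch should end with `return $retvalue;`. The same three lines were added to RADIUS_ACCOUNTING_START in the first hunk, and the `$rauth->putAttribute(...)` calls in the vendor switch just below use the same wrong name. The function starts and ends outside this hunk.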
@@ -175,10 +214,10 @@ if(PEAR::isError($status)) {
         default:
         $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $nas_mac);
         $rauth->putAttribute(RADIUS_CALLING_STATION_ID, $clientmac);
-       }
+    }
 
-       // Default attributes
-       $rauth->putAttribute(RADIUS_NAS_PORT, $nas_port)
+    // Default attributes
+    $rauth->putAttribute(RADIUS_NAS_PORT, $nas_port)
 
 $session_time = $stop_time - $start_time;
 // We have 2 ways to set the session-time, we will see which one to use in a later version
@@ -197,29 +236,34 @@ $racct->putAttribute(RADIUS_ACCT_INPUT_GIGAWORDS, $input_gigawords);
 $racct->putAttribute(RADIUS_ACCT_OUTPUT_PACKETS, $output_pkts);
 $racct->putAttribute(RADIUS_ACCT_OUTPUT_OCTETS, $output_bytes);
 $racct->putAttribute(RADIUS_ACCT_OUTPUT_GIGAWORDS, $output_gigawords);
+
 if (!$interimupdate)
 $racct->putAttribute(RADIUS_ACCT_TERMINATE_CAUSE, $radius_term_cause);
 
-$result = $racct->send();
-if (PEAR::isError($result)) {
-    $retvalue = 1;
-    if ($debug)
-    printf("Radius send failed: %s<br>\n", $result->getMessage());
-} else if ($result === true) {
-    $retvalue = 5 ;
-    if ($debug)
-    printf("Radius Accounting succeeded<br>\n");
-} else {
-    $retvalue = 1 ;
-    if ($debug)
-    printf("Radius Accounting rejected<br>\n");
-}
-
-$racct->close();
-
-return $retvalue ;
-// 5 -> Accounting-Response
-// See RFC2866 for this.
+    // Send request
+
+    $result = $racct->send();
+    if (PEAR::isError($result)) {
+        $retvalue['acct_val'] = 1;
+        $retvalue['error'] = $result->getMessage();
+        if ($debug)
+            printf("Radius send failed: %s<br>\n", $retvalue['error']);
+    } else if ($result === true) {
+        $retvalue['acct_val'] = 5 ;
+        if ($debug)
+            printf("Radius Accounting succeeded<br>\n");
+    } else {
+        $retvalue['acct_val'] = 1 ;
+        if ($debug)
+            printf("Radius Accounting rejected<br>\n");
+    }
+
+    // close OO RADIUS_ACCOUNTING
+    $racct->close();
+
+    return $retvalue ;
+    // 5 -> Accounting-Response
+    // See RFC2866 for this.
 
 }
 
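Review bot: The terminate-cause line kept as context here still passes `$radius_term_cause`, but this commit renamed that parameter to `$term_cause` in the new RADIUS_ACCOUNTING_STOP signature. A Stop record would therefore carry an undefined value for Acct-Terminate-Cause. The line should read `$racct->putAttribute(RADIUS_ACCT_TERMINATE_CAUSE, $term_cause);`. The function starts outside this hunk.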
@@ -230,20 +274,65 @@ function get_nas_ip() {
         return $config['interfaces']['wan']['ipaddr'];   
 }
 
+/**
+ * This function will calculate the traffic produced by a host
+ * based on its firewall rule
+ *
+ * Will be moved to in captiveportal.inc
+ * so that we can implement user volume limits
+ *
+ * Point of view: Client
+ *
+ */
+
+function volumeCalculation($ruleno) {
+
+    $volume = array();
+
+    /* Ingress */
+    exec("/sbin/ipfw show {$ruleno}", $ipfw);
+    preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches);
+    $volume['input_pkts'] = $matches[2];
+    $volume['input_bytes'] = $matches[3];
+    /* These functions will be moved to the accounting part
+    $volume['input_bytes_radius'] = remainder($matches[3]);
+    $volume['input_gigawords'] = gigawords($matches[3]);
+    */
+
+    /* Flush internal buffer */
+    unset($matches);
+
+    /* Outgress */
+    preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches);
+    $volume['output_pkts'] = $matches[2];
+    $volume['output_bytes'] = $matches[3];
+    /* These functions will be moved to the accounting part
+    $volume['output_bytes_radius'] = remainder($matches[3]);
+    $volume['output_gigawords'] = gigawords($matches[3]);
+    */
+
+    return $volume;
+}
+
+/**
+ * Radius Volume Helpers
+ *
+ */
+
 function gigawords($bytes) {
-        /* We use BCMath functions since normal integers don't work */
-        $gigawords = bcdiv( bcsub( $bytes, remainder($bytes) ) , 4294967295);
-    
-        return $gigawords;
+
+    /* We use BCMath functions since normal integers don't work with so large numbers */
+    $gigawords = bcdiv( bcsub( $bytes, remainder($bytes) ) , 2147483647) ;
+
+    return $gigawords;
 }
 
 function remainder($bytes) {
-        /* Calculate the remainder */
-        $bytes = bcmod($bytes, 4294967295);
 
-        return $bytes;
-}
+    /* Calculate the bytes we are going to send to the radius. */
+    $bytes = bcmod($bytes, 2147483647);
 
-        
+    return $bytes;
+}
 
 ?>
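Review bot: `volumeCalculation()` interpolates `$ruleno` into the `exec()` command line as-is and then indexes `$ipfw[0]`, `$ipfw[1]` and `$matches` without checking that ipfw printed two matching lines. Callers are not visible here, so whether `$ruleno` can ever be non-numeric is unknown; forcing it to an integer, `exec("/sbin/ipfw show " . intval($ruleno), $ipfw);`, removes the question. Testing the return value of each `preg_match()` and defaulting the counters to 0 keeps a missing rule from yielding nulls. Separately, the new divisor 2147483647 in `gigawords()` and `remainder()` does not match RFC 2869, where the gigawords attributes count wraps of the octet counter at 2^32; the divisor would be `'4294967296'`, and the old 4294967295 was off by one.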
index 204a9d177970c87a35ae80ec1c4dbfa33371deea..a732bbbec834c970358bb9fba2ad1f0a89846b1b 100644 (file)
@@ -51,14 +51,14 @@ RADIUS AUTHENTICATION
 */
 
 function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$clientmac,$ruleno) {
-       global $config;
+    global $config;
 
-       /* Initialisation of variables - Constructor */
-       $retvalue = array();
-       $retvalue['error'] = $retvalue['reply_message'] = $retvalue['url_redirection'] = $retvalue['session_timeout'] = $retvalue['idle_timeout'] = $retvalue['session_terminate_time'] = null;
-       $nas_mac = get_interface_mac($config['interfaces']['wan']['if']);
-       $nas_port = $ruleno - 10000;
-       $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
+    /* Initialisation of variables - Constructor */
+    $retvalue = array();
+    $retvalue['error'] = $retvalue['reply_message'] = $retvalue['url_redirection'] = $retvalue['session_timeout'] = $retvalue['idle_timeout'] = $retvalue['session_terminate_time'] = null;
+    $nas_mac = get_interface_mac($config['interfaces']['wan']['if']);
+    $nas_port = $ruleno - 10000;
+    $radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
 
     exec("/bin/hostname", $nasHostname) ;
     if(!$nasHostname[0])
@@ -74,9 +74,9 @@ When multiple servers are given, they are tried in round-robin fashion until a v
 
 foreach ($radiusservers as $radsrv) {
 
-       // Add a new server to our instance
-       $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['key']);
-       
+    // Add a new server to our instance
+    $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['key']);
+    
 }
 
 $rauth->username = $username;
@@ -87,20 +87,20 @@ if (!$rauth->start()) {
     $retvalue['auth_val'] = 1;
     $retvalue['error'] = $rauth->getError(); 
     if ($debug)
-    printf("Radius start: %s<br>\n", $retvalue['error']);
+        printf("Radius start: %s<br>\n", $retvalue['error']);
 }
 else {
 
-       // 1 -> Access-Request => We will use this value as an error indicator since we can't get a 1 back from the radius
-       // 2 -> Access-Accept
-       // 3 -> Access-Reject
-       // See RFC2865 for this.
+    // 1 -> Access-Request => We will use this value as an error indicator since we can't get a 1 back from the radius
+    // 2 -> Access-Accept
+    // 3 -> Access-Reject
+    // See RFC2865 for this.
 
-       /*
-        * We put our attributes in here
-        */
+    /*
+     * We put our attributes in here
+     */
 
-       switch($radiusvendor) {
+    switch($radiusvendor) {
 
         case 'cisco':
         $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $clientmac);
@@ -110,49 +110,49 @@ else {
         default:
         $rauth->putAttribute(RADIUS_CALLED_STATION_ID, $nas_mac);
         $rauth->putAttribute(RADIUS_CALLING_STATION_ID, $clientmac);
-       }
-
-       // Default attributes
-       $rauth->putAttribute(RADIUS_NAS_PORT, $nas_port);
-
-       // Send request
-
-       $result = $rauth->send();
-       if (PEAR::isError($result)) {
-           $retvalue['auth_val'] = 1;
-           $retvalue['error'] = $result->getMessage();
-           if ($debug)
-           printf("Radius send failed: %s<br>\n", $retvalue['error']);
-       } else if ($result === true) {
-           $retvalue['auth_val'] = 2;
-           if ($debug)
-           printf("Radius Auth succeeded<br>\n");
-       } else {
-           $retvalue['auth_val'] = 3;
-           if ($debug)
-           printf("Radius Auth rejected<br>\n");
-       }
-
-       // Get attributes, even if auth failed.
-       // We will push the results in the retvalue array
-       if (!$rauth->getAttributes()) {
-           $retvalue['error'] = $rauth->getError();
-           if ($debug)
-           printf("Radius getAttributes: No attributes<br>\n", $retvalue['error']);
-       } else {
-           $retvalue = array_merge($retvalue,$rauth->listAttributes());
-           if ($debug) {
-               if (!$rauth->listAttributes())
-                   printf("No Attributes<br>\n");
-               else
-               print_r($rauth->listAttributes());
-           }
-           // We convert the session_terminate_time to unixtimestamp if its set before returning the whole array to our caller
-           if (!empty($retvalue['session_terminate_time'])) {
-               $stt = &$retvalue['session_terminate_time'];
-               $stt = strtotime(preg_replace("/\+(\d+):(\d+)$/", " +\${1}\${2}", preg_replace("/(\d+)T(\d+)/", "\${1} \${2}",$stt)));
-           }
-       }
+    }
+
+    // Default attributes
+    $rauth->putAttribute(RADIUS_NAS_PORT, $nas_port);
+
+    // Send request
+
+    $result = $rauth->send();
+    if (PEAR::isError($result)) {
+        $retvalue['auth_val'] = 1;
+        $retvalue['error'] = $result->getMessage();
+        if ($debug)
+            printf("Radius send failed: %s<br>\n", $retvalue['error']);
+    } else if ($result === true) {
+        $retvalue['auth_val'] = 2;
+        if ($debug)
+            printf("Radius Auth succeeded<br>\n");
+    } else {
+        $retvalue['auth_val'] = 3;
+        if ($debug)
+            printf("Radius Auth rejected<br>\n");
+    }
+
+    // Get attributes, even if auth failed.
+    // We will push the results in the retvalue array
+    if (!$rauth->getAttributes()) {
+        $retvalue['error'] = $rauth->getError();
+        if ($debug)
+            printf("Radius getAttributes: No attributes<br>\n", $retvalue['error']);
+    } else {
+        $retvalue = array_merge($retvalue,$rauth->listAttributes());
+        if ($debug) {
+            if (!$rauth->listAttributes())
+                printf("No Attributes<br>\n");
+            else
+            print_r($rauth->listAttributes());
+        }
+        // We convert the session_terminate_time to unixtimestamp if its set before returning the whole array to our caller
+        if (!empty($retvalue['session_terminate_time'])) {
+        $stt = &$retvalue['session_terminate_time'];
+        $stt = strtotime(preg_replace("/\+(\d+):(\d+)$/", " +\${1}\${2}", preg_replace("/(\d+)T(\d+)/", "\${1} \${2}",$stt)));
+         }
+    }
      }
 
      // close OO RADIUS_AUTHENTICATION