1 /***********************************************************************
5 * RADIUS plugin for pppd. Performs PAP, CHAP, MS-CHAP, MS-CHAPv2
6 * authentication using RADIUS.
8 * Copyright (C) 2002 Roaring Penguin Software Inc.
10 * Based on a patch for ipppd, which is:
11 * Copyright (C) 1996, Matjaz Godec <gody@elgo.si>
12 * Copyright (C) 1996, Lars Fenneberg <in5y050@public.uni-hamburg.de>
13 * Copyright (C) 1997, Miguel A.L. Paraz <map@iphil.net>
15 * Uses radiusclient library, which is:
16 * Copyright (C) 1995,1996,1997,1998 Lars Fenneberg <lf@elemental.net>
17 * Copyright (C) 2002 Roaring Penguin Software Inc.
19 * This plugin may be distributed according to the terms of the GNU
20 * General Public License, version 2 or (at your option) any later version.
22 ***********************************************************************/
23 static char const RCSID[] =
24 "$Id: radius.c,v 1.7 2002/03/12 00:28:56 dfs Exp $";
31 #include "radiusclient.h"
35 #include <sys/types.h>
40 static char *config_file = NULL;
42 static option_t Options[] = {
43 { "radius-config-file", o_string, &config_file },
47 static int radius_secret_check(void);
48 static int radius_pap_auth(char *user,
51 struct wordlist **paddrs,
52 struct wordlist **popts);
53 static int radius_chap_auth(char *user,
58 static void radius_ip_up(void *opaque, int arg);
59 static void radius_ip_down(void *opaque, int arg);
60 static void make_username_realm(char *user);
61 static int radius_setparams(chap_state *cstate, VALUE_PAIR *vp, char *msg);
62 static void radius_choose_ip(u_int32_t *addrp);
63 static int radius_init(char *msg);
64 static int get_client_port(char *ifname);
65 static int radius_allowed_address(u_int32_t addr);
68 #define MAXSESSIONID 32
72 int accounting_started;
79 char user[MAXNAMELEN];
80 char config_file[MAXPATHLEN];
81 char session_id[MAXSESSIONID + 1];
83 SERVER *authserver; /* Authentication server to use */
84 SERVER *acctserver; /* Accounting server to use */
87 void (*radius_attributes_hook)(VALUE_PAIR *) = NULL;
89 /* The pre_auth_hook MAY set authserver and acctserver if it wants.
90 In that case, they override the values in the radiusclient.conf file */
91 void (*radius_pre_auth_hook)(char const *user,
93 SERVER **acctserver) = NULL;
95 static struct radius_state rstate;
97 char pppd_version[] = VERSION;
99 /**********************************************************************
100 * %FUNCTION: plugin_init
106 * Initializes RADIUS plugin.
107 ***********************************************************************/
111 pap_check_hook = radius_secret_check;
112 pap_auth_hook = radius_pap_auth;
114 chap_check_hook = radius_secret_check;
115 chap_auth_hook = radius_chap_auth;
117 ip_choose_hook = radius_choose_ip;
118 allowed_address_hook = radius_allowed_address;
120 add_notifier(&ip_up_notifier, radius_ip_up, NULL);
121 add_notifier(&ip_down_notifier, radius_ip_down, NULL);
123 memset(&rstate, 0, sizeof(rstate));
125 strlcpy(rstate.config_file, "/etc/radiusclient/radiusclient.conf",
126 sizeof(rstate.config_file));
128 add_options(Options);
130 info("RADIUS plugin initialized.");
133 /**********************************************************************
134 * %FUNCTION: radius_secret_check
138 * 1 -- we are ALWAYS willing to supply a secret. :-)
140 * Tells pppd that we will try to authenticate the peer, and not to
141 * worry about looking in /etc/ppp/*-secrets
142 ***********************************************************************/
144 radius_secret_check(void)
149 /**********************************************************************
150 * %FUNCTION: radius_choose_ip
152 * addrp -- where to store the IP address
156 * If RADIUS server has specified an IP address, it is stored in *addrp.
157 ***********************************************************************/
159 radius_choose_ip(u_int32_t *addrp)
161 if (rstate.choose_ip) {
162 *addrp = rstate.ip_addr;
166 /**********************************************************************
167 * %FUNCTION: radius_pap_auth
169 * user -- user-name of peer
170 * passwd -- password supplied by peer
171 * msgp -- Message which will be sent in PAP response
172 * paddrs -- set to a list of possible peer IP addresses
173 * popts -- set to a list of additional pppd options
175 * 1 if we can authenticate, -1 if we cannot.
177 * Performs PAP authentication using RADIUS
178 ***********************************************************************/
180 radius_pap_auth(char *user,
183 struct wordlist **paddrs,
184 struct wordlist **popts)
186 VALUE_PAIR *send, *received;
189 static char radius_msg[BUF_LEN];
194 if (radius_init(radius_msg) < 0) {
198 /* Put user with potentially realm added in rstate.user */
199 make_username_realm(user);
201 if (radius_pre_auth_hook) {
202 radius_pre_auth_hook(rstate.user,
210 /* Hack... the "port" is the ppp interface number. Should really be
212 rstate.client_port = get_client_port(ifname);
215 rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
218 rc_avpair_add(&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
220 rc_avpair_add(&send, PW_USER_NAME, rstate.user , 0, VENDOR_NONE);
221 rc_avpair_add(&send, PW_USER_PASSWORD, passwd, 0, VENDOR_NONE);
222 if (*remote_number) {
223 rc_avpair_add(&send, PW_CALLING_STATION_ID, remote_number, 0,
227 if (rstate.authserver) {
228 result = rc_auth_using_server(rstate.authserver,
229 rstate.client_port, send,
230 &received, radius_msg);
232 result = rc_auth(rstate.client_port, send, &received, radius_msg);
235 if (result == OK_RC) {
236 if (radius_setparams(NULL, received, radius_msg) < 0) {
241 /* free value pairs */
242 rc_avpair_free(received);
243 rc_avpair_free(send);
245 return (result == OK_RC) ? 1 : 0;
248 /**********************************************************************
249 * %FUNCTION: radius_chap_auth
251 * user -- user-name of peer
252 * remmd -- hash received from peer
253 * remmd_len -- length of remmd
254 * cstate -- pppd's chap_state structure
256 * CHAP_SUCCESS if we can authenticate, CHAP_FAILURE if we cannot.
258 * Performs CHAP, MS-CHAP and MS-CHAPv2 authentication using RADIUS
259 ***********************************************************************/
261 radius_chap_auth(char *user,
266 VALUE_PAIR *send, *received;
268 static char radius_msg[BUF_LEN];
270 u_char cpassword[MAX_RESPONSE_LENGTH + 1];
273 if (radius_init(radius_msg) < 0) {
274 error("%s", radius_msg);
278 /* return error for types we can't handle */
279 if ((cstate->chal_type != CHAP_DIGEST_MD5)
281 && (cstate->chal_type != CHAP_MICROSOFT)
282 && (cstate->chal_type != CHAP_MICROSOFT_V2)
285 error("RADIUS: Challenge type %u unsupported", cstate->chal_type);
289 /* Put user with potentially realm added in rstate.user */
290 if (!rstate.done_chap_once) {
291 make_username_realm(user);
292 rstate.client_port = get_client_port (ifname);
293 if (radius_pre_auth_hook) {
294 radius_pre_auth_hook(rstate.user,
300 send = received = NULL;
303 rc_avpair_add (&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
306 rc_avpair_add (&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
308 rc_avpair_add (&send, PW_USER_NAME, rstate.user , 0, VENDOR_NONE);
311 * add the challenge and response fields
313 switch (cstate->chal_type) {
314 case CHAP_DIGEST_MD5:
315 /* CHAP-Challenge and CHAP-Password */
316 cpassword[0] = cstate->chal_id;
317 memcpy(&cpassword[1], remmd, MD5_SIGNATURE_SIZE);
319 rc_avpair_add(&send, PW_CHAP_CHALLENGE,
320 cstate->challenge, cstate->chal_len, VENDOR_NONE);
321 rc_avpair_add(&send, PW_CHAP_PASSWORD,
322 cpassword, MD5_SIGNATURE_SIZE + 1, VENDOR_NONE);
328 /* MS-CHAP-Challenge and MS-CHAP-Response */
329 MS_ChapResponse *rmd = (MS_ChapResponse *) remmd;
330 u_char *p = cpassword;
332 *p++ = cstate->chal_id;
333 /* The idiots use a different field order in RADIUS than PPP */
334 memcpy(p, rmd->UseNT, sizeof(rmd->UseNT));
335 p += sizeof(rmd->UseNT);
336 memcpy(p, rmd->LANManResp, sizeof(rmd->LANManResp));
337 p += sizeof(rmd->LANManResp);
338 memcpy(p, rmd->NTResp, sizeof(rmd->NTResp));
340 rc_avpair_add(&send, PW_MS_CHAP_CHALLENGE,
341 cstate->challenge, cstate->chal_len, VENDOR_MICROSOFT);
342 rc_avpair_add(&send, PW_MS_CHAP_RESPONSE,
343 cpassword, MS_CHAP_RESPONSE_LEN + 1, VENDOR_MICROSOFT);
347 case CHAP_MICROSOFT_V2:
349 /* MS-CHAP-Challenge and MS-CHAP2-Response */
350 MS_Chap2Response *rmd = (MS_Chap2Response *) remmd;
351 u_char *p = cpassword;
353 *p++ = cstate->chal_id;
354 /* The idiots use a different field order in RADIUS than PPP */
355 memcpy(p, rmd->Flags, sizeof(rmd->Flags));
356 p += sizeof(rmd->Flags);
357 memcpy(p, rmd->PeerChallenge, sizeof(rmd->PeerChallenge));
358 p += sizeof(rmd->PeerChallenge);
359 memcpy(p, rmd->Reserved, sizeof(rmd->Reserved));
360 p += sizeof(rmd->Reserved);
361 memcpy(p, rmd->NTResp, sizeof(rmd->NTResp));
363 rc_avpair_add(&send, PW_MS_CHAP_CHALLENGE,
364 cstate->challenge, cstate->chal_len, VENDOR_MICROSOFT);
365 rc_avpair_add(&send, PW_MS_CHAP2_RESPONSE,
366 cpassword, MS_CHAP2_RESPONSE_LEN + 1, VENDOR_MICROSOFT);
374 * make authentication with RADIUS server
377 if (rstate.authserver) {
378 result = rc_auth_using_server(rstate.authserver,
379 rstate.client_port, send,
380 &received, radius_msg);
382 result = rc_auth(rstate.client_port, send, &received, radius_msg);
385 if (result == OK_RC) {
386 if (!rstate.done_chap_once) {
387 if (radius_setparams(cstate, received, radius_msg) < 0) {
388 error("%s", radius_msg);
391 rstate.done_chap_once = 1;
396 rc_avpair_free(received);
397 rc_avpair_free (send);
398 return (result == OK_RC) ? CHAP_SUCCESS : CHAP_FAILURE;
401 /**********************************************************************
402 * %FUNCTION: make_username_realm
404 * user -- the user given to pppd
408 * Copies user into rstate.user. If it lacks a realm (no "@domain" part),
409 * then the default realm from the radiusclient config file is added.
410 ***********************************************************************/
412 make_username_realm(char *user)
416 if ( user != NULL ) {
417 strlcpy(rstate.user, user, sizeof(rstate.user));
422 default_realm = rc_conf_str("default_realm");
424 if (!strchr(rstate.user, '@') &&
426 (*default_realm != '\0')) {
427 strlcat(rstate.user, "@", sizeof(rstate.user));
428 strlcat(rstate.user, default_realm, sizeof(rstate.user));
432 /**********************************************************************
433 * %FUNCTION: radius_setparams
435 * cstate -- pppd's chap_state structure
436 * vp -- received value-pairs
437 * msg -- buffer in which to place error message. Holds up to BUF_LEN chars
439 * >= 0 on success; -1 on failure
441 * Parses attributes sent by RADIUS server and sets them in pppd. Currently,
442 * used only to set IP address and MS-CHAPv2 Authenticator Response.
443 ***********************************************************************/
445 radius_setparams(chap_state *cstate, VALUE_PAIR *vp, char *msg)
448 int ms_chap2_success = 0;
450 /* Send RADIUS attributes to anyone else who might be interested */
451 if (radius_attributes_hook) {
452 (*radius_attributes_hook)(vp);
456 * service type (if not framed then quit),
457 * new IP address (RADIUS can define static IP for some users),
461 if ((vp->attribute == PW_SERVICE_TYPE) &&
462 (vp->vendorcode == VENDOR_NONE)) {
463 /* check for service type */
464 /* if not FRAMED then exit */
465 if (vp->lvalue != PW_FRAMED) {
466 slprintf(msg, BUF_LEN, "RADIUS: wrong service type %ld for %s",
467 vp->lvalue, rstate.user);
470 } else if ((vp->attribute == PW_FRAMED_PROTOCOL) &&
471 (vp->vendorcode == VENDOR_NONE)) {
472 /* check for framed protocol type */
473 /* if not PPP then also exit */
474 if (vp->lvalue != PW_PPP) {
475 slprintf(msg, BUF_LEN, "RADIUS: wrong framed protocol %ld for %s",
476 vp->lvalue, rstate.user);
479 } else if ((vp->attribute == PW_SESSION_TIMEOUT) &&
480 (vp->vendorcode == VENDOR_NONE)) {
481 /* Session timeout */
482 maxconnect = vp->lvalue;
483 } else if ((vp->attribute == PW_FRAMED_IP_ADDRESS) &&
484 (vp->vendorcode == VENDOR_NONE)) {
485 /* seting up remote IP addresses */
487 if (remote == 0xffffffff) {
488 /* 0xffffffff means user should be allowed to select one */
489 rstate.any_ip_addr_ok = 1;
490 } else if (remote != 0xfffffffe) {
491 /* 0xfffffffe means NAS should select an ip address */
492 remote = htonl(vp->lvalue);
493 if (bad_ip_adrs (remote)) {
494 slprintf(msg, BUF_LEN, "RADIUS: bad remote IP address %I for %s",
495 remote, rstate.user);
498 rstate.choose_ip = 1;
499 rstate.ip_addr = remote;
502 } else if ((vp->attribute == PW_MS_CHAP2_SUCCESS) &&
503 (vp->vendorcode == VENDOR_MICROSOFT)) {
504 if ((vp->lvalue != 43) || strncmp(vp->strvalue + 1, "S=", 2)) {
505 slprintf(msg, BUF_LEN, "RADIUS: bad MS-CHAP2-Success packet");
508 memcpy(cstate->saresponse, vp->strvalue + 3,
509 MS_AUTH_RESPONSE_LENGTH);
510 cstate->saresponse[MS_AUTH_RESPONSE_LENGTH] = '\0';
511 ms_chap2_success = 1;
517 /* Require a valid MS-CHAP2-SUCCESS for MS-CHAPv2 auth */
518 if (cstate && (cstate->chal_type == CHAP_MICROSOFT_V2) && !ms_chap2_success)
524 /**********************************************************************
525 * %FUNCTION: radius_acct_start
531 * Sends a "start" accounting message to the RADIUS server.
532 ***********************************************************************/
534 radius_acct_start(void)
538 VALUE_PAIR *send = NULL;
539 ipcp_options *ho = &ipcp_hisoptions[0];
542 if (!rstate.initialized) {
546 rstate.start_time = time(NULL);
548 strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id));
550 rc_avpair_add(&send, PW_ACCT_SESSION_ID,
551 rstate.session_id, 0, VENDOR_NONE);
552 rc_avpair_add(&send, PW_USER_NAME,
553 rstate.user, 0, VENDOR_NONE);
555 av_type = PW_STATUS_START;
556 rc_avpair_add(&send, PW_ACCT_STATUS_TYPE, &av_type, 0, VENDOR_NONE);
559 rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
562 rc_avpair_add(&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
564 if (*remote_number) {
565 rc_avpair_add(&send, PW_CALLING_STATION_ID,
566 remote_number, 0, VENDOR_NONE);
570 rc_avpair_add(&send, PW_ACCT_AUTHENTIC, &av_type, 0, VENDOR_NONE);
574 rc_avpair_add(&send, PW_NAS_PORT_TYPE, &av_type, 0, VENDOR_NONE);
576 hisaddr = ho->hisaddr;
577 av_type = htonl(hisaddr);
578 rc_avpair_add(&send, PW_FRAMED_IP_ADDRESS , &av_type , 0, VENDOR_NONE);
580 if (rstate.acctserver) {
581 result = rc_acct_using_server(rstate.acctserver,
582 rstate.client_port, send);
584 result = rc_acct(rstate.client_port, send);
587 rc_avpair_free(send);
589 if (result != OK_RC) {
590 /* RADIUS server could be down so make this a warning */
592 "Accounting START failed for %s", rstate.user);
594 rstate.accounting_started = 1;
598 /**********************************************************************
599 * %FUNCTION: radius_acct_stop
605 * Sends a "stop" accounting message to the RADIUS server.
606 ***********************************************************************/
608 radius_acct_stop(void)
611 VALUE_PAIR *send = NULL;
612 ipcp_options *ho = &ipcp_hisoptions[0];
616 if (!rstate.initialized) {
620 if (!rstate.accounting_started) {
624 rstate.accounting_started = 0;
625 rc_avpair_add(&send, PW_ACCT_SESSION_ID, rstate.session_id,
628 rc_avpair_add(&send, PW_USER_NAME, rstate.user, 0, VENDOR_NONE);
630 av_type = PW_STATUS_STOP;
631 rc_avpair_add(&send, PW_ACCT_STATUS_TYPE, &av_type, 0, VENDOR_NONE);
634 rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
637 rc_avpair_add(&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
640 rc_avpair_add(&send, PW_ACCT_AUTHENTIC, &av_type, 0, VENDOR_NONE);
643 if (link_stats_valid) {
644 av_type = link_connect_time;
645 rc_avpair_add(&send, PW_ACCT_SESSION_TIME, &av_type, 0, VENDOR_NONE);
647 av_type = link_stats.bytes_out;
648 rc_avpair_add(&send, PW_ACCT_OUTPUT_OCTETS, &av_type, 0, VENDOR_NONE);
650 av_type = link_stats.bytes_in;
651 rc_avpair_add(&send, PW_ACCT_INPUT_OCTETS, &av_type, 0, VENDOR_NONE);
653 av_type = link_stats.pkts_out;
654 rc_avpair_add(&send, PW_ACCT_OUTPUT_PACKETS, &av_type, 0, VENDOR_NONE);
656 av_type = link_stats.pkts_in;
657 rc_avpair_add(&send, PW_ACCT_INPUT_PACKETS, &av_type, 0, VENDOR_NONE);
660 if (*remote_number) {
661 rc_avpair_add(&send, PW_CALLING_STATION_ID,
662 remote_number, 0, VENDOR_NONE);
666 rc_avpair_add(&send, PW_NAS_PORT_TYPE, &av_type, 0, VENDOR_NONE);
668 hisaddr = ho->hisaddr;
669 av_type = htonl(hisaddr);
670 rc_avpair_add(&send, PW_FRAMED_IP_ADDRESS , &av_type , 0, VENDOR_NONE);
672 if (rstate.acctserver) {
673 result = rc_acct_using_server(rstate.acctserver,
674 rstate.client_port, send);
676 result = rc_acct(rstate.client_port, send);
679 if (result != OK_RC) {
680 /* RADIUS server could be down so make this a warning */
682 "Accounting STOP failed for %s", rstate.user);
684 rc_avpair_free(send);
687 /**********************************************************************
688 * %FUNCTION: radius_ip_up
695 * Called when IPCP is up. We'll do a start-accounting record.
696 ***********************************************************************/
698 radius_ip_up(void *opaque, int arg)
703 /**********************************************************************
704 * %FUNCTION: radius_ip_down
711 * Called when IPCP is down. We'll do a stop-accounting record.
712 ***********************************************************************/
714 radius_ip_down(void *opaque, int arg)
719 /**********************************************************************
720 * %FUNCTION: radius_init
722 * msg -- buffer of size BUF_LEN for error message
724 * negative on failure; non-negative on success
726 * Initializes radiusclient library
727 ***********************************************************************/
729 radius_init(char *msg)
731 if (rstate.initialized) {
735 if (config_file && *config_file) {
736 strlcpy(rstate.config_file, config_file, MAXPATHLEN-1);
739 rstate.initialized = 1;
741 if (rc_read_config(rstate.config_file) != 0) {
742 slprintf(msg, BUF_LEN, "RADIUS: Can't read config file %s",
747 if (rc_read_dictionary(rc_conf_str("dictionary")) != 0) {
748 slprintf(msg, BUF_LEN, "RADIUS: Can't read dictionary file %s",
749 rc_conf_str("dictionary"));
753 if (rc_read_mapfile(rc_conf_str("mapfile")) != 0) {
754 slprintf(msg, BUF_LEN, "RADIUS: Can't read map file %s",
755 rc_conf_str("mapfile"));
761 /**********************************************************************
762 * %FUNCTION: get_client_port
764 * ifname -- PPP interface name (e.g. "ppp7")
766 * The NAS port number (e.g. 7)
768 * Extracts the port number from the interface name
769 ***********************************************************************/
771 get_client_port(char *ifname)
774 if (sscanf(ifname, "ppp%d", &port) == 1) {
777 return rc_map2id(ifname);
780 /**********************************************************************
781 * %FUNCTION: radius_allowed_address
785 * 1 if we're allowed to use that IP address; 0 if not; -1 if we do
787 ***********************************************************************/
789 radius_allowed_address(u_int32_t addr)
791 ipcp_options *wo = &ipcp_wantoptions[0];
793 if (!rstate.choose_ip) {
794 /* If RADIUS server said any address is OK, then fine... */
795 if (rstate.any_ip_addr_ok) {
799 /* Sigh... if an address was supplied for remote host in pppd
800 options, it has to match that. */
801 if (wo->hisaddr != 0 && wo->hisaddr == addr) {
807 if (addr == rstate.ip_addr) return 1;
811 /* Useful for other plugins */
812 char *radius_logged_in_user(void)