1 /***********************************************************************
5 * RADIUS plugin for pppd. Performs PAP, CHAP and MS-CHAP authentication
8 * Copyright (C) 2002 Roaring Penguin Software Inc.
10 * Based on a patch for ipppd, which is:
11 * Copyright (C) 1996, Matjaz Godec <gody@elgo.si>
12 * Copyright (C) 1996, Lars Fenneberg <in5y050@public.uni-hamburg.de>
13 * Copyright (C) 1997, Miguel A.L. Paraz <map@iphil.net>
15 * Uses radiusclient library, which is:
16 * Copyright (C) 1995,1996,1997,1998 Lars Fenneberg <lf@elemental.net>
17 * Copyright (C) 2002 Roaring Penguin Software Inc.
19 * This plugin may be distributed according to the terms of the GNU
20 * General Public License, version 2 or (at your option) any later version.
22 ***********************************************************************/
23 static char const RCSID[] =
24 "$Id: radius.c,v 1.5 2002/03/04 14:59:51 dfs Exp $";
31 #include "radiusclient.h"
35 #include <sys/types.h>
40 static char *config_file = NULL;
42 static option_t Options[] = {
43 { "radius-config-file", o_string, &config_file },
47 static int radius_secret_check(void);
48 static int radius_pap_auth(char *user,
51 struct wordlist **paddrs,
52 struct wordlist **popts);
53 static int radius_chap_auth(char *user,
58 static void radius_ip_up(void *opaque, int arg);
59 static void radius_ip_down(void *opaque, int arg);
60 static void make_username_realm(char *user);
61 static int radius_setparams(VALUE_PAIR *vp, char *msg);
62 static void radius_choose_ip(u_int32_t *addrp);
63 static int radius_init(char *msg);
64 static int get_client_port(char *ifname);
65 static int radius_allowed_address(u_int32_t addr);
68 #define MAXSESSIONID 32
72 int accounting_started;
79 char user[MAXNAMELEN];
80 char config_file[MAXPATHLEN];
81 char session_id[MAXSESSIONID + 1];
83 SERVER *authserver; /* Authentication server to use */
84 SERVER *acctserver; /* Accounting server to use */
87 void (*radius_attributes_hook)(VALUE_PAIR *) = NULL;
89 /* The pre_auth_hook MAY set authserver and acctserver if it wants.
90 In that case, they override the values in the radiusclient.conf file */
91 void (*radius_pre_auth_hook)(char const *user,
93 SERVER **acctserver) = NULL;
95 static struct radius_state rstate;
97 char pppd_version[] = VERSION;
99 /**********************************************************************
100 * %FUNCTION: plugin_init
106 * Initializes RADIUS plugin.
107 ***********************************************************************/
111 pap_check_hook = radius_secret_check;
112 pap_auth_hook = radius_pap_auth;
114 chap_check_hook = radius_secret_check;
115 chap_auth_hook = radius_chap_auth;
117 ip_choose_hook = radius_choose_ip;
118 allowed_address_hook = radius_allowed_address;
120 add_notifier(&ip_up_notifier, radius_ip_up, NULL);
121 add_notifier(&ip_down_notifier, radius_ip_down, NULL);
123 memset(&rstate, 0, sizeof(rstate));
125 strlcpy(rstate.config_file, "/etc/radiusclient/radiusclient.conf",
126 sizeof(rstate.config_file));
128 add_options(Options);
130 info("RADIUS plugin initialized.");
133 /**********************************************************************
134 * %FUNCTION: radius_secret_check
138 * 1 -- we are ALWAYS willing to supply a secret. :-)
140 * Tells pppd that we will try to authenticate the peer, and not to
141 * worry about looking in /etc/ppp/*-secrets
142 ***********************************************************************/
144 radius_secret_check(void)
149 /**********************************************************************
150 * %FUNCTION: radius_choose_ip
152 * addrp -- where to store the IP address
156 * If RADIUS server has specified an IP address, it is stored in *addrp.
157 ***********************************************************************/
159 radius_choose_ip(u_int32_t *addrp)
161 if (rstate.choose_ip) {
162 *addrp = rstate.ip_addr;
166 /**********************************************************************
167 * %FUNCTION: radius_pap_auth
169 * user -- user-name of peer
170 * passwd -- password supplied by peer
171 * msgp -- Message which will be sent in PAP response
172 * paddrs -- set to a list of possible peer IP addresses
173 * popts -- set to a list of additional pppd options
175 * 1 if we can authenticate, -1 if we cannot.
177 * Performs PAP authentication using RADIUS
178 ***********************************************************************/
180 radius_pap_auth(char *user,
183 struct wordlist **paddrs,
184 struct wordlist **popts)
186 VALUE_PAIR *send, *received;
189 static char radius_msg[BUF_LEN];
194 if (radius_init(radius_msg) < 0) {
198 /* Put user with potentially realm added in rstate.user */
199 make_username_realm(user);
201 if (radius_pre_auth_hook) {
202 radius_pre_auth_hook(rstate.user,
210 /* Hack... the "port" is the ppp interface number. Should really be
212 rstate.client_port = get_client_port(ifname);
215 rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
218 rc_avpair_add(&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
220 rc_avpair_add(&send, PW_USER_NAME, rstate.user , 0, VENDOR_NONE);
221 rc_avpair_add(&send, PW_USER_PASSWORD, passwd, 0, VENDOR_NONE);
222 if (*remote_number) {
223 rc_avpair_add(&send, PW_CALLING_STATION_ID, remote_number, 0,
227 if (rstate.authserver) {
228 result = rc_auth_using_server(rstate.authserver,
229 rstate.client_port, send,
230 &received, radius_msg);
232 result = rc_auth(rstate.client_port, send, &received, radius_msg);
235 if (result == OK_RC) {
236 if (radius_setparams(received, radius_msg) < 0) {
241 /* free value pairs */
242 rc_avpair_free(received);
243 rc_avpair_free(send);
245 return (result == OK_RC) ? 1 : 0;
248 /**********************************************************************
249 * %FUNCTION: radius_chap_auth
251 * user -- user-name of peer
252 * remmd -- hash received from peer
253 * remmd_len -- length of remmd
254 * cstate -- pppd's chap_state structure
256 * CHAP_SUCCESS if we can authenticate, CHAP_FAILURE if we cannot.
258 * Performs CHAP and MS-CHAP authentication using RADIUS
259 ***********************************************************************/
261 radius_chap_auth(char *user,
266 VALUE_PAIR *send, *received;
268 static char radius_msg[BUF_LEN];
270 u_char cpassword[MAX_RESPONSE_LENGTH + 1];
273 if (radius_init(radius_msg) < 0) {
274 error("%s", radius_msg);
278 /* return error for types we can't handle */
279 if ((cstate->chal_type != CHAP_DIGEST_MD5)
281 && (cstate->chal_type != CHAP_MICROSOFT)
284 error("RADIUS: Challenge type %u unsupported", cstate->chal_type);
288 /* Put user with potentially realm added in rstate.user */
289 if (!rstate.done_chap_once) {
290 make_username_realm(user);
291 rstate.client_port = get_client_port (ifname);
292 if (radius_pre_auth_hook) {
293 radius_pre_auth_hook(rstate.user,
299 send = received = NULL;
302 rc_avpair_add (&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
305 rc_avpair_add (&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
307 rc_avpair_add (&send, PW_USER_NAME, rstate.user , 0, VENDOR_NONE);
310 * add the challenge and response fields
312 switch (cstate->chal_type) {
313 case CHAP_DIGEST_MD5:
314 /* CHAP-Challenge and CHAP-Password */
315 cpassword[0] = cstate->chal_id;
316 memcpy(&cpassword[1], remmd, MD5_SIGNATURE_SIZE);
318 rc_avpair_add(&send, PW_CHAP_CHALLENGE,
319 cstate->challenge, cstate->chal_len, VENDOR_NONE);
320 rc_avpair_add(&send, PW_CHAP_PASSWORD,
321 cpassword, MD5_SIGNATURE_SIZE + 1, VENDOR_NONE);
327 /* MS-CHAP-Challenge and MS-CHAP-Response */
328 MS_ChapResponse *rmd = remmd;
329 u_char *p = cpassword;
331 *p++ = cstate->chal_id;
332 /* The idiots use a different field order in RADIUS than PPP */
333 memcpy(p, rmd->UseNT, sizeof(rmd->UseNT));
334 p += sizeof(rmd->UseNT);
335 memcpy(p, rmd->LANManResp, sizeof(rmd->LANManResp));
336 p += sizeof(rmd->LANManResp);
337 memcpy(p, rmd->NTResp, sizeof(rmd->NTResp));
339 rc_avpair_add(&send, PW_MS_CHAP_CHALLENGE,
340 cstate->challenge, cstate->chal_len, VENDOR_MICROSOFT);
341 rc_avpair_add(&send, PW_MS_CHAP_RESPONSE,
342 cpassword, MS_CHAP_RESPONSE_LEN + 1, VENDOR_MICROSOFT);
350 * make authentication with RADIUS server
353 if (rstate.authserver) {
354 result = rc_auth_using_server(rstate.authserver,
355 rstate.client_port, send,
356 &received, radius_msg);
358 result = rc_auth(rstate.client_port, send, &received, radius_msg);
361 if (result == OK_RC) {
362 if (!rstate.done_chap_once) {
363 if (radius_setparams(received, radius_msg) < 0) {
364 error("%s", radius_msg);
367 rstate.done_chap_once = 1;
372 rc_avpair_free(received);
373 rc_avpair_free (send);
374 return (result == OK_RC) ? CHAP_SUCCESS : CHAP_FAILURE;
377 /**********************************************************************
378 * %FUNCTION: make_username_realm
380 * user -- the user given to pppd
384 * Copies user into rstate.user. If it lacks a realm (no "@domain" part),
385 * then the default realm from the radiusclient config file is added.
386 ***********************************************************************/
388 make_username_realm(char *user)
392 if ( user != NULL ) {
393 strlcpy(rstate.user, user, sizeof(rstate.user));
398 default_realm = rc_conf_str("default_realm");
400 if (!strchr(rstate.user, '@') &&
402 (*default_realm != '\0')) {
403 strlcat(rstate.user, "@", sizeof(rstate.user));
404 strlcat(rstate.user, default_realm, sizeof(rstate.user));
408 /**********************************************************************
409 * %FUNCTION: radius_setparams
411 * vp -- received value-pairs
412 * msg -- buffer in which to place error message. Holds up to BUF_LEN chars
414 * >= 0 on success; -1 on failure
416 * Parses attributes sent by RADIUS server and sets them in pppd. Currently,
417 * used only to set IP address.
418 ***********************************************************************/
420 radius_setparams(VALUE_PAIR *vp, char *msg)
424 /* Send RADIUS attributes to anyone else who might be interested */
425 if (radius_attributes_hook) {
426 (*radius_attributes_hook)(vp);
430 * service type (if not framed then quit),
431 * new IP address (RADIUS can define static IP for some users),
435 if (vp->vendorcode == VENDOR_NONE) {
436 switch (vp->attribute) {
437 case PW_SERVICE_TYPE:
438 /* check for service type */
439 /* if not FRAMED then exit */
440 if (vp->lvalue != PW_FRAMED) {
441 slprintf(msg, BUF_LEN, "RADIUS: wrong service type %ld for %s",
442 vp->lvalue, rstate.user);
446 case PW_FRAMED_PROTOCOL:
447 /* check for framed protocol type */
448 /* if not PPP then also exit */
449 if (vp->lvalue != PW_PPP) {
450 slprintf(msg, BUF_LEN, "RADIUS: wrong framed protocol %ld for %s",
451 vp->lvalue, rstate.user);
456 case PW_FRAMED_IP_ADDRESS:
457 /* seting up remote IP addresses */
459 if (remote == 0xffffffff) {
460 /* 0xffffffff means user should be allowed to select one */
461 rstate.any_ip_addr_ok = 1;
462 } else if (remote != 0xfffffffe) {
463 /* 0xfffffffe means NAS should select an ip address */
464 remote = htonl(vp->lvalue);
465 if (bad_ip_adrs (remote)) {
466 slprintf(msg, BUF_LEN, "RADIUS: bad remote IP address %I for %s",
467 remote, rstate.user);
470 rstate.choose_ip = 1;
471 rstate.ip_addr = remote;
481 /**********************************************************************
482 * %FUNCTION: radius_acct_start
488 * Sends a "start" accounting message to the RADIUS server.
489 ***********************************************************************/
491 radius_acct_start(void)
495 VALUE_PAIR *send = NULL;
496 ipcp_options *ho = &ipcp_hisoptions[0];
499 if (!rstate.initialized) {
503 rstate.start_time = time(NULL);
505 strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id));
507 rc_avpair_add(&send, PW_ACCT_SESSION_ID,
508 rstate.session_id, 0, VENDOR_NONE);
509 rc_avpair_add(&send, PW_USER_NAME,
510 rstate.user, 0, VENDOR_NONE);
512 av_type = PW_STATUS_START;
513 rc_avpair_add(&send, PW_ACCT_STATUS_TYPE, &av_type, 0, VENDOR_NONE);
516 rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
519 rc_avpair_add(&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
521 if (*remote_number) {
522 rc_avpair_add(&send, PW_CALLING_STATION_ID,
523 remote_number, 0, VENDOR_NONE);
527 rc_avpair_add(&send, PW_ACCT_AUTHENTIC, &av_type, 0, VENDOR_NONE);
531 rc_avpair_add(&send, PW_NAS_PORT_TYPE, &av_type, 0, VENDOR_NONE);
533 hisaddr = ho->hisaddr;
534 av_type = htonl(hisaddr);
535 rc_avpair_add(&send, PW_FRAMED_IP_ADDRESS , &av_type , 0, VENDOR_NONE);
537 if (rstate.acctserver) {
538 result = rc_acct_using_server(rstate.acctserver,
539 rstate.client_port, send);
541 result = rc_acct(rstate.client_port, send);
544 rc_avpair_free(send);
546 if (result != OK_RC) {
547 /* RADIUS server could be down so make this a warning */
549 "Accounting START failed for %s", rstate.user);
551 rstate.accounting_started = 1;
555 /**********************************************************************
556 * %FUNCTION: radius_acct_stop
562 * Sends a "stop" accounting message to the RADIUS server.
563 ***********************************************************************/
565 radius_acct_stop(void)
568 VALUE_PAIR *send = NULL;
569 ipcp_options *ho = &ipcp_hisoptions[0];
573 if (!rstate.initialized) {
577 if (!rstate.accounting_started) {
581 rstate.accounting_started = 0;
582 rc_avpair_add(&send, PW_ACCT_SESSION_ID, rstate.session_id,
585 rc_avpair_add(&send, PW_USER_NAME, rstate.user, 0, VENDOR_NONE);
587 av_type = PW_STATUS_STOP;
588 rc_avpair_add(&send, PW_ACCT_STATUS_TYPE, &av_type, 0, VENDOR_NONE);
591 rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0, VENDOR_NONE);
594 rc_avpair_add(&send, PW_FRAMED_PROTOCOL, &av_type, 0, VENDOR_NONE);
597 rc_avpair_add(&send, PW_ACCT_AUTHENTIC, &av_type, 0, VENDOR_NONE);
600 if (link_stats_valid) {
601 av_type = link_connect_time;
602 rc_avpair_add(&send, PW_ACCT_SESSION_TIME, &av_type, 0, VENDOR_NONE);
604 av_type = link_stats.bytes_out;
605 rc_avpair_add(&send, PW_ACCT_OUTPUT_OCTETS, &av_type, 0, VENDOR_NONE);
607 av_type = link_stats.bytes_in;
608 rc_avpair_add(&send, PW_ACCT_INPUT_OCTETS, &av_type, 0, VENDOR_NONE);
610 av_type = link_stats.pkts_out;
611 rc_avpair_add(&send, PW_ACCT_OUTPUT_PACKETS, &av_type, 0, VENDOR_NONE);
613 av_type = link_stats.pkts_in;
614 rc_avpair_add(&send, PW_ACCT_INPUT_PACKETS, &av_type, 0, VENDOR_NONE);
617 if (*remote_number) {
618 rc_avpair_add(&send, PW_CALLING_STATION_ID,
619 remote_number, 0, VENDOR_NONE);
623 rc_avpair_add(&send, PW_NAS_PORT_TYPE, &av_type, 0, VENDOR_NONE);
625 hisaddr = ho->hisaddr;
626 av_type = htonl(hisaddr);
627 rc_avpair_add(&send, PW_FRAMED_IP_ADDRESS , &av_type , 0, VENDOR_NONE);
629 if (rstate.acctserver) {
630 result = rc_acct_using_server(rstate.acctserver,
631 rstate.client_port, send);
633 result = rc_acct(rstate.client_port, send);
636 if (result != OK_RC) {
637 /* RADIUS server could be down so make this a warning */
639 "Accounting STOP failed for %s", rstate.user);
641 rc_avpair_free(send);
644 /**********************************************************************
645 * %FUNCTION: radius_ip_up
652 * Called when IPCP is up. We'll do a start-accounting record.
653 ***********************************************************************/
655 radius_ip_up(void *opaque, int arg)
660 /**********************************************************************
661 * %FUNCTION: radius_ip_down
668 * Called when IPCP is down. We'll do a stop-accounting record.
669 ***********************************************************************/
671 radius_ip_down(void *opaque, int arg)
676 /**********************************************************************
677 * %FUNCTION: radius_init
679 * msg -- buffer of size BUF_LEN for error message
681 * negative on failure; non-negative on success
683 * Initializes radiusclient library
684 ***********************************************************************/
686 radius_init(char *msg)
688 if (rstate.initialized) {
692 if (config_file && *config_file) {
693 strlcpy(rstate.config_file, config_file, MAXPATHLEN-1);
696 rstate.initialized = 1;
698 if (rc_read_config(rstate.config_file) != 0) {
699 slprintf(msg, BUF_LEN, "RADIUS: Can't read config file %s",
704 if (rc_read_dictionary(rc_conf_str("dictionary")) != 0) {
705 slprintf(msg, BUF_LEN, "RADIUS: Can't read dictionary file %s",
706 rc_conf_str("dictionary"));
710 if (rc_read_mapfile(rc_conf_str("mapfile")) != 0) {
711 slprintf(msg, BUF_LEN, "RADIUS: Can't read map file %s",
712 rc_conf_str("mapfile"));
718 /**********************************************************************
719 * %FUNCTION: get_client_port
721 * ifname -- PPP interface name (e.g. "ppp7")
723 * The NAS port number (e.g. 7)
725 * Extracts the port number from the interface name
726 ***********************************************************************/
728 get_client_port(char *ifname)
731 if (sscanf(ifname, "ppp%d", &port) == 1) {
734 return rc_map2id(ifname);
737 /**********************************************************************
738 * %FUNCTION: radius_allowed_address
742 * 1 if we're allowed to use that IP address; 0 if not; -1 if we do
744 ***********************************************************************/
746 radius_allowed_address(u_int32_t addr)
748 ipcp_options *wo = &ipcp_wantoptions[0];
750 if (!rstate.choose_ip) {
751 /* If RADIUS server said any address is OK, then fine... */
752 if (rstate.any_ip_addr_ok) {
756 /* Sigh... if an address was supplied for remote host in pppd
757 options, it has to match that. */
758 if (wo->hisaddr != 0 && wo->hisaddr == addr) {
764 if (addr == rstate.ip_addr) return 1;
768 /* Useful for other plugins */
769 char *radius_logged_in_user(void)