James Carlson [Sat, 2 Nov 2002 19:48:13 +0000 (19:48 +0000)]
Added EAP support with MD5-Challenge and SRP-SHA1 methods. Tested
on Linux (with both methods) and on Solaris (just MD5-Challenge).
Fixed several Makefiles that were missing references to required
modules such as tty.o.
Frank Cusack [Sun, 27 Oct 2002 11:46:24 +0000 (11:46 +0000)]
ccp_addci(): Restore behavior of only testing kernel support for the first
compression method being offered. That way the kernel will actually use
the method being offered ...
Frank Cusack [Sat, 12 Oct 2002 02:30:21 +0000 (02:30 +0000)]
Log calling number failed authorization at warn instead of error, to be
consistent with chap/pap failed authentication log level. (And it doesn't
merit "error".)
Frank Cusack [Sat, 12 Oct 2002 01:28:05 +0000 (01:28 +0000)]
- more authentication logging uniformity
. remove duplicate logging from auth.c, now in upap.c
. auth success logs at info, auth fail at warn, auth with_peer fail at error
- add remote number checks after authentication in case a plugin modifies
authorization info
- log remote number on successful/no auth
- streamline null termination of remote name for logging
Frank Cusack [Thu, 10 Oct 2002 05:47:34 +0000 (05:47 +0000)]
Add 'remotenumber' and 'allow-number' options, for CNID purposes.
In practice, the admin can configure allow-number settings, and getty
or other programs can call ppp with the remotenumber option. remotenumber
is also available to plugins; for example the radius plugin will pass this
on as the Calling-Station-Id attribute and the radius server can make an
authentication decision based on that.
Frank Cusack [Tue, 1 Oct 2002 09:51:01 +0000 (09:51 +0000)]
Send NAS-Identifier attribute instead of NAS-IP-Address, if configured.
Set some reasonable defaults for various options, if not supplied.
Patch from Ben McKeegan.
Frank Cusack [Tue, 24 Sep 2002 11:35:22 +0000 (11:35 +0000)]
Lose the poorly thought out OPT_A3OR option flag. Fix a CHAP negotiation bug
along the way -- if the peer nak'd with a chap digest we didn't support, we
would continue to offer our first choice digest.
Frank Cusack [Thu, 12 Sep 2002 05:41:49 +0000 (05:41 +0000)]
Add support for radius Class attribute. Possibly broken if chap is set to
re-authenticate and the radius server decides to change or add the Class
attribute on a subsequent (non-initial) authentication, but no more broken
than not handling it at all.
James Carlson [Mon, 9 Sep 2002 04:19:57 +0000 (04:19 +0000)]
484: make IPCP put all options in increasing numeric order in all cases.
Also fixed unrelated problem found during testing: the reqci handling
for the deprecated IP-Addresses option was setting go->ouraddr rather
than wo->ouraddr. This caused us to get confused about the meaning of
any subsequent Configure-{Ack,Reject} from the peer, since it made it
look as though the option was illegally modified by the peer.
James Carlson [Sat, 7 Sep 2002 05:15:25 +0000 (05:15 +0000)]
Added ability to detect and use either gcc or Sun WorkShop C compiler
on Solaris. Added support for Solaris 10. Quieted down warning in
ppp_comp.c due to bad preprocessor usage. Quieted WorkShop warnings
in options.c (casting of void * to function) and pppd.h (constant too
large). Tested in 32 and 64 bit modes with gcc and WorkShop.
Make Octets-Direction flag accept value=4.
For the NAS, it is the same as Octets-Direction = Maximum (3),
but on the radius side the maximum can be computed as the
maximum in/out overall or per session/day/month/year...
David F. Skoll [Mon, 24 Jun 2002 12:57:15 +0000 (12:57 +0000)]
Patches from Frank Cusack:
- Avoid infinite loop (eventually running out of stack space) when doing
callback into ccp with MPPE enabled, by updating lcp_fsm state *before*
doing callbacks. Problem noted by Rustem Yumaev <rust@vostok-inc.com>.
- Add missing accounting attributes
- Update for newer automake; required to compile on RH 7.3
David F. Skoll [Mon, 10 Jun 2002 13:46:28 +0000 (13:46 +0000)]
Added "install-devel" Makefile target to install pppd headers required to
build pppd plugins. NOTE: Only works on Linux Makefiles; must be added for
other supported OS's.
David F. Skoll [Tue, 21 May 2002 17:26:49 +0000 (17:26 +0000)]
ECP patches from Frank Cusack:
- If encryption is required, don't bring up IP/IPv6/IPX until the
encryption negotiation has completed.
- Shut down LCP if the peer sends an LCP ConfRej instead of CCP ConfRej
to our MPPE offer. This fixes a bug where the server could not enforce
use of encryption in some cases.
- Don't send the M=<message> part of an MS-CHAPv2 success packet to peers
that don't know how to deal with it. This allows pre-win2k systems to
authenticate.
- Don't shut down lcp if MPPE was present in peer's CCP offer along with
other options. This allows pre-win2k systems to do MPPE (they offer
Stac LZS with MPPE).
- Add the beginnings of ecp.c.
- Other minor changes.
David F. Skoll [Fri, 1 Mar 2002 14:39:19 +0000 (14:39 +0000)]
Large patch from Frank Cusack <fcusack@fcusack.com> to add proper
support for MS-CHAP (client and server are now supported.)
Allow another plugin to select a different RADIUS server.
Modified radiusclient library to include two new APIs:
rc_acct_using_server and rc_auth_using_server in which caller specifies
which RADIUS servers to use, instead of using the default ones in the
config file. The /etc/radiusclient/servers file must still contain
secrets for those servers.
David F. Skoll [Tue, 12 Feb 2002 20:07:10 +0000 (20:07 +0000)]
Added new hooks:
snoop_send_hook and snoop_recv_hook allow plugins to watch the flow
of frames (typically we're interested in LCP frames). This is useful for
implementing L2TP, because the L2TP access concentrator would like to collect
some information from LCP and perhaps authentication protocols and forward
the information to the LNS.