Commit Graph

44 Commits

Author SHA1 Message Date
Diomidis Spinellis
dfb3194a21 Send RADIUS gigaword data when OctetsIn or OctetsOut go over UINT32_MAX.
PR:		bin/61294
Submitted by:	Boris Kovalenko
MFC after:	3 weeks
2004-05-19 21:00:42 +00:00
Hajimu UMEMOTO
2cc2a59d85 name union. 2003-06-28 15:37:04 +00:00
Hajimu UMEMOTO
ec3e98b8de IPV6PREFIX is set when Framed-IPv6-Prefix is defined, You may
want to pass the value to upper layer protocol such as DHCPv6
for prefix delegation.

MFC after:	1 week
2003-06-20 16:15:59 +00:00
Hajimu UMEMOTO
cf7c10d0b4 Do RADIUS accounting on IPV6CP.
MFC after:	1 week
2003-06-19 18:55:49 +00:00
Hajimu UMEMOTO
0fe74aa4e3 Install routes specified by Framed-IPv6-Route. Since the format
of Framed-IPv6-Route is user defined, it follows Framed-IP-route.

MFC after:	1 week
2003-06-19 18:19:31 +00:00
Brian Somers
6eafd35305 Include the correct file (stdarg.h) and use va_list rather than _BSD_VA_LIST_
Suggested by: mike
2002-08-27 20:11:58 +00:00
Brian Somers
4dc4e1ee89 Back out the previous revision
Objected to by: Andre Oppermann <oppermann@pipeline.ch>

After Andre's objection, I've re-examined rfc 2759 and noted that it
says that the domain name shouldn't be used when generating the
NT-Response field.  So it looks like the bug is in freeradius rather
than in ppp.
2002-07-04 23:33:35 +00:00
Brian Somers
27dc75f10c If we've given a domain name prefix as the authentication name, strip
it off before passing it on to the RADIUS server for authentication.
2002-07-03 20:51:13 +00:00
Brian Somers
579abfd895 Complain about (and fix) misformatted RADIUS attributes rather than silently
fixing them.
2002-06-28 09:18:15 +00:00
Brian Somers
99cfc2e2b2 Add a hack to handle RADIUS responses from peers that forget that
there's an ``Ident'' field in the MS-CHAP2-Response and
MS-CHAP-Error attributes.

The RADIATOR server seems to be guilty of this.
2002-06-23 23:38:06 +00:00
Brian Somers
250be50b72 Compensate for dodgy Win98/WinME MSCHAPv2 responses later in the code
path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.

Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.

While we're here, don't bother passing the peer challenge into
radius_Authenticate().  It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).

This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.
2002-06-17 01:12:38 +00:00
Brian Somers
10be78d3ae Remove whitespace at the end of lines. 2002-06-15 08:03:30 +00:00
Brian Somers
61fe3f63bc Remove a forgotten diagnostic 2002-06-15 01:35:03 +00:00
Brian Somers
a95b23a6b2 Don't forget to process the Ident field on the front of
RAD_MICROSOFT_MS_CHAP_ERROR and RAD_MICROSOFT_MS_CHAP2_SUCCESS
messages, and remove the hack in chap.c to ignore that ident field
on the client side.

This anomoly was hacked around during development, and I forgot to
go back and fix it properly.

Spotted by: Sergey Korolew <ds@rt.balakovo.ru>
2002-06-12 21:36:07 +00:00
Brian Somers
8fb5ef5ae2 Understand the following Microsoft Vendor Specific RADIUS attributes:
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
  RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
  RAD_MICROSOFT_MS_MPPE_RECV_KEY
  RAD_MICROSOFT_MS_MPPE_SEND_KEY

These attributes may be supplied by a RADIUS server when MSCHAPv2 is
used to authenticate.

It *should* now be possible to build ppp with -DNODES and still support
CHAP/MSCHAP/MSCHAPv2/MPPE via a RADIUS server, but the code isn't yet
smart enough to do that (building with -DNODES just looses these
facilities).

Sponsored by: Monzoon
2002-06-12 00:33:17 +00:00
Brian Somers
12b5aaba39 Cast pid_t to long for printf()ing
Obtained from:	OpenBSD
2002-06-06 01:39:46 +00:00
Brian Somers
aadbb4eab1 Don't send a RAD_NAS_IP_ADDRESS attribute as RAD_NAS_IDENTIFIER is
sufficient.

In fact, using both breaks the radiator RADIUS daemon when used with
a db as it maps both attributes to the same field value and then
fails the insert.

I decided to remove RAD_NAS_IP_ADDRESS on the basis that rfc2138 says:

      An Access-Request MUST contain a User-Name attribute.  It SHOULD
      contain either a NAS-IP-Address attribute or NAS-Identifier
      attribute (or both, although that is not recommended).  It MUST

despite the fact that this not recommended bit was removed from the
updated rfc.
2002-06-02 14:27:02 +00:00
Brian Somers
a16061b236 Handle MS-CHAPv2 authentication correctly via the RADIUS server (if it's
configured).
Handle internal failures in radius_Authenticate() correctly.
Bump the ppp version number.

This doesn't yet work with MPPE.  More will follow.

Sponsored by: Mozoon
2002-05-16 13:34:20 +00:00
Brian Somers
de59e178aa o Clean up some #includes
o Bump version number to 3.0.4
o When talking to a RADIUS server, provide a NAS-Port-Type.

  When the NAS-Port-Type is Ethernet, provide a NAS-Port value equal
  to the SESSIONID from the environment in direct mode or the
  NGM_PPPOE_SESSIONID message in other modes.  If no SESSIONID is found,
  default to the interface index in client mode or zero in server mode.

  When the NAS-Port-Type is ISDN, set the NAS-Port to the minor number
  of the physical device (ie, the N in /dev/i4brbchN).

  This makes it easier for the RADIUS server to identify the client
  WRT accounting data etc.

Prompted by:	lsz8425 <lsz8425@mail.cd.hn.cn>
2002-05-14 12:55:39 +00:00
Brian Somers
ff8e577bc6 Add support for MS-CHAP authentication via a RADIUS server.
Add support for Reply-Message and MS-CHAP-Error.

Sponsored by:	Monzoon
2002-05-10 03:11:35 +00:00
Brian Somers
bf1eaec5e8 Understand the Session-Timeout RADIUS attribute
Store the Filter-Id attribute (we don't do anything with it yet)

Submitted mostly by: andrew pavlov <and@kremenchug.net>
2002-05-07 10:06:54 +00:00
Brian Somers
30949fd4b5 o Add ipv6 support, abstracting most NCP addresses into opaque
structures (well, they're treated as opaque).

  It's now possible to manage IPv6 interface addresses and routing
  table entries and to filter IPV6 traffic whether encapsulated or
  not.

  IPV6CP support is crude for now, and hasn't been tested against
  any other implementations.

  RADIUS and IPv6 are independent of eachother for now.

  ppp.linkup/ppp.linkdown aren't currently used by IPV6CP

o Understand all protocols(5) in filter rules rather than only a select
  few.

o Allow a mask specification for the ``delete'' command.  It's now
  possible to specifically delete one of two conflicting routes.

o When creating and deleting proxy arp entries, do it for all IPv4
  interface addresses rather than doing it just for the ``current''
  peer address.

o When iface-alias isn't in effect, don't blow away manually (via ``iface
  add'') added interface addresses.

o When listening on a tcp server (diagnostic) socket, bind so that a
  tcp46 socket is created -- allowing both IPv4 and IPv6 connections.

o When displaying ICMP traffic, don't display the icmp type twice.
  When display traffic, display at least some information about unrecognised
  traffic.

o Bump version

Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-14 16:05:52 +00:00
Brian Somers
50ca6ec387 Don't assume challenges and responses don't contain embedded '\0's.
Mschapv2 response generation may produce embedded NULs... causing
us to send a bogus response to the radius server and end up
failing the client's valid response.

Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>
2001-04-01 22:39:17 +00:00
Brian Somers
26e6a622c0 MAXHOSTNAME includes space for a NUL 2001-03-09 20:31:02 +00:00
Brian Somers
5284761414 MAXPATHLEN -> PATH_MAX
Don't assume MAXHOSTNAMELEN includes the NUL
Correct a diagnostic
Use "localhost" in our prompt instead of ""
2001-03-08 23:51:50 +00:00
Brian Somers
c42627ffff Don't send an authentication failure response if we fail sending
a radius accounting packet.
2001-02-04 01:08:26 +00:00
Brian Somers
74457d3d43 Allow ``set server closed'' to close the diagnostic socket.
Allow ``set server open'' to re-open the diagnostic socket.
Handle SIGUSR1 by re-opening the diagnostic socket
When receiving SIGUSR2 (and in ``set server none''), don't forget the
socket details so that ``set server open'' and SIGUSR1 open it again.

Don't create the diagnostic socket as uid 0 !  It's far to dangerous.
2001-01-26 01:41:34 +00:00
Brian Somers
ba093e813d Use rad_acct_open() instead of rad_auth_open().
Suggested by: Victor Ivanov <v0rbiz@icon.bg>
2000-10-15 01:05:57 +00:00
Brian Somers
794c9bbc80 Support radius accounting, and add a packet count to throughput
statistics as a side effect.

Submitted by: Marcin Cieslak <saper@system.pl>

with some tweaks to RAD_ACCT_SESSION_ID and
RAD_ACCT_MULTI_SESSION_ID generation by me.
2000-08-28 22:44:54 +00:00
Brian Somers
8e7bd08ea4 Correct some typos introduced in the descriptor -> fdescriptor change. 2000-03-14 01:47:07 +00:00
Brian Somers
10e629b937 Introduce LOCALNAT and LOCALRAD defines so that the sources can stay
exactly the same in FreeBSD & OpenBSD despite libalias and libradius
being local to the ppp sources under OpenBSD.
2000-03-14 01:47:02 +00:00
Brian Somers
6b4579784c The interface list that comes back from the PF_ROUTE/NET_RT_IFLIST mib
is aligned.  Teach this to ``show route''.

Clean up some of the sockaddr parsing routines.
2000-03-14 01:46:44 +00:00
Brian Somers
f013f33ee2 To avoid namespace polution in NetBSD:
``struct descriptor'' -> ``struct fdescriptor''
2000-03-14 01:46:09 +00:00
Brian Somers
c39aa54ec8 Notice and warn about unterminated quoted strings in commands.
The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
Brian Somers
b9391689ee Back out the bogus #ifdef __NetBSD__ #include <signal.h> lines.
The original report was due to a mis-installation of the NetBS
header files :-/

Submitted by:	 Kazuyoshi Kato <kazk@yyy.or.jp>
1999-09-21 19:37:00 +00:00
Brian Somers
7e795ebe38 NetBSD has moved ``extern int errno;'' to signal.h :-/
Submitted by:	Kazuyoshi Kato <kazk@yyy.or.jp>
1999-09-20 07:36:46 +00:00
Brian Somers
f10f520361 When sending radius authentication requests:
Supply RAD_NAS_IDENTIFIER if we have a `hostname` and
  RAD_IP_ADDRESS if that hostname resolves.

  Supply RAD_NAS_PORT using the ttyslot() of the tty that
  we're authenticating on if it's a tty device.

Partially submitted by: Andriy I Pilipenko <bamby@marka.net.ua>
PR:			12225
1999-09-03 10:31:34 +00:00
Peter Wemm
97d92980a9 $Id$ -> $FreeBSD$ 1999-08-28 01:35:59 +00:00
Brian Somers
5d9e610366 o Redesign the layering mechanism and make the aliasing code part of
the layering.

  We now ``stack'' layers as soon as we open the device (when we figure
  out what we're dealing with).  A static set of `dispatch' routines are
  also declared for dealing with incoming packets after they've been
  `pulled' up through the stacked layers.

  Physical devices are now assigned handlers based on the device type
  when they're opened.  For the moment there are three device types;
  ttys, execs and tcps.

o Increment version number to 2.2
o Make an entry in [uw]tmp for non-tty -direct invocations (after
  pap/chap authentication).
o Make throughput counters quad_t's
o Account for the absolute number of mbuf malloc()s and free()s in
  ``show mem''.
o ``show modem'' becomes ``show physical''.
1999-05-08 11:07:56 +00:00
Brian Somers
28e610e378 int -> size_t 1999-04-21 08:13:25 +00:00
Brian Somers
bc76350ef9 Correct some ntohl/htonl bogons in the netmask handling.
This was pretty harmless as netmasks on a POINTOPOINT
interface are pretty much ignored, but it looked funny.

Mention the configured netmask in ``show ipcp''.

Describe in more detail what a proxy arp entry is.
1999-03-03 23:00:41 +00:00
Brian Somers
f0cdd9c021 Decouple pap & chap output routines from the corresponding
input routines and take advantage of the new init/continue
interface in libradius.  This allows a timely response on
other links in an MP setup while RADIUS requests are in
progress as well as the ability to handle other data from
the peer in parallel.  It should also make the future addition
of PAM support trivial.

While I'm in there, validate pap & chap header IDs if
``idcheck'' is enabled (the default) for other FSM packet
types.

NOTE: This involved integrating the generation of chap
      challenges and the validation of chap responses
      (and commenting what's going on in those routines).
      I currently have no way of testing ppps ability
      to respond to M$Chap CHALLENGEs correctly, so if
      someone could do the honours, it'd be much
      appreciated (it *looks* ok!).

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
Brian Somers
82d6780c9e o Send a CHAP challenge of 16 random digits when RADIUS is
configured.  This isn't strictly necessary according to the
  rfc, but it's suggested there....
o Don't forget to include our authname when sending a
  CHAP challenge when RADIUS is configured.
o Don't supply the ``16'' representing the chap answer
  length to radius_Authenticate() - libradius does this
  for us.
o When we successfully authenticate via radius_Authenticate(),
  continue with datalink_AuthOk() as expected.

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-29 22:46:31 +00:00
Brian Somers
972a1bcf5d Initial RADIUS support (using libradius). See the man page for
details.  Compiling with -DNORADIUS (the default for `release')
removes support.

TODO: The functionality in libradius::rad_send_request() needs
      to be supplied as a set of routines so that ppp doesn't
      have to wait indefinitely for the radius server(s).  Instead,
      we need to get a descriptor back, select() on the descriptor,
      and ask libradius to service it when necessary.
      For now, ppp blocks SIGALRM while in rad_send_request(), so
      it misses PAP/CHAP retries & timeouts if they occur.

      Only PAP is functional.  When CHAP is attempted, libradius
      complains that no User-Password has been specified... rfc2138
      says that it *mustn't* be used for CHAP :-(

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00