Send NAS-IP-Address as well as NAS-Identifier

Add ``disable NAS-IP-Address'' and ``disable NAS-Identifier'' options to
support pre-rfc2865 RADIUS servers.
This pushes our enable/disable items over the 32 bit limit, so reorganise
things to allow a bunch more options.
Go to version 3.4.1 so that any compatibility problems can be identified.
This commit is contained in:
brian 2004-11-29 17:11:15 +00:00
parent 6800033a3c
commit 5cb5074262
6 changed files with 120 additions and 57 deletions


@ -829,12 +829,15 @@ bundle_Create(const char *prefix, int type, int unit)
bundle.cfg.idle.min_timeout = 0;
*bundle.cfg.auth.name = '\0';
*bundle.cfg.auth.key = '\0';
bundle.cfg.opt = OPT_IDCHECK | OPT_LOOPBACK | OPT_SROUTES | OPT_TCPMSSFIXUP |
OPT_THROUGHPUT | OPT_UTMP;
bundle.cfg.optmask = (1ull << OPT_IDCHECK) | (1ull << OPT_LOOPBACK) |
(1ull << OPT_SROUTES) | (1ull << OPT_TCPMSSFIXUP) |
(1ull << OPT_THROUGHPUT) | (1ull << OPT_UTMP) |
(1ull << OPT_NAS_IP_ADDRESS) |
(1ull << OPT_NAS_IDENTIFIER);
#ifndef NOINET6
bundle.cfg.opt |= OPT_IPCP;
opt_enable(&bundle, OPT_IPCP);
if (probe.ipv6_available)
bundle.cfg.opt |= OPT_IPV6CP;
opt_enable(&bundle, OPT_IPV6CP);
#endif
*bundle.cfg.label = '\0';
bundle.cfg.ifqueue = DEF_IFQUEUE;
@ -870,7 +873,7 @@ bundle_Create(const char *prefix, int type, int unit)
bundle.filter.alive.name = "ALIVE";
bundle.filter.alive.logok = 1;
{
int i;
int i;
for (i = 0; i < MAXFILTERS; i++) {
bundle.filter.in.rule[i].f_action = A_NONE;
bundle.filter.out.rule[i].f_action = A_NONE;
@ -1050,9 +1053,9 @@ bundle_ShowLinks(struct cmdargs const *arg)
}
static const char *
optval(struct bundle *bundle, int bit)
optval(struct bundle *bundle, int opt)
{
return (bundle->cfg.opt & bit) ? "enabled" : "disabled";
return Enabled(bundle, opt) ? "enabled" : "disabled";
}
int
@ -1142,6 +1145,10 @@ bundle_ShowStatus(struct cmdargs const *arg)
optval(arg->bundle, OPT_THROUGHPUT));
prompt_Printf(arg->prompt, " Utmp Logging: %s\n",
optval(arg->bundle, OPT_UTMP));
prompt_Printf(arg->prompt, " NAS-IP-Address: %-20.20s",
optval(arg->bundle, OPT_NAS_IP_ADDRESS));
prompt_Printf(arg->prompt, " NAS-Identifier: %s\n",
optval(arg->bundle, OPT_NAS_IDENTIFIER));
return 0;
}
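Review bot: The default mask at the top of the first hunk is composed by hand from `(1ull << OPT_…)` terms while the `#ifndef NOINET6` lines immediately below use `opt_enable()`, so the same hunk encodes the option layout two ways; if the shift encoding behind `Enabled`/`opt_enable` in bundle.h ever changes, only one of them follows. Either build the defaults with the macros (`bundle.cfg.optmask = 0;` then `opt_enable(&bundle, OPT_IDCHECK);` and so on) or put `/* must match the 1ull << OPT_* encoding used by Enabled() in bundle.h */` above the assignment. `optval()` now only reads through `Enabled()`, so its parameter could be `const struct bundle *bundle`. `bundle_Create` starts and ends outside the hunk.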


@ -33,27 +33,32 @@
#define PHASE_TERMINATE 4 /* Terminating link */
/* cfg.opt bit settings */
#define OPT_FILTERDECAP 0x0001
#define OPT_FORCE_SCRIPTS 0x0002 /* force chat scripts */
#define OPT_IDCHECK 0x0004
#define OPT_IFACEALIAS 0x0008
#define OPT_FILTERDECAP 1
#define OPT_FORCE_SCRIPTS 2 /* force chat scripts */
#define OPT_IDCHECK 3
#define OPT_IFACEALIAS 4
#ifndef NOINET6
#define OPT_IPCP 0x0010
#define OPT_IPV6CP 0x0020
#define OPT_IPCP 5
#define OPT_IPV6CP 6
#endif
#define OPT_KEEPSESSION 0x0040
#define OPT_LOOPBACK 0x0080
#define OPT_PASSWDAUTH 0x0100
#define OPT_PROXY 0x0200
#define OPT_PROXYALL 0x0400
#define OPT_SROUTES 0x0800
#define OPT_TCPMSSFIXUP 0x1000
#define OPT_THROUGHPUT 0x2000
#define OPT_UTMP 0x4000
#define OPT_KEEPSESSION 7
#define OPT_LOOPBACK 8
#define OPT_NAS_IP_ADDRESS 9
#define OPT_NAS_IDENTIFIER 10
#define OPT_PASSWDAUTH 11
#define OPT_PROXY 12
#define OPT_PROXYALL 13
#define OPT_SROUTES 14
#define OPT_TCPMSSFIXUP 15
#define OPT_THROUGHPUT 16
#define OPT_UTMP 17
#define OPT_MAX 17
#define MAX_ENDDISC_CLASS 5
#define Enabled(b, o) ((b)->cfg.opt & (o))
#define Enabled(b, o) ((b)->cfg.optmask & (1ull << (o)))
#define opt_enable(b, o) ((b)->cfg.optmask |= (1ull << (o)))
#define opt_disable(b, o) ((b)->cfg.optmask &= ~(1ull << (o)))
/* AutoAdjust() values */
#define AUTO_UP 1
@ -98,19 +103,19 @@ struct bundle {
struct {
struct {
unsigned timeout; /* NCP Idle timeout value */
unsigned min_timeout; /* Don't idle out before this */
unsigned timeout; /* NCP Idle timeout value */
unsigned min_timeout; /* Don't idle out before this */
} idle;
struct {
char name[AUTHLEN]; /* PAP/CHAP system name */
char key[AUTHLEN]; /* PAP/CHAP key */
char name[AUTHLEN]; /* PAP/CHAP system name */
char key[AUTHLEN]; /* PAP/CHAP key */
} auth;
unsigned opt; /* Uses OPT_ bits from above */
char label[50]; /* last thing `load'ed */
u_short ifqueue; /* Interface queue size */
unsigned long long optmask; /* Uses OPT_ bits from above */
char label[50]; /* last thing `load'ed */
u_short ifqueue; /* Interface queue size */
struct {
unsigned timeout; /* How long to leave the output queue choked */
unsigned timeout; /* How long to leave the output queue choked */
} choked;
} cfg;
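Review bot: `Enabled(b, o)` silently changes meaning in the first hunk — `o` was an OR-able bitmask and is now a single bit number shifted into `optmask` — while its name and arity stay the same, so any caller outside this diff that still passes `OPT_A | OPT_B` or a raw mask compiles cleanly and tests the wrong bit. A grep for `Enabled(` and `cfg.opt` across the tree before merging, plus a comment on the macro such as `/* o is one OPT_* bit number (1..OPT_MAX), not a mask */`, would close that gap. `OPT_MAX` is introduced here but nothing in the diff reads or checks it; a note beside it, `/* highest OPT_* value; must stay below 64 for the 1ull shift and be bumped when an option is added */`, keeps it from drifting as options are appended. Bit 0 of `optmask` is unused because numbering starts at 1, which is harmless but worth a word if intentional.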


@ -167,7 +167,7 @@
#define NEG_MPPE 54
#define NEG_CHAP81 55
const char Version[] = "3.4";
const char Version[] = "3.4.1";
static int ShowCommand(struct cmdargs const *);
static int TerminalCommand(struct cmdargs const *);
@ -2612,7 +2612,7 @@ NatEnable(struct cmdargs const *arg)
return 0;
} else if (strcasecmp(arg->argv[arg->argn], "no") == 0) {
arg->bundle->NatEnabled = 0;
arg->bundle->cfg.opt &= ~OPT_IFACEALIAS;
opt_disable(arg->bundle, OPT_IFACEALIAS);
/* Don't iface_Clear() - there may be manually configured addresses */
return 0;
}
@ -2757,24 +2757,32 @@ ident_cmd(const char *cmd, unsigned *keep, unsigned *add)
static int
OptSet(struct cmdargs const *arg)
{
int bit = (int)(long)arg->cmd->args;
unsigned keep; /* Keep these bits */
unsigned add; /* Add these bits */
int opt = (int)(long)arg->cmd->args;
unsigned keep; /* Keep this opt */
unsigned add; /* Add this opt */
if (ident_cmd(arg->argv[arg->argn - 2], &keep, &add) == NULL)
return 1;
#ifndef NOINET6
if (add == NEG_ENABLED && bit == OPT_IPV6CP && !probe.ipv6_available) {
if (add == NEG_ENABLED && opt == OPT_IPV6CP && !probe.ipv6_available) {
log_Printf(LogWARN, "IPv6 is not available on this machine\n");
return 1;
}
#endif
if (!add && ((opt == OPT_NAS_IP_ADDRESS &&
!Enabled(arg->bundle, OPT_NAS_IDENTIFIER)) ||
(opt == OPT_NAS_IDENTIFIER &&
!Enabled(arg->bundle, OPT_NAS_IP_ADDRESS)))) {
log_Printf(LogWARN,
"Cannot disable both NAS-IP-Address and NAS-Identifier\n");
return 1;
}
if (add)
arg->bundle->cfg.opt |= bit;
opt_enable(arg->bundle, opt);
else
arg->bundle->cfg.opt &= ~bit;
opt_disable(arg->bundle, opt);
return 0;
}
@ -2782,12 +2790,12 @@ OptSet(struct cmdargs const *arg)
static int
IfaceAliasOptSet(struct cmdargs const *arg)
{
unsigned save = arg->bundle->cfg.opt;
unsigned long long save = arg->bundle->cfg.optmask;
int result = OptSet(arg);
if (result == 0)
if (Enabled(arg->bundle, OPT_IFACEALIAS) && !arg->bundle->NatEnabled) {
arg->bundle->cfg.opt = save;
arg->bundle->cfg.optmask = save;
log_Printf(LogWARN, "Cannot enable iface-alias without NAT\n");
result = 2;
}
@ -2928,6 +2936,10 @@ static struct cmdtab const NegotiateCommands[] = {
"disable|enable", (const void *)OPT_KEEPSESSION},
{"loopback", NULL, OptSet, LOCAL_AUTH, "Loop packets for local iface",
"disable|enable", (const void *)OPT_LOOPBACK},
{"nas-ip-address", NULL, OptSet, LOCAL_AUTH, "Send NAS-IP-Address to RADIUS",
"disable|enable", (const void *)OPT_NAS_IP_ADDRESS},
{"nas-identifier", NULL, OptSet, LOCAL_AUTH, "Send NAS-Identifier to RADIUS",
"disable|enable", (const void *)OPT_NAS_IDENTIFIER},
{"passwdauth", NULL, OptSet, LOCAL_AUTH, "Use passwd file",
"disable|enable", (const void *)OPT_PASSWDAUTH},
{"proxy", NULL, OptSet, LOCAL_AUTH, "Create a proxy ARP entry",
@ -2944,9 +2956,9 @@ static struct cmdtab const NegotiateCommands[] = {
"disable|enable", (const void *)OPT_UTMP},
#ifndef NOINET6
#define OPT_MAX 14 /* accept/deny allowed below and not above */
#define NEG_OPT_MAX 16 /* accept/deny allowed below and not above */
#else
#define OPT_MAX 12
#define NEG_OPT_MAX 14
#endif
{"acfcomp", NULL, NegotiateSet, LOCAL_AUTH | LOCAL_CX,
@ -3018,7 +3030,7 @@ NegotiateCommand(struct cmdargs const *arg)
for (n = arg->argn; n < arg->argc; n++) {
argv[1] = arg->argv[n];
FindExec(arg->bundle, NegotiateCommands + (keep == NEG_HISMASK ?
0 : OPT_MAX), 2, 1, argv, arg->prompt, arg->cx);
0 : NEG_OPT_MAX), 2, 1, argv, arg->prompt, arg->cx);
}
} else if (arg->prompt)
prompt_Printf(arg->prompt, "Use `%s ?' to get a list.\n",
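Review bot: In `OptSet` the renamed comments `/* Keep this opt */` and `/* Add this opt */` are misleading: `keep` and `add` are still the NEG_* enable/disable selectors filled in by `ident_cmd()` — the next visible lines compare `add == NEG_ENABLED` — not the option being set, so the old "these bits" wording was closer; suggest `/* NEG_* selector from ident_cmd(): enable or disable */` on both. The new mutual-exclusion check would benefit from a why-comment above the `if (!add && …)`, e.g. `/* RFC 2865 requires NAS-IP-Address or NAS-Identifier in every Access-Request */`, since the intent is otherwise only discoverable from the man page. That check only guards the `enable`/`disable` commands; the sender in radius.c does not re-check, so a request carrying neither attribute is still possible if the NAS-IP-Address lookup fails at send time while NAS-Identifier is disabled. `IfaceAliasOptSet`'s widened `save` and its restore of `optmask` on failure look right.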


@ -393,7 +393,7 @@ main(int argc, char **argv)
SignalBundle = bundle;
bundle->NatEnabled = sw.nat;
if (sw.nat)
bundle->cfg.opt |= OPT_IFACEALIAS;
opt_enable(bundle, OPT_IFACEALIAS);
if (system_Select(bundle, "default", CONFFILE, prompt, NULL) < 0)
prompt_Printf(prompt, "Warning: No default entry found in config file.\n");


@ -3067,6 +3067,49 @@ the other end.
It is convenient to have this option enabled when
the interface is also the default route as it avoids the necessity
of a loopback route.
.It NAS-IP-Address
Default: Enabled.
This option controls whether
.Nm
sends the
.Dq NAS-IP-Address
attribute to the RADIUS server when RADIUS is in use
.Pq see Dq set radius .
.Pp
Note, at least one of
.Dq NAS-IP-Address
and
.Dq NAS-Identifier
must be enabled.
.Pp
Versions of
.Nm
prior to version 3.4.1 did not send the
.Dq NAS-IP-Address
atribute as it was reported to break the Radiator RADIUS server.
As the latest rfc (2865) no longer hints that only one of
.Dq NAS-IP-Address
and
.Dq NAS-Identifier
should be sent (as rfc 2138 did),
.Nm
now sends both and leaves it up to the administrator that chooses to use
bad RADIUS implementations to
.Dq disable NAS-IP-Address .
.It NAS-Identifier
Default: Enabled.
This option controls whether
.Nm
sends the
.Dq NAS-Identifier
attribute to the RADIUS server when RADIUS is in use
.Pq see Dq set radius .
.Pp
Note, at least one of
.Dq NAS-IP-Address
and
.Dq NAS-Identifier
must be enabled.
.It passwdauth
Default: Disabled.
Enabling this option will tell the PAP authentication


@ -856,10 +856,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
const char *what = "questionable"; /* silence warnings! */
char *mac_addr;
int got;
#if 0
struct hostent *hp;
struct in_addr hostaddr;
#endif
#ifndef NODES
struct mschap_response msresp;
struct mschap2_response msresp2;
@ -981,8 +979,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
if (gethostname(hostname, sizeof hostname) != 0)
log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
else {
#if 0
if ((hp = gethostbyname(hostname)) != NULL) {
if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) &&
(hp = gethostbyname(hostname)) != NULL) {
hostaddr.s_addr = *(u_long *)hp->h_addr;
if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
@ -991,8 +989,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
return 0;
}
}
#endif
if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
if (Enabled(authp->physical->dl->bundle, OPT_NAS_IDENTIFIER) &&
rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
rad_strerror(r->cx.rad));
rad_close(r->cx.rad);
@ -1059,10 +1057,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
int got;
char hostname[MAXHOSTNAMELEN];
char *mac_addr;
#if 0
struct hostent *hp;
struct in_addr hostaddr;
#endif
if (!*r->cfg.file)
return;
@ -1168,8 +1164,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
if (gethostname(hostname, sizeof hostname) != 0)
log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
else {
#if 0
if ((hp = gethostbyname(hostname)) != NULL) {
if (Enabled(dl->bundle, OPT_NAS_IP_ADDRESS) &&
(hp = gethostbyname(hostname)) != NULL) {
hostaddr.s_addr = *(u_long *)hp->h_addr;
if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
@ -1178,8 +1174,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
return;
}
}
#endif
if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
if (Enabled(dl->bundle, OPT_NAS_IDENTIFIER) &&
rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
rad_strerror(r->cx.rad));
rad_close(r->cx.rad);
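Review bot: The guards added in `radius_Authenticate` and `radius_Account` take the NAS-IP-Address block out of `#if 0`, so the previously dead line `hostaddr.s_addr = *(u_long *)hp->h_addr;` is now live: on LP64 platforms `u_long` is 8 bytes while `h_addr` points at `h_length` (4 for AF_INET) bytes, so this over-reads the hostent data and breaks aliasing rules. Extend the new condition and copy by size instead: `(hp = gethostbyname(hostname)) != NULL && hp->h_addrtype == AF_INET && hp->h_length == sizeof hostaddr) {` followed by `memcpy(&hostaddr, hp->h_addr, sizeof hostaddr);`. When the option is enabled but the lookup fails, the request is silently sent without NAS-IP-Address — with NAS-Identifier disabled it then carries neither attribute, which the `OptSet` check in command.c cannot prevent — so a `log_Printf(LogWARN, …)` on the failed lookup would make that visible. The `rad_put_addr` failure path also logs `"rad_put: rad_put_string: %s\n"`, a copy-paste from the identifier branch. Both functions start outside their hunks.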