Commit Graph

22 Commits

Author SHA1 Message Date
novel
60802ef7dc Add a new option for ppp.conf: rad_port_id. It allows to
change the way of what ppp submits to the RADIUS server
as NAS-Port-Id. Possible options are: the PID of the process
owning the corresponding interface, tun(4) interface number,
interface index (as it would get returned by if_nametoindex(3)),
or it's possible to keep the default behavior. Check the ppp(8)
manual page for details.

PR:		bin/112764
Submitted by:	novel (myself)
Reviewed by:	flz
Approved by:	flz
MFC after:	1 month
2007-05-25 13:45:49 +00:00
brian
20455e62c2 Add a radius_Flush() function that waits for the response (or timeout) to
any pending RADIUS transaction.  Use this before sending RAD_STOP RADIUS
messages so that we definitely ``stop'' the session.

It was discovered that sometimes when the link timed out, we got lucky
enough to have an un-ACK'd RADIUS accounting transaction in progress,
resulting in the RAD_STOP message failing to send.

Original report found on:	A russion news group
Text translated by:		glebius
Tested by:			Alexey Popov llp at iteranet dot com
MFC after:			7 days
2005-01-27 14:09:33 +00:00
brian
e2c3152e77 Support a ``set rad_alive N'' command to enable periodic RADIUS accounting
information being sent to the RADIUS server.

Logging of RADIUS accounting information moves to a ``set log [+-]radius''
level, along with the RADIUS alive info, and the version number is bumped
to 3.2 to reflect this.

Mostly submitted by:	alx@sm.ukrtel.net (back in January)
MFC after:		3 weeks
2004-07-17 01:07:53 +00:00
ume
7407066674 name union. 2003-06-28 15:37:04 +00:00
ume
181d2a900a IPV6PREFIX is set when Framed-IPv6-Prefix is defined, You may
want to pass the value to upper layer protocol such as DHCPv6
for prefix delegation.

MFC after:	1 week
2003-06-20 16:15:59 +00:00
ume
29e5dc90df Do RADIUS accounting on IPV6CP.
MFC after:	1 week
2003-06-19 18:55:49 +00:00
ume
3a0fbd5a35 Oops, I put unused variable in my previous commit.
MFC after:	1 week
2003-06-19 18:28:37 +00:00
ume
b702eda642 Install routes specified by Framed-IPv6-Route. Since the format
of Framed-IPv6-Route is user defined, it follows Framed-IP-route.

MFC after:	1 week
2003-06-19 18:19:31 +00:00
brian
50179a5819 Compensate for dodgy Win98/WinME MSCHAPv2 responses later in the code
path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.

Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.

While we're here, don't bother passing the peer challenge into
radius_Authenticate().  It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).

This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.
2002-06-17 01:12:38 +00:00
brian
72243fc694 Remove whitespace at the end of lines. 2002-06-15 08:03:30 +00:00
brian
64df596967 Understand the following Microsoft Vendor Specific RADIUS attributes:
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
  RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
  RAD_MICROSOFT_MS_MPPE_RECV_KEY
  RAD_MICROSOFT_MS_MPPE_SEND_KEY

These attributes may be supplied by a RADIUS server when MSCHAPv2 is
used to authenticate.

It *should* now be possible to build ppp with -DNODES and still support
CHAP/MSCHAP/MSCHAPv2/MPPE via a RADIUS server, but the code isn't yet
smart enough to do that (building with -DNODES just looses these
facilities).

Sponsored by: Monzoon
2002-06-12 00:33:17 +00:00
brian
6efbe1505f Handle MS-CHAPv2 authentication correctly via the RADIUS server (if it's
configured).
Handle internal failures in radius_Authenticate() correctly.
Bump the ppp version number.

This doesn't yet work with MPPE.  More will follow.

Sponsored by: Mozoon
2002-05-16 13:34:20 +00:00
brian
1947582c12 Add support for MS-CHAP authentication via a RADIUS server.
Add support for Reply-Message and MS-CHAP-Error.

Sponsored by:	Monzoon
2002-05-10 03:11:35 +00:00
brian
920f339ee0 Understand the Session-Timeout RADIUS attribute
Store the Filter-Id attribute (we don't do anything with it yet)

Submitted mostly by: andrew pavlov <and@kremenchug.net>
2002-05-07 10:06:54 +00:00
hosokawa
cce077344b Get tun P2P address from the local pool if RADIUS server returned
255.255.255.254 as client ipaddr.

Reviewed-By:	freebsd-net mailing list
2002-04-04 08:43:00 +00:00
brian
9e1dc5332d Don't assume challenges and responses don't contain embedded '\0's.
Mschapv2 response generation may produce embedded NULs... causing
us to send a bogus response to the radius server and end up
failing the client's valid response.

Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>
2001-04-01 22:39:17 +00:00
brian
298eccdc14 MAXPATHLEN -> PATH_MAX
Don't assume MAXHOSTNAMELEN includes the NUL
Correct a diagnostic
Use "localhost" in our prompt instead of ""
2001-03-08 23:51:50 +00:00
brian
cb1cdc90fa Support radius accounting, and add a packet count to throughput
statistics as a side effect.

Submitted by: Marcin Cieslak <saper@system.pl>

with some tweaks to RAD_ACCT_SESSION_ID and
RAD_ACCT_MULTI_SESSION_ID generation by me.
2000-08-28 22:44:54 +00:00
brian
9c5b52bb1f To avoid namespace polution in NetBSD:
``struct descriptor'' -> ``struct fdescriptor''
2000-03-14 01:46:09 +00:00
peter
efabb9ccb1 $Id$ -> $FreeBSD$ 1999-08-28 01:35:59 +00:00
brian
4435d086fa Decouple pap & chap output routines from the corresponding
input routines and take advantage of the new init/continue
interface in libradius.  This allows a timely response on
other links in an MP setup while RADIUS requests are in
progress as well as the ability to handle other data from
the peer in parallel.  It should also make the future addition
of PAM support trivial.

While I'm in there, validate pap & chap header IDs if
``idcheck'' is enabled (the default) for other FSM packet
types.

NOTE: This involved integrating the generation of chap
      challenges and the validation of chap responses
      (and commenting what's going on in those routines).
      I currently have no way of testing ppps ability
      to respond to M$Chap CHALLENGEs correctly, so if
      someone could do the honours, it'd be much
      appreciated (it *looks* ok!).

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
brian
c970e06ccf Initial RADIUS support (using libradius). See the man page for
details.  Compiling with -DNORADIUS (the default for `release')
removes support.

TODO: The functionality in libradius::rad_send_request() needs
      to be supplied as a set of routines so that ppp doesn't
      have to wait indefinitely for the radius server(s).  Instead,
      we need to get a descriptor back, select() on the descriptor,
      and ask libradius to service it when necessary.
      For now, ppp blocks SIGALRM while in rad_send_request(), so
      it misses PAP/CHAP retries & timeouts if they occur.

      Only PAP is functional.  When CHAP is attempted, libradius
      complains that no User-Password has been specified... rfc2138
      says that it *mustn't* be used for CHAP :-(

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00