radius's Issues

Licence mismatch

Licence file suggests GPL 3
Composer file suggests LGPL

Could these be synced to the preferred licence?

Class 'Crypt_CHAP_MSv2' not found error when using composer autoload.php

I have checked and the Pear_CHAP.php file is available.
Any idea why this is happening?

Here's the code I'm using. The error occurs when using MSCHAPv2, PAP has been tested and works fine:

        $radius = new \Dapphp\Radius\Radius();
        $radius->setServer($radius_server['server'])
               ->setSecret($radius_server['shared_secret'])
               ->setNasIpAddress($radius_server['nas_ip_address']);

        /**
         * Send auth request, select method based on protocol value
         * can be PAP, CHAP, MSCHAPv1 or MSCHAPv2
         */
        switch ($radius_server['protocol']) {
            case 'PAP':
                $response = $radius->accessRequest($_REQUEST['radius_username'], $_REQUEST['radius_password']);
                break;
            case 'CHAP':
                $radius->setChapPassword($_REQUEST['radius_password']);
                $response = $radius->accessRequest($_REQUEST['radius_username']);
                break;
            case 'MSCHAPv1':
                $radius->setMSChapPassword($_REQUEST['radius_password']);
                $response = $radius->accessRequest($_REQUEST['radius_username']);
                break;
            case 'MSCHAPv2':
                $response = $radius->accessRequestEapMsChapV2($_REQUEST['radius_username'], $_REQUEST['radius_password']);
                break;
            default:
                $response = $radius->accessRequest($_REQUEST['radius_username'], $_REQUEST['radius_password']);
                break;
        }

Supplant PEAR_Chap dependency

The included PEAR_Chap library uses mcrypt which is deprecated as of PHP 7.1.

Come up with an alternative that uses OpenSSL or the minimal requirements from something like phpseclib or other userland library.

Please Help problem with connecting MikroTik

I've been trying to connect MikroTik with the RADIUS server, and every time I execute this I face the same problem:

Access-Request failed with error 28 (Timed out while waiting for RADIUS response).

Someone please let me know how to fix this error.

RADIUS no longer works after upgrading php version to 8.1

@dapphp we were using PHP 7.4 for a while, recently migrated the entire application to PHP 8.1, everything works except RADIUS.

I suspect this has something to do with some of the deprecations and new requirements from PHP 8.0+ (e.g. certain functions such as strlen(), count(), trim() etc. will no longer accept null values and so forth).

We are basically dead in the water right now with our PHP version upgrade process. It would be really cool if dapphp/radius could be adapted to be compatible with PHP 8.0+. There is already a pull request in this regard, maybe it can be useful.

Problem with connecting MikroTik.

I've been trying to connect MikroTik with the RADIUS server, and every time I execute this I face the same problem:

Access-Request failed with error 28 (Timed out while waiting for RADIUS response).

Someone please let me know how to fix this error.

Support for CoA

Hello,

Not really an issue, more like a feature request. Do you plan to add support for https://www.ietf.org/rfc/rfc3576.txt? I don't know about other RADIUS servers, but FreeRADIUS has a coa-relay feature. You can configure FreeRADIUS to receive CoA packets and redirect them to the NAS. It is especially useful when FreeRADIUS is used along with an SQL database, and there is a PHP application which saves users in this database. Using your class, an application could use a method like disconnectRequest($username) to disconnect a user from the NAS.

If you don't plan to extend your class, could you consider making methods like clearError, decodeAttribute, generateRequestAuthenticator, parseRadiusResponsePacket, readRadiusResponse, sendRadiusRequest protected, so the class could be easily extended?

Best regards

dapphp/radius v2.5.5 can be installed in PHP 8

Hi, dapphp/radius v2.5.5 is not compatible with PHP 8, but it's possible to install the library in any PHP version.

The problem is php's version constraint in composer.json, the following code makes the library installable in ALL php versions:

{
    "require": {
        "php": ">=5.3 || <= 7.4"
    }
}

Please check: https://jubianchi.github.io/semver-check/#/%3E%3D5.3%20||%20%3C%3D%207.4/8.0.0

Instead you should write:

{
    "require": {
        "php": "^5.3 || ^7.0"
    }
}

Hope you can fix it, thanks.

Edit: I fixed a mistake in my code, it should be ^5.3 || ^7.0, not ^5.3 || ^7.3 :P
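
Why the first constraint admits PHP 8 and the second does not, as an added example that is not part of the original issue and is not Composer's own code. It is a minimal evaluator for only the operators used here (`>=`, `<=`, `^`, `||`), assuming caret bounds with a non-zero major version; the function names and the version list are constructed.

```php
<?php
// Added example, not Composer's implementation: a minimal evaluator for the
// three operators used in this issue (>=, <=, ^) joined by "||".
// Assumption: caret bounds have a non-zero major version.

/** True when $version satisfies a single constraint such as ">=5.3" or "^7.0". */
function satisfiesOne(string $version, string $constraint): bool
{
    if (!preg_match('/^(>=|<=|\^)\s*(\d+(?:\.\d+){0,2})$/', trim($constraint), $m)) {
        throw new InvalidArgumentException("Unsupported constraint: $constraint");
    }
    // Pad the bound to three components so "7.4" compares as 7.4.0.
    $parts = array_pad(explode('.', $m[2]), 3, '0');
    $bound = implode('.', $parts);
    if ($m[1] !== '^') {
        return version_compare($version, $bound, $m[1]);
    }
    // ^X.Y means >= X.Y.0 and < (X+1).0.0
    $next = ((int) $parts[0] + 1) . '.0.0';
    return version_compare($version, $bound, '>=')
        && version_compare($version, $next, '<');
}

/** "||" is a logical OR: one matching alternative is enough. */
function satisfies(string $version, string $constraint): bool
{
    foreach (explode('||', $constraint) as $alternative) {
        if (satisfiesOne($version, $alternative)) {
            return true;
        }
    }
    return false;
}

// Constructed sample versions, checked against both constraints from the issue.
$versions = ['5.2.17', '5.6.40', '7.4.33', '8.0.0', '8.3.0'];
foreach (['>=5.3 || <= 7.4', '^5.3 || ^7.0'] as $constraint) {
    foreach ($versions as $v) {
        $verdict = satisfies($v, $constraint) ? 'installable' : 'rejected';
        printf("%-18s %-7s %s\n", $constraint, $v, $verdict);
    }
}
```

Every version passes the first constraint because anything below 5.3 satisfies `<= 7.4` and anything else satisfies `>=5.3`.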

EAP-MS-CHAPv2 won't work with v2.5.5

Hi, after updating the project to dapphp/radius:v2.5.5 I couldn't login anymore.

The following code will return VALID if I use v2.5.4 and will return INVALID when using v2.5.5.

<?php

use Dapphp\Radius\Radius;

include __DIR__ . '/vendor/autoload.php';

$radius = new Radius('172.18.0.7', 'hamster');
$radius->setAttribute(32, 'login');

$valid = $radius->accessRequestEapMsChapV2('sarah.connor', 'boombastic');

echo $valid ? 'VALID' : 'NOT VALID', PHP_EOL;

This is the log:

(100) mschap: Creating challenge hash with username: sarah.connor
,(100) mschap: Client is using MS-CHAPv2
,(100) mschap: Adding MS-CHAPv2 MPPE keys
,(100) eap_mschapv2:     [mschap] = ok
,(100) eap_mschapv2:   } # authenticate = ok
,(100) eap_mschapv2: MSCHAP Success
,(100) eap: Sending EAP Request (code 1) ID 98 length 51
,(100) eap: EAP session adding &reply:State = 0xe62cc2bbe74ed8b0
,(100)     [eap] = handled
,(100)   } # authenticate = handled
,(100) Using Post-Auth-Type Challenge
,(100) # Executing group from file /etc/freeradius/sites-enabled/default
,(100)   Challenge { ... } # empty sub-section is ignored
,(100) Sent Access-Challenge Id 1 from 172.18.0.7:1812 to 172.18.0.1:35088 length 0
,(100)   EAP-Message = 0x016200331a0361002e533d41464431364639423743464443424337303745383437463346423545463344433430343235343433
,(100)   Message-Authenticator = 0x00000000000000000000000000000000
,(100)   State = 0xe62cc2bbe74ed8b0f051d4599170f449
,(100) Finished request
,Waking up in 4.9 seconds.
,(101) Received Access-Request Id 2 from 172.18.0.1:54273 to 172.18.0.7:1812 length 85
,(101)   NAS-Identifier = "login"
,(101)   User-Name = "sarah.connor"
,(101)   EAP-Message = 0x026200061a03
,(101)   Message-Authenticator = 0xf29b0443c20ce662069030e66e625d84
,(101)   State = 0xe62cc2bbe64dd8b0f051d4599170f449
,(101) session-state: No cached attributes
,(101) # Executing section authorize from file /etc/freeradius/sites-enabled/default
,(101)   authorize {
,(101)     policy filter_username {
,(101)       if (&User-Name) {
,(101)       if (&User-Name)  -> TRUE
,(101)       if (&User-Name)  {
,(101)         if (&User-Name =~ / /) {
,(101)         if (&User-Name =~ / /)  -> FALSE
,(101)         if (&User-Name =~ /@[^@]*@/ ) {
,(101)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
,(101)         if (&User-Name =~ /\.\./ ) {
,(101)         if (&User-Name =~ /\.\./ )  -> FALSE
,(101)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
,(101)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
,(101)         if (&User-Name =~ /\.$/)  {
,(101)         if (&User-Name =~ /\.$/)   -> FALSE
,(101)         if (&User-Name =~ /@\./)  {
,(101)         if (&User-Name =~ /@\./)   -> FALSE
,(101)       } # if (&User-Name)  = notfound
,(101)     } # policy filter_username = notfound
,(101)     [preprocess] = ok
,(101)     [chap] = noop
,(101)     [mschap] = noop
,(101)     [digest] = noop
,(101) suffix: Checking for suffix after "@"
,(101) suffix: No '@' in User-Name = "sarah.connor", looking up realm NULL
,(101) suffix: No such realm "NULL"
,(101)     [suffix] = noop
,(101) eap: Peer sent EAP Response (code 2) ID 98 length 6
,(101) eap: No EAP Start, assuming it's an on-going EAP conversation
,(101)     [eap] = updated
,(101) files: users: Matched entry sarah.connor at line 1
,(101)     [files] = ok
,(101)     [expiration] = noop
,(101)     [logintime] = noop
,(101) pap: WARNING: Auth-Type already set.  Not setting to PAP
,(101)     [pap] = noop
,(101)   } # authorize = updated
,(101) Found Auth-Type = eap
,(101) # Executing group from file /etc/freeradius/sites-enabled/default
,(101)   authenticate {
,(101) eap: Expiring EAP session with state 0x19a129b618f7335a
,(101) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xe62cc2bbe64dd8b0
,(101) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
,(101) eap: Failed in handler
,(101)     [eap] = invalid
,(101)   } # authenticate = invalid
,(101) Failed to authenticate the user
,(101) Using Post-Auth-Type Reject
,(101) # Executing group from file /etc/freeradius/sites-enabled/default
,(101)   Post-Auth-Type REJECT {
,(101) attr_filter.access_reject: EXPAND %{User-Name}
,(101) attr_filter.access_reject:    --> sarah.connor
,(101) attr_filter.access_reject: Matched entry DEFAULT at line 11
,(101)     [attr_filter.access_reject] = updated
,(101) eap: Expiring EAP session with state 0x19a129b618f7335a
,(101) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xe62cc2bbe64dd8b0
,(101) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
,(101) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
,(101)     [eap] = noop
,(101)     policy remove_reply_message_if_eap {
,(101)       if (&reply:EAP-Message && &reply:Reply-Message) {
,(101)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
,(101)       else {
,(101)         [noop] = noop
,(101)       } # else = noop
,(101)     } # policy remove_reply_message_if_eap = noop
,(101)   } # Post-Auth-Type REJECT = updated
,(101) Delaying response for 1.000000 seconds
,Waking up in 0.3 seconds.
,Waking up in 0.6 seconds.
,(101) Sending delayed response
,(101) Sent Access-Reject Id 2 from 172.18.0.7:1812 to 172.18.0.1:54273 length 20
,Waking up in 3.9 seconds.

Hope you can fix it, thanks.
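
A check for the failure visible in this log, as an added example that is not part of the original issue or of FreeRADIUS: it reports any `State` received in an Access-Request that the server never sent in an Access-Challenge, with the byte offsets that differ. The sample lines are copied from the log above; the function names are hypothetical.

```php
<?php
// Added example: find Access-Request State values that the server never issued.
// The sample lines are copied from the debug log in the post above.
$log = <<<'LOG'
,(100) Sent Access-Challenge Id 1 from 172.18.0.7:1812 to 172.18.0.1:35088 length 0
,(100)   State = 0xe62cc2bbe74ed8b0f051d4599170f449
,(101) Received Access-Request Id 2 from 172.18.0.1:54273 to 172.18.0.7:1812 length 85
,(101)   State = 0xe62cc2bbe64dd8b0f051d4599170f449
LOG;

/**
 * Returns one entry per received State that matches no State sent earlier,
 * with the byte offsets where it differs from the closest issued value.
 */
function findUnknownStates(string $log): array
{
    $direction = [];   // request number => "Sent" | "Received"
    $issued = [];      // State values the server sent, as hex strings
    $unknown = [];
    foreach (preg_split('/\R/', $log) as $line) {
        $line = ltrim($line, ", \t");   // the pasted log prefixes lines with ","
        if (preg_match('/^\((\d+)\) (Sent|Received) Access-/', $line, $m)) {
            $direction[$m[1]] = $m[2];
        } elseif (preg_match('/^\((\d+)\)\s+State = 0x([0-9a-f]+)$/i', $line, $m)) {
            $state = strtolower($m[2]);
            if (($direction[$m[1]] ?? '') === 'Sent') {
                $issued[] = $state;
            } elseif (!in_array($state, $issued, true)) {
                $unknown[] = ['request' => (int) $m[1], 'state' => $state,
                              'diff' => closestDiff($state, $issued)];
            }
        }
    }
    return $unknown;
}

/** Byte offsets that differ from the most similar issued State of equal length. */
function closestDiff(string $state, array $issued): ?array
{
    $best = null;
    foreach ($issued as $candidate) {
        if (strlen($candidate) !== strlen($state)) {
            continue;
        }
        $diff = array_keys(array_diff_assoc(str_split($state, 2), str_split($candidate, 2)));
        if ($best === null || count($diff) < count($best)) {
            $best = $diff;
        }
    }
    return $best;
}

print_r(findUnknownStates($log));
```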

EAP-MSCHAP v2 Issues With FreeRadius?

Trying to use the code to integrate a simple radius tester into an app and when I try to hit my freeradius server with mschapv2 test I get the following returned:

Access-Request failed with error 102 (EAP type is not EAP_MS_AUTH in access response).

If I use any other radius tester it works just fine.

        $client = new Radius();

        // set server, secret, and basic attributes
        $client->setServer( $config->auth_server_ip ) // RADIUS server address
               ->setAuthenticationPort( $config->auth_server_port )
               ->setSecret( $config->shared_secret )
               ->setTimeout( 30 )
               ->setDebug(true);

        // EAP-MSCHAP v2 authentication
        $authenticated = $client->accessRequestEapMsChapV2('radtest', '!radtest!');

        if ($authenticated === false) {
            // false returned on failure
            echo sprintf(
                "Access-Request failed with error %d (%s).\n",
                $client->getErrorCode(),
                $client->getErrorMessage()
            );
        } else {
            // access request was accepted - client authenticated successfully
            echo "Success!  Received Access-Accept response from RADIUS server.\n";
            $attributes = $client->getReceivedAttributes();
            dd($attributes);
        }

2020-06-15 04:04:46 DEBUG: Added Attribute 1 (User-Name), format S, value radtest
2020-06-15 04:04:46 DEBUG: Added Attribute 79 (EAP-Message), format S, value ���radtest
2020-06-15 04:04:46 DEBUG: Added Attribute 80 (Message-Authenticator), format S, value 
2020-06-15 04:04:46 DEBUG: Added Attribute 6 (Service-Type), format I, value 1
2020-06-15 04:04:46 DEBUG: Packet type 1 (Access-Request) sent to 192.168.10.29
2020-06-15 04:04:46 DEBUG: Attribute 1 (User-Name), length (7), format S, value radtest
2020-06-15 04:04:46 DEBUG: Attribute 79 (EAP-Message), length (12), format S, value ���radtest
2020-06-15 04:04:46 DEBUG: Attribute 80 (Message-Authenticator), length (16), format S, value 
2020-06-15 04:04:46 DEBUG: Attribute 6 (Service-Type), length (4), format I, value 1
2020-06-15 04:04:46 DEBUG: Packet type 11 (Access-Challenge) received
2020-06-15 04:04:46 DEBUG: Attribute 79 (EAP-Message), length 6, format S, value ���� 
2020-06-15 04:04:46 DEBUG: Attribute 80 (Message-Authenticator), length 16, format S, value �%��y0�?O*�X�k/w
2020-06-15 04:04:46 DEBUG: Attribute 24 (State), length 16, format S, value ��B��*[�����0�Ez
Access-Request failed with error 102 (EAP type is not EAP_MS_AUTH in access response).

Composer psr-0 autoloading

During a new composer update I got the following notification:

123 Deprecation Notice: Class Crypt_CHAP_MD5 located in ./vendor/dapphp/radius/lib/Pear_CHAP.php does not comply with psr-0 autoloading standard. It will not autoload anymore in Composer v2.0. in phar:///usr/local/bin/composer/src/Composer/Autoload/ClassMapGenerator.php:201
124 Deprecation Notice: Class Crypt_CHAP_MSv1 located in ./vendor/dapphp/radius/lib/Pear_CHAP.php does not comply with psr-0 autoloading standard. It will not autoload anymore in Composer v2.0. in phar:///usr/local/bin/composer/src/Composer/Autoload/ClassMapGenerator.php:201
125 Deprecation Notice: Class Crypt_CHAP_MSv2 located in ./vendor/dapphp/radius/lib/Pear_CHAP.php does not comply with psr-0 autoloading standard. It will not autoload anymore in Composer v2.0. in phar:///usr/local/bin/composer/src/Composer/Autoload/ClassMapGenerator.php:201

I saw the same issue got fixed 2 years ago.
Composer 2.0 is not gonna support the fix anymore.

New Tagged Release

Hi,

There hasn't been a tagged release since 2018. This makes using this package a little more awkward than it should. For example, if using PHP >= 7.4 then composer.json must specify master or exact commit IDs to get newer code than the 'current release' (see commit cfea576).

There have been many commits since 2018. Is it not time for a new tagged release?

Best,
Liam

ability to populate NAS-IPv6-Address instead of NAS-IP-Address

function Radius::setNasIpAddress() always tries to populate the NAS-IP-Address attribute, which is IPv4 only.

When invoking the lib from an IPv6 host without arguments, or the hostname as argument, this will resolve the hostname to its IPv4 address, and incorrectly create a RADIUS packet that has an IPv4 address in NAS-IP-Address, even though the request is /actually/ sent over IPv6.

When invoking the lib from an IPv6 host with an explicit IPv6 address or a $_SERVER['SERVER_ADDR'] like 2001:db8::1, the function will fail because the input is neither a resolvable hostname nor an IPv4 address.

Suggestions:

  • improve the function to detect IPv6 addresses in its first parameter, and populate the NAS-IPv6-Address attribute instead of NAS-IP-Address if so
  • for bonus points: if no argument, or argument is a hostname, determine the address family the code is currently executed on, and resolve the hostname to the matching family, and populate the corresponding attribute
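
The first suggestion above, sketched as an added example that is not dapphp/radius code. `nasAddressAttribute()` is a hypothetical helper, the treatment of IPv4-mapped addresses is an assumed policy, and the sample inputs are constructed; attribute numbers 4 and 95 are the ones RFC 2865 and RFC 3162 assign.

```php
<?php
// Added example, not dapphp/radius code. nasAddressAttribute() is a hypothetical helper.
const NAS_IP_ADDRESS   = 4;   // RFC 2865: 4-octet IPv4 address
const NAS_IPV6_ADDRESS = 95;  // RFC 3162: 16-octet IPv6 address

/**
 * Map an IP literal to the encoded RADIUS attribute for its address family.
 * Hostnames are rejected here: resolving them to the family of the outgoing
 * socket is a separate step.
 */
function nasAddressAttribute(string $address): string
{
    // Accept "[2001:db8::1]" and drop a zone index such as "fe80::1%eth0".
    $literal = preg_replace('/%.*$/', '', trim($address, '[]'));
    $packed = filter_var($literal, FILTER_VALIDATE_IP) ? inet_pton($literal) : false;
    if ($packed === false) {
        throw new InvalidArgumentException("Not an IP literal: $address");
    }
    // Assumed policy: an IPv4-mapped address (::ffff:a.b.c.d) is reported as IPv4.
    $mappedPrefix = str_repeat("\0", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mappedPrefix) {
        $packed = substr($packed, 12);
    }
    $type = strlen($packed) === 4 ? NAS_IP_ADDRESS : NAS_IPV6_ADDRESS;
    // Attribute layout: type (1 octet), length (1 octet, header included), value.
    return chr($type) . chr(strlen($packed) + 2) . $packed;
}

// Constructed sample inputs.
$inputs = ['192.0.2.10', '2001:db8::1', '[2001:db8::1]', '::ffff:192.0.2.10', 'nas.example.net'];
foreach ($inputs as $input) {
    try {
        $attr = nasAddressAttribute($input);
        printf("%-20s type=%d len=%d value=%s\n",
            $input, ord($attr[0]), ord($attr[1]), bin2hex(substr($attr, 2)));
    } catch (InvalidArgumentException $e) {
        printf("%-20s rejected: %s\n", $input, $e->getMessage());
    }
}
```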

No attribute 77

Hello!

Could you add attribute 77 (Connect-Info) or make it possible to add custom attributes?

[Feature request] multiple servers support

Hello,

I am currently using your library which fulfills its role perfectly. I would like to know if you would be able to add support for multiple servers?

My network has two Network Policy Servers, one on each domain controller. Currently I have specified the primary NPS as the RADIUS server but this is a problem in the event when the DC1 goes down (failure or maintenance). The ideal would be to be able to specify several servers (in my case with the same secret) so the library can try to join at least a second server if the first one can not be reached.

What do you think of this idea?

adding new client..

I need to add a new client with IP address and secret. Can it be added? If yes, then how? If not, can it be available in an upcoming version?

for consistency, add Message-Authenticator for PAP authentication, too

The code sets the Message-Authenticator attribute for MSCHAP and EAP-MSCHAPv2 but not for simple PAP.

While per RFC Message-Authenticator is optional for PAP, many clients and servers set it as a BCP.

So, how about adding one single LOC with a ->setIncludeMessageAuthenticator() in the PAP authentication function?
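
What the attribute adds to a PAP request, as an added example that is not dapphp/radius code: a PAP Access-Request built with Message-Authenticator (HMAC-MD5 over the whole packet with the attribute value zeroed, keyed with the shared secret) and the matching receiver-side check. All function names, the user, password and secret are constructed.

```php
<?php
// Added example, not dapphp/radius code; all names and values are constructed.

/** Encode one attribute: type, length (header included), value. */
function radiusAttr(int $type, string $value): string
{
    return chr($type) . chr(strlen($value) + 2) . $value;
}

/** RFC 2865 section 5.2 User-Password hiding for PAP. */
function hidePapPassword(string $password, string $secret, string $requestAuth): string
{
    $padded = str_pad($password, max(16, 16 * (int) ceil(strlen($password) / 16)), "\0");
    $hidden = '';
    $prev = $requestAuth;
    foreach (str_split($padded, 16) as $block) {
        $prev = $block ^ md5($secret . $prev, true);   // chain on the previous ciphertext block
        $hidden .= $prev;
    }
    return $hidden;
}

/** PAP Access-Request with Message-Authenticator (type 80) as the last attribute. */
function buildPapRequest(int $id, string $user, string $password, string $secret): string
{
    $requestAuth = random_bytes(16);
    $attrs = radiusAttr(1, $user)
           . radiusAttr(2, hidePapPassword($password, $secret, $requestAuth))
           . radiusAttr(80, str_repeat("\0", 16));          // zeroed placeholder
    $packet = pack('CCn', 1, $id, 20 + strlen($attrs)) . $requestAuth . $attrs;
    // HMAC-MD5 over the whole packet, keyed with the shared secret.
    return substr($packet, 0, -16) . hash_hmac('md5', $packet, $secret, true);
}

/** Receiver side: zero the attribute value, recompute, compare in constant time. */
function verifyMessageAuthenticator(string $packet, string $secret): bool
{
    for ($pos = 20; $pos + 2 <= strlen($packet); $pos += $len) {
        $len = ord($packet[$pos + 1]);
        if ($len < 2 || $pos + $len > strlen($packet)) {
            return false;                                   // malformed attribute
        }
        if (ord($packet[$pos]) === 80 && $len === 18) {
            $zeroed = substr_replace($packet, str_repeat("\0", 16), $pos + 2, 16);
            $expected = hash_hmac('md5', $zeroed, $secret, true);
            return hash_equals($expected, substr($packet, $pos + 2, 16));
        }
    }
    return false;                                           // attribute absent
}

$packet = buildPapRequest(1, 'alice', 'correct horse battery', 'testing123');
var_dump(verifyMessageAuthenticator($packet, 'testing123'));
$packet[25] = chr(ord($packet[25]) ^ 1);   // one bit of User-Name altered in transit
var_dump(verifyMessageAuthenticator($packet, 'testing123'));
```

This covers Access-Request packets only; for replies the HMAC is computed with the Request Authenticator of the corresponding request in place of the reply's own authenticator field.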
