|
1
|
<?php
|
|
2
|
/* vim: set expandtab tabstop=4 shiftwidth=4: */
|
|
3
|
/*
|
|
4
|
|
|
5
|
$Id$
|
|
6
|
|
|
7
|
Copyright (c) 2006, Jonathan De Graeve <jonathan.de.graeve@imelda.be>
|
|
8
|
All rights reserved.
|
|
9
|
|
|
10
|
Redistribution and use in source and binary forms, with or without
|
|
11
|
modification, are permitted provided that the following conditions
|
|
12
|
are met:
|
|
13
|
|
|
14
|
1. Redistributions of source code must retain the above copyright
|
|
15
|
notice, this list of conditions and the following disclaimer.
|
|
16
|
2. Redistributions in binary form must reproduce the above copyright
|
|
17
|
notice, this list of conditions and the following disclaimer in the
|
|
18
|
documentation and/or other materials provided with the distribution.
|
|
19
|
3. The names of the authors may not be used to endorse or promote products
|
|
20
|
derived from this software without specific prior written permission.
|
|
21
|
|
|
22
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
23
|
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
24
|
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
25
|
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
|
26
|
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
27
|
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
28
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
|
|
29
|
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
30
|
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
|
|
31
|
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
32
|
|
|
33
|
This code cannot simply be copied and put under the GNU Public License or
|
|
34
|
any other GPL-like (LGPL, GPL2) License.
|
|
35
|
|
|
36
|
This code is made possible thx to samples made by Michael Bretterklieber <michael@bretterklieber.com>
|
|
37
|
author of the PHP PECL Radius package
|
|
38
|
|
|
39
|
*/
|
|
40
|
|
|
41
|
/*
|
|
42
|
pfSense_MODULE: captiveportal
|
|
43
|
*/
|
|
44
|
|
|
45
|
/*
|
|
46
|
RADIUS ACCOUNTING START
|
|
47
|
-----------------------
|
|
48
|
*/
|
|
49
|
|
|
50
|
function RADIUS_ACCOUNTING_START($ruleno, $username, $sessionid, $radiusservers, $clientip, $clientmac) {
|
|
51
|
|
|
52
|
global $config;
|
|
53
|
|
|
54
|
$retvalue = array();
|
|
55
|
$nas_mac = mac_format(get_interface_mac($config['interfaces']['wan']['if']));
|
|
56
|
$clientmac = mac_format($clientmac);
|
|
57
|
$nas_port = $ruleno;
|
|
58
|
$radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
|
|
59
|
|
|
60
|
switch($radiusvendor) {
|
|
61
|
|
|
62
|
case 'cisco':
|
|
63
|
$calledstationid = $clientmac;
|
|
64
|
$callingstationid = $clientip;
|
|
65
|
break;
|
|
66
|
|
|
67
|
default:
|
|
68
|
$calledstationid = $nas_mac;
|
|
69
|
$callingstationid = $clientmac;
|
|
70
|
}
|
|
71
|
|
|
72
|
// Create our instance
|
|
73
|
$racct = new Auth_RADIUS_Acct_Start;
|
|
74
|
|
|
75
|
/* Different Authentication options
|
|
76
|
*
|
|
77
|
* Its possible todo other authentication methods but still do radius accounting
|
|
78
|
*
|
|
79
|
* RADIUS_AUTH_RADIUS => authenticated via Radius
|
|
80
|
* RADIUS_AUTH_LOCAL => authenticated local
|
|
81
|
* RADIUS_AUTH_REMOTE => authenticated remote
|
|
82
|
*
|
|
83
|
*/
|
|
84
|
$racct->authentic = RADIUS_AUTH_RADIUS;
|
|
85
|
|
|
86
|
// Construct data package
|
|
87
|
$racct->username = $username;
|
|
88
|
/*
|
|
89
|
Add support for more then one radiusserver.
|
|
90
|
At most 10 servers may be specified.
|
|
91
|
When multiple servers are given, they are tried in round-robin fashion until a valid response is received
|
|
92
|
*/
|
|
93
|
foreach ($radiusservers as $radsrv) {
|
|
94
|
// Add a new server to our instance
|
|
95
|
$racct->addServer($radsrv['ipaddr'], $radsrv['acctport'], $radsrv['key']);
|
|
96
|
}
|
|
97
|
|
|
98
|
if (PEAR::isError($racct->start())) {
|
|
99
|
$retvalue['acct_val'] = 1;
|
|
100
|
$retvalue['error'] = $racct->getMessage();
|
|
101
|
|
|
102
|
// If we encounter an error immediately stop this function and go back
|
|
103
|
$racct->close();
|
|
104
|
return $retvalue;
|
|
105
|
|
|
106
|
/* Old code:
|
|
107
|
* $status = $racct->start();
|
|
108
|
* if(PEAR::isError($status)) {
|
|
109
|
* if ($debug)
|
|
110
|
* printf("Radius start: %s<br>\n", $status->getMessage());
|
|
111
|
* exit;
|
|
112
|
* }
|
|
113
|
*/
|
|
114
|
}
|
|
115
|
|
|
116
|
/*
|
|
117
|
* NAS_PORT_TYPE, int => RADIUS_ETHERNET (15), RADIUS_WIRELESS_OTHER (18), RADIUS_WIRELESS_IEEE_802_11 (19)
|
|
118
|
*/
|
|
119
|
|
|
120
|
// Default attributes
|
|
121
|
$racct->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
|
|
122
|
$racct->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
|
|
123
|
$racct->putAttribute(RADIUS_NAS_PORT, $nas_port);
|
|
124
|
$racct->putAttribute(RADIUS_ACCT_SESSION_ID, $sessionid);
|
|
125
|
|
|
126
|
// Extra data to identify the client and nas
|
|
127
|
$racct->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, "addr");
|
|
128
|
$racct->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
|
|
129
|
$racct->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
|
|
130
|
|
|
131
|
// Send request
|
|
132
|
$result = $racct->send();
|
|
133
|
|
|
134
|
// Evaluation of the response
|
|
135
|
// 5 -> Accounting-Response
|
|
136
|
// See RFC2866 for this.
|
|
137
|
if (PEAR::isError($result)) {
|
|
138
|
$retvalue['acct_val'] = 1;
|
|
139
|
$retvalue['error'] = $result->getMessage();
|
|
140
|
|
|
141
|
} else if ($result === true) {
|
|
142
|
$retvalue['acct_val'] = 5 ;
|
|
143
|
|
|
144
|
} else {
|
|
145
|
$retvalue['acct_val'] = 1 ;
|
|
146
|
|
|
147
|
}
|
|
148
|
|
|
149
|
// close OO RADIUS_ACCOUNTING
|
|
150
|
$racct->close();
|
|
151
|
|
|
152
|
return $retvalue ;
|
|
153
|
|
|
154
|
}
|
|
155
|
|
|
156
|
/*
|
|
157
|
RADIUS ACCOUNTING STOP/UPDATE
|
|
158
|
-----------------------------
|
|
159
|
*/
|
|
160
|
|
|
161
|
function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusservers,$clientip,$clientmac, $term_cause = 1, $interimupdate=false,$stop_time = null) {
|
|
162
|
|
|
163
|
global $config;
|
|
164
|
|
|
165
|
$retvalue = array();
|
|
166
|
$nas_mac = mac_format(get_interface_mac($config['interfaces']['wan']['if']));
|
|
167
|
$clientmac = mac_format($clientmac);
|
|
168
|
$nas_port = $ruleno;
|
|
169
|
$radiusvendor = $config['captiveportal']['radiusvendor'] ? $config['captiveportal']['radiusvendor'] : null;
|
|
170
|
$stop_time = (empty($stop_time)) ? time() : $stop_time;
|
|
171
|
$session_time = $stop_time - $start_time;
|
|
172
|
$volume = getVolume($clientip);
|
|
173
|
$volume['input_bytes_radius'] = remainder($volume['input_bytes']);
|
|
174
|
$volume['input_gigawords'] = gigawords($volume['input_bytes']);
|
|
175
|
$volume['output_bytes_radius'] = remainder($volume['output_bytes']);
|
|
176
|
$volume['output_gigawords'] = gigawords($volume['output_bytes']);
|
|
177
|
|
|
178
|
switch($radiusvendor) {
|
|
179
|
|
|
180
|
case 'cisco':
|
|
181
|
$calledstationid = $clientmac;
|
|
182
|
$callingstationid = $clientip;
|
|
183
|
break;
|
|
184
|
|
|
185
|
default:
|
|
186
|
$calledstationid = $nas_mac;
|
|
187
|
$callingstationid = $clientmac;
|
|
188
|
}
|
|
189
|
|
|
190
|
// Create our instance, see if we should use Accounting Interim Updates or Accounting STOP messages
|
|
191
|
if ($interimupdate)
|
|
192
|
$racct = new Auth_RADIUS_Acct_Update;
|
|
193
|
else
|
|
194
|
$racct = new Auth_RADIUS_Acct_Stop;
|
|
195
|
|
|
196
|
/*
|
|
197
|
Add support for more then one radiusserver.
|
|
198
|
At most 10 servers may be specified.
|
|
199
|
When multiple servers are given, they are tried in round-robin fashion until a valid response is received
|
|
200
|
*/
|
|
201
|
foreach ($radiusservers as $radsrv) {
|
|
202
|
// Add a new server to our instance
|
|
203
|
$racct->addServer($radsrv['ipaddr'], $radsrv['acctport'], $radsrv['key']);
|
|
204
|
}
|
|
205
|
|
|
206
|
// See RADIUS_ACCOUNTING_START for info
|
|
207
|
$racct->authentic = RADIUS_AUTH_RADIUS;
|
|
208
|
|
|
209
|
// Construct data package
|
|
210
|
$racct->username = $username;
|
|
211
|
// Set session_time
|
|
212
|
$racct->session_time = $session_time;
|
|
213
|
|
|
214
|
if (PEAR::isError($racct->start())) {
|
|
215
|
$retvalue['acct_val'] = 1;
|
|
216
|
$retvalue['error'] = $racct->getMessage();
|
|
217
|
|
|
218
|
// If we encounter an error immediately stop this function and go back
|
|
219
|
$racct->close();
|
|
220
|
return $retvalue;
|
|
221
|
}
|
|
222
|
|
|
223
|
// The RADIUS PECL Package doesn't have this vars so we create them ourself
|
|
224
|
define("RADIUS_ACCT_INPUT_GIGAWORDS", "52");
|
|
225
|
define("RADIUS_ACCT_OUTPUT_GIGAWORDS", "53");
|
|
226
|
|
|
227
|
// Default attributes
|
|
228
|
$racct->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_LOGIN);
|
|
229
|
$racct->putAttribute(RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET);
|
|
230
|
$racct->putAttribute(RADIUS_NAS_PORT, $nas_port);
|
|
231
|
$racct->putAttribute(RADIUS_ACCT_SESSION_ID, $sessionid);
|
|
232
|
|
|
233
|
// Extra data to identify the client and nas
|
|
234
|
$racct->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, "addr");
|
|
235
|
$racct->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
|
|
236
|
$racct->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
|
|
237
|
|
|
238
|
// Volume stuff: Ingress
|
|
239
|
$racct->putAttribute(RADIUS_ACCT_INPUT_PACKETS, $volume['input_pkts'], "integer");
|
|
240
|
$racct->putAttribute(RADIUS_ACCT_INPUT_OCTETS, $volume['input_bytes_radius'], "integer");
|
|
241
|
$racct->putAttribute(RADIUS_ACCT_INPUT_GIGAWORDS, $volume['input_gigawords'], "integer");
|
|
242
|
// Volume stuff: Outgress
|
|
243
|
$racct->putAttribute(RADIUS_ACCT_OUTPUT_PACKETS, $volume['output_pkts'], "integer");
|
|
244
|
$racct->putAttribute(RADIUS_ACCT_OUTPUT_OCTETS, $volume['output_bytes_radius'], "integer");
|
|
245
|
$racct->putAttribute(RADIUS_ACCT_OUTPUT_GIGAWORDS, $volume['output_gigawords'], "integer");
|
|
246
|
$racct->putAttribute(RADIUS_ACCT_SESSION_TIME, $session_time, "integer");
|
|
247
|
|
|
248
|
if (!$interimupdate)
|
|
249
|
$racct->putAttribute(RADIUS_ACCT_TERMINATE_CAUSE, $term_cause);
|
|
250
|
|
|
251
|
// Send request
|
|
252
|
$result = $racct->send();
|
|
253
|
|
|
254
|
// Evaluation of the response
|
|
255
|
// 5 -> Accounting-Response
|
|
256
|
// See RFC2866 for this.
|
|
257
|
if (PEAR::isError($result)) {
|
|
258
|
$retvalue['acct_val'] = 1;
|
|
259
|
$retvalue['error'] = $result->getMessage();
|
|
260
|
|
|
261
|
} else if ($result === true) {
|
|
262
|
$retvalue['acct_val'] = 5 ;
|
|
263
|
|
|
264
|
} else {
|
|
265
|
$retvalue['acct_val'] = 1 ;
|
|
266
|
|
|
267
|
}
|
|
268
|
|
|
269
|
// close OO RADIUS_ACCOUNTING
|
|
270
|
$racct->close();
|
|
271
|
|
|
272
|
return $retvalue;
|
|
273
|
|
|
274
|
}
|
|
275
|
|
|
276
|
|
|
277
|
/**
|
|
278
|
* Radius Volume Helpers
|
|
279
|
*
|
|
280
|
*/
|
|
281
|
|
|
282
|
function gigawords($bytes) {
|
|
283
|
|
|
284
|
|
|
285
|
/*
|
|
286
|
* RFC2866 Specifies a 32bit unsigned integer, which is a max of 4294967295
|
|
287
|
* Currently there is a fault in the PECL radius_put_int function which can handle only 32bit signed integer.
|
|
288
|
*/
|
|
289
|
|
|
290
|
// We use BCMath functions since normal integers don't work with so large numbers
|
|
291
|
$gigawords = bcdiv( bcsub( $bytes, remainder($bytes) ) , 4294967295) ;
|
|
292
|
|
|
293
|
// We need to manually set this to a zero instead of NULL for put_int() safety
|
|
294
|
if (is_null($gigawords)) {
|
|
295
|
$gigawords = 0;
|
|
296
|
}
|
|
297
|
|
|
298
|
return $gigawords;
|
|
299
|
|
|
300
|
}
|
|
301
|
|
|
302
|
function remainder($bytes) {
|
|
303
|
|
|
304
|
// Calculate the bytes we are going to send to the radius
|
|
305
|
$bytes = bcmod($bytes, 4294967295);
|
|
306
|
|
|
307
|
if (is_null($bytes)) {
|
|
308
|
$bytes = 0;
|
|
309
|
}
|
|
310
|
|
|
311
|
|
|
312
|
return $bytes;
|
|
313
|
|
|
314
|
}
|
|
315
|
|
|
316
|
?>
|