Revision 3b832418
Added by Cyrill B over 12 years ago
usr/local/captiveportal/index.php | ||
---|---|---|
1 | 1 |
<?php |
2 | 2 |
/* |
3 |
$Id$
|
|
4 |
part of m0n0wall (http://m0n0.ch/wall)
|
|
5 |
|
|
6 |
Copyrigth (C) 2009 Ermal Lu?i
|
|
7 |
Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
|
|
8 |
All rights reserved.
|
|
9 |
|
|
10 |
Redistribution and use in source and binary forms, with or without
|
|
11 |
modification, are permitted provided that the following conditions are met:
|
|
12 |
|
|
13 |
1. Redistributions of source code must retain the above copyright notice,
|
|
14 |
this list of conditions and the following disclaimer.
|
|
15 |
|
|
16 |
2. Redistributions in binary form must reproduce the above copyright
|
|
17 |
notice, this list of conditions and the following disclaimer in the
|
|
18 |
documentation and/or other materials provided with the distribution.
|
|
19 |
|
|
20 |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
21 |
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
22 |
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
23 |
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
24 |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
25 |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
26 |
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
27 |
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
28 |
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
29 |
POSSIBILITY OF SUCH DAMAGE.
|
|
3 |
$Id$
|
|
4 |
part of m0n0wall (http://m0n0.ch/wall)
|
|
5 |
|
|
6 |
Copyrigth (C) 2009 Ermal Lu?i
|
|
7 |
Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
|
|
8 |
All rights reserved.
|
|
9 |
|
|
10 |
Redistribution and use in source and binary forms, with or without
|
|
11 |
modification, are permitted provided that the following conditions are met:
|
|
12 |
|
|
13 |
1. Redistributions of source code must retain the above copyright notice,
|
|
14 |
this list of conditions and the following disclaimer.
|
|
15 |
|
|
16 |
2. Redistributions in binary form must reproduce the above copyright
|
|
17 |
notice, this list of conditions and the following disclaimer in the
|
|
18 |
documentation and/or other materials provided with the distribution.
|
|
19 |
|
|
20 |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
21 |
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
22 |
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
23 |
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
24 |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
25 |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
26 |
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
27 |
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
28 |
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
29 |
POSSIBILITY OF SUCH DAMAGE.
|
|
30 | 30 |
*/ |
31 | 31 |
/* |
32 | 32 |
pfSense_MODULE: captiveportal |
... | ... | |
79 | 79 |
} |
80 | 80 |
|
81 | 81 |
if ($orig_host != $ourhostname) { |
82 |
/* the client thinks it's connected to the desired web server, but instead
|
|
83 |
it's connected to us. Issue a redirect... */
|
|
82 |
/* the client thinks it's connected to the desired web server, but instead
|
|
83 |
it's connected to us. Issue a redirect... */
|
|
84 | 84 |
|
85 |
if (isset($cpcfg['httpslogin']))
|
|
86 |
header("Location: https://{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));
|
|
87 |
else
|
|
88 |
header("Location: http://{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));
|
|
85 |
if (isset($cpcfg['httpslogin']))
|
|
86 |
header("Location: https://{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));
|
|
87 |
else
|
|
88 |
header("Location: http://{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));
|
|
89 | 89 |
|
90 |
ob_flush();
|
|
91 |
return;
|
|
90 |
ob_flush();
|
|
91 |
return;
|
|
92 | 92 |
} |
93 | 93 |
if (!empty($cpcfg['redirurl'])) |
94 | 94 |
$redirurl = $cpcfg['redirurl']; |
... | ... | |
104 | 104 |
if ($macfilter || $passthrumac) { |
105 | 105 |
$tmpres = pfSense_ip_to_mac($clientip); |
106 | 106 |
if (!is_array($tmpres)) { |
107 |
/* unable to find MAC address - shouldn't happen! - bail out */
|
|
108 |
captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
|
|
109 |
echo "An error occurred. Please check the system logs for more information.";
|
|
110 |
log_error("Captive portal could not determine client's MAC address. Disable MAC address filtering in captive portal if you do not need this functionality.");
|
|
111 |
ob_flush();
|
|
112 |
return;
|
|
107 |
/* unable to find MAC address - shouldn't happen! - bail out */
|
|
108 |
captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
|
|
109 |
echo "An error occurred. Please check the system logs for more information.";
|
|
110 |
log_error("Captive portal could not determine client's MAC address. Disable MAC address filtering in captive portal if you do not need this functionality.");
|
|
111 |
ob_flush();
|
|
112 |
return;
|
|
113 | 113 |
} |
114 | 114 |
$clientmac = $tmpres['macaddr']; |
115 | 115 |
unset($tmpres); |
... | ... | |
117 | 117 |
|
118 | 118 |
/* find out if we need RADIUS + RADIUSMAC or not */ |
119 | 119 |
if (file_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db")) { |
120 |
$radius_enable = TRUE;
|
|
121 |
if (isset($cpcfg['radmac_enable']))
|
|
122 |
$radmac_enable = TRUE;
|
|
120 |
$radius_enable = TRUE;
|
|
121 |
if (isset($cpcfg['radmac_enable']))
|
|
122 |
$radmac_enable = TRUE;
|
|
123 | 123 |
} |
124 | 124 |
|
125 | 125 |
/* find radius context */ |
... | ... | |
145 | 145 |
|
146 | 146 |
EOD; |
147 | 147 |
captiveportal_disconnect_client($_POST['logout_id']); |
148 |
|
|
148 | 149 |
} else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip, $radiusctx)) { |
149 |
/* radius functions handle everything so we exit here since we're done */
|
|
150 |
/* radius functions handle everything so we exit here since we're done */
|
|
150 | 151 |
|
151 | 152 |
} else if (portal_consume_passthrough_credit($clientmac)) { |
152 |
/* allow the client through if it had a pass-through credit for its MAC */
|
|
153 |
captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
|
|
154 |
portal_allow($clientip, $clientmac, "unauthenticated");
|
|
153 |
/* allow the client through if it had a pass-through credit for its MAC */
|
|
154 |
captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
|
|
155 |
portal_allow($clientip, $clientmac, "unauthenticated");
|
|
155 | 156 |
|
156 | 157 |
} else if (isset($config['voucher'][$cpzone]['enable']) && $_POST['accept'] && $_POST['auth_voucher']) { |
157 |
|
|
158 |
$voucher = trim($_POST['auth_voucher']); |
|
159 |
$timecredit = voucher_auth($voucher); |
|
160 |
// $timecredit contains either a credit in minutes or an error message |
|
161 |
if ($timecredit > 0) { // voucher is valid. Remaining minutes returned |
|
162 |
// if multiple vouchers given, use the first as username |
|
163 |
$a_vouchers = preg_split("/[\t\n\r ]+/s",$voucher); |
|
164 |
$voucher = $a_vouchers[0]; |
|
165 |
$attr = array( 'voucher' => 1, |
|
166 |
'session_timeout' => $timecredit*60, |
|
167 |
'session_terminate_time' => 0); |
|
168 |
if (portal_allow($clientip, $clientmac,$voucher,null,$attr)) { |
|
169 |
|
|
170 |
// YES: user is good for $timecredit minutes. |
|
171 |
captiveportal_logportalauth($voucher,$clientmac,$clientip,"Voucher login good for $timecredit min."); |
|
172 |
} else { |
|
173 |
portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg); |
|
174 |
} |
|
175 |
} else if (-1 == $timecredit) { // valid but expired |
|
176 |
captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE","voucher expired"); |
|
177 |
portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg); |
|
178 |
} else { |
|
179 |
captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE"); |
|
180 |
portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgnoaccess'] ? $config['voucher'][$cpzone]['msgnoaccess'] : $errormsg); |
|
181 |
} |
|
158 |
$voucher = trim($_POST['auth_voucher']); |
|
159 |
$timecredit = voucher_auth($voucher); |
|
160 |
// $timecredit contains either a credit in minutes or an error message |
|
161 |
if ($timecredit > 0) { // voucher is valid. Remaining minutes returned |
|
162 |
// if multiple vouchers given, use the first as username |
|
163 |
$a_vouchers = preg_split("/[\t\n\r ]+/s",$voucher); |
|
164 |
$voucher = $a_vouchers[0]; |
|
165 |
$attr = array( 'voucher' => 1, |
|
166 |
'session_timeout' => $timecredit*60, |
|
167 |
'session_terminate_time' => 0); |
|
168 |
if (portal_allow($clientip, $clientmac,$voucher,null,$attr)) { |
|
169 |
// YES: user is good for $timecredit minutes. |
|
170 |
captiveportal_logportalauth($voucher,$clientmac,$clientip,"Voucher login good for $timecredit min."); |
|
171 |
} else { |
|
172 |
portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg); |
|
173 |
} |
|
174 |
} else if (-1 == $timecredit) { // valid but expired |
|
175 |
captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE","voucher expired"); |
|
176 |
portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg); |
|
177 |
} else { |
|
178 |
captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE"); |
|
179 |
portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgnoaccess'] ? $config['voucher'][$cpzone]['msgnoaccess'] : $errormsg); |
|
180 |
} |
|
182 | 181 |
|
183 | 182 |
} else if ($_POST['accept'] && $radius_enable) { |
184 |
|
|
185 |
if (($_POST['auth_user'] && $_POST['auth_pass']) || ($_POST['auth_user2'] && $_POST['auth_pass2'])) { |
|
186 |
if (!empty($_POST['auth_user'])) { |
|
187 |
$user = $_POST['auth_user']; |
|
188 |
$paswd = $_POST['auth_pass']; |
|
189 |
} else if (!empty($_POST['auth_user2'])) { |
|
190 |
$user = $_POST['auth_user2']; |
|
191 |
$paswd = $_POST['auth_pass2']; |
|
192 |
} |
|
193 |
$auth_list = radius($user,$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx); |
|
194 |
$type = "error"; |
|
195 |
if (!empty($auth_list['url_redirection'])) { |
|
196 |
$redirurl = $auth_list['url_redirection']; |
|
197 |
$type = "redir"; |
|
183 |
if (($_POST['auth_user'] && $_POST['auth_pass']) || ($_POST['auth_user2'] && $_POST['auth_pass2'])) { |
|
184 |
if (!empty($_POST['auth_user'])) { |
|
185 |
$user = $_POST['auth_user']; |
|
186 |
$paswd = $_POST['auth_pass']; |
|
187 |
} else if (!empty($_POST['auth_user2'])) { |
|
188 |
$user = $_POST['auth_user2']; |
|
189 |
$paswd = $_POST['auth_pass2']; |
|
190 |
} |
|
191 |
$auth_list = radius($user,$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx); |
|
192 |
$type = "error"; |
|
193 |
if (!empty($auth_list['url_redirection'])) { |
|
194 |
$redirurl = $auth_list['url_redirection']; |
|
195 |
$type = "redir"; |
|
196 |
} |
|
197 |
|
|
198 |
if ($auth_list['auth_val'] == 1) { |
|
199 |
captiveportal_logportalauth($user,$clientmac,$clientip,"ERROR",$auth_list['error']); |
|
200 |
portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg); |
|
201 |
} else if ($auth_list['auth_val'] == 3) { |
|
202 |
captiveportal_logportalauth($user,$clientmac,$clientip,"FAILURE",$auth_list['reply_message']); |
|
203 |
portal_reply_page($redirurl, $type, $auth_list['reply_message'] ? $auth_list['reply_message'] : $errormsg); |
|
204 |
} |
|
205 |
} else { |
|
206 |
if (!empty($_POST['auth_user'])) |
|
207 |
$user = $_POST['auth_user']; |
|
208 |
else if (!empty($_POST['auth_user2'])) |
|
209 |
$user = $_POST['auth_user2']; |
|
210 |
else |
|
211 |
$user = 'unknown'; |
|
212 |
captiveportal_logportalauth($user ,$clientmac,$clientip,"ERROR"); |
|
213 |
portal_reply_page($redirurl, "error", $errormsg); |
|
198 | 214 |
} |
199 | 215 |
|
200 |
if ($auth_list['auth_val'] == 1) { |
|
201 |
captiveportal_logportalauth($user,$clientmac,$clientip,"ERROR",$auth_list['error']); |
|
202 |
portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg); |
|
203 |
} |
|
204 |
else if ($auth_list['auth_val'] == 3) { |
|
205 |
captiveportal_logportalauth($user,$clientmac,$clientip,"FAILURE",$auth_list['reply_message']); |
|
206 |
portal_reply_page($redirurl, $type, $auth_list['reply_message'] ? $auth_list['reply_message'] : $errormsg); |
|
207 |
} |
|
208 |
} else { |
|
209 |
if (!empty($_POST['auth_user'])) |
|
210 |
$user = $_POST['auth_user']; |
|
211 |
else if (!empty($_POST['auth_user2'])) |
|
212 |
$user = $_POST['auth_user2']; |
|
213 |
else |
|
214 |
$user = 'unknown'; |
|
215 |
captiveportal_logportalauth($user ,$clientmac,$clientip,"ERROR"); |
|
216 |
portal_reply_page($redirurl, "error", $errormsg); |
|
217 |
} |
|
218 |
|
|
219 | 216 |
} else if ($_POST['accept'] && $cpcfg['auth_method'] == "local") { |
220 |
|
|
221 |
if ($_POST['auth_user'] && $_POST['auth_pass']) { |
|
222 |
//check against local user manager |
|
223 |
$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']); |
|
224 |
if ($loginok){ |
|
225 |
captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN"); |
|
226 |
portal_allow($clientip, $clientmac,$_POST['auth_user']); |
|
227 |
} else { |
|
228 |
captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE"); |
|
217 |
if ($_POST['auth_user'] && $_POST['auth_pass']) { |
|
218 |
//check against local user manager |
|
219 |
$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']); |
|
220 |
if ($loginok){ |
|
221 |
captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN"); |
|
222 |
portal_allow($clientip, $clientmac,$_POST['auth_user']); |
|
223 |
} else { |
|
224 |
captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE"); |
|
225 |
portal_reply_page($redirurl, "error", $errormsg); |
|
226 |
} |
|
227 |
} else |
|
229 | 228 |
portal_reply_page($redirurl, "error", $errormsg); |
230 |
} |
|
231 |
} else |
|
232 |
portal_reply_page($redirurl, "error", $errormsg); |
|
229 |
|
|
233 | 230 |
} else if ($_POST['accept'] && $clientip && $cpcfg['auth_method'] == "none") { |
234 |
captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT"); |
|
235 |
portal_allow($clientip, $clientmac, "unauthenticated"); |
|
231 |
captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT"); |
|
232 |
portal_allow($clientip, $clientmac, "unauthenticated"); |
|
233 |
|
|
236 | 234 |
} else { |
237 |
/* display captive portal page */
|
|
238 |
portal_reply_page($redirurl, "login",null,$clientmac,$clientip);
|
|
235 |
/* display captive portal page */
|
|
236 |
portal_reply_page($redirurl, "login",null,$clientmac,$clientip);
|
|
239 | 237 |
} |
240 | 238 |
|
241 | 239 |
ob_flush(); |
242 | 240 |
|
243 |
?> |
|
241 |
?> |
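Review bot: The voucher branch (gutter lines 159–161) can fail open if `voucher_auth()` ever returns text, because the comment on line 160 says `$timecredit` holds "either a credit in minutes or an error message" while line 161 tests it with a loose `$timecredit > 0`. Under PHP's loose comparison, a message that starts with a digit is read as that number on older PHP versions, and on PHP 8 a non-numeric string is compared as text against "0", so most messages would compare greater and reach `portal_allow()`. `voucher_auth()` is not shown on this page, so its actual return type needs confirming. If it can return a string, the guard should be `if (is_numeric($timecredit) && $timecredit > 0) {`, with the same numeric check before the `-1 == $timecredit` test on the expired path.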
Update usr/local/captiveportal/index.php