<?php
/*
	$Id$
	part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2009	    Ermal Luçi
	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_MODULE:	captiveportal
*/
require_once("auth.inc");
require_once("functions.inc");
require_once("captiveportal.inc");
/* Default text handed to portal_reply_page() by the failure paths in this script. */
$errormsg = "Invalid credentials specified.";

/*
 * Response headers asking browsers and intermediaries not to cache the portal
 * response and to close the connection afterwards. The second element of each
 * pair is header()'s $replace flag: false appends the second Cache-Control
 * line instead of overwriting the first one.
 */
$cp_response_headers = array(
	array("Expires: 0", true),
	array("Cache-Control: no-store, no-cache, must-revalidate", true),
	array("Cache-Control: post-check=0, pre-check=0", false),
	array("Pragma: no-cache", true),
	array("Connection: close", true),
);
foreach ($cp_response_headers as $cp_response_header) {
	header($cp_response_header[0], $cp_response_header[1]);
}
/* Do not leave the helper variables behind in the global scope. */
unset($cp_response_headers, $cp_response_header);
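/* Only has an effect when this script is included from inside a function. */
global $cpzone, $cpzoneid;

/*
 * The zone name is supplied by the client. Only a string can be a zone key:
 * a missing parameter or an array (zone[]=...) is mapped to '' so that the
 * lookup below fails cleanly instead of raising an illegal-offset error.
 */
$cpzone = (isset($_REQUEST['zone']) && is_string($_REQUEST['zone'])) ? $_REQUEST['zone'] : '';

/*
 * A zone is accepted only when it is a key of the captive portal
 * configuration with a non-empty entry. Everything below relies on this
 * check having constrained $cpzone to a configured zone name.
 */
$cpcfg = isset($config['captiveportal'][$cpzone]) ? $config['captiveportal'][$cpzone] : null;
if (empty($cpcfg)) {
	/*
	 * htmlspecialchars() only neutralises HTML metacharacters.
	 * NOTE(review): confirm log_error() also strips CR/LF and other control
	 * characters, since the rejected zone value is client-controlled.
	 */
	log_error("Submission to captiveportal with unkown parameter zone: " . htmlspecialchars($cpzone));
	/*
	 * NOTE(review): this file has not assigned $redirurl yet at this point;
	 * unless an include sets it, null is passed here - confirm that
	 * portal_reply_page() copes with that.
	 */
	portal_reply_page($redirurl, "error", $errormsg);
	ob_flush();
	return;
}

$cpzoneid = $cpcfg['zoneid'];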
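/* Host header exactly as the client sent it; compared with the portal's own hostname further down. */
$orig_host = $_SERVER['HTTP_HOST'];
/* NOTE: IE 8/9 is buggy and that is why this is needed */
/*
 * redirurl is client-supplied. Anything that is not a string (absent
 * parameter, redirurl[]=... array) becomes "" rather than being passed to trim().
 */
$orig_request = (isset($_REQUEST['redirurl']) && is_string($_REQUEST['redirurl'])) ? trim($_REQUEST['redirurl'], " /") : "";
/* Peer address of the connection as reported by the web server, not a request header. */
$clientip = $_SERVER['REMOTE_ADDR'];

if (!$clientip) {
	/* not good - bail out */
	log_error("Zone: {$cpzone} - Captive portal could not determine client's IP address.");
	$error_message = "An error occurred.  Please check the system logs for more information.";
	/*
	 * Show the message prepared just above. The original passed $errormsg
	 * ("Invalid credentials specified.") and never read $error_message.
	 * NOTE(review): $redirurl has not been assigned by this file at this point.
	 */
	portal_reply_page($redirurl, "error", $error_message);
	ob_flush();
	return;
}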
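$ourhostname = portal_hostname_from_client_ip($clientip);
if ($orig_host != $ourhostname) {
	/* the client thinks it's connected to the desired web server, but instead
	   it's connected to us. Issue a redirect... */
	$protocol = (isset($cpcfg['httpslogin'])) ? 'https://' : 'http://';
	/*
	 * Every request-derived value is URL-encoded before it goes into the
	 * Location header: the zone name as well as the original host and path,
	 * so none of them can add or alter query parameters of the redirect.
	 * The original URL is always rebuilt with the http:// scheme.
	 */
	header("Location: {$protocol}{$ourhostname}/index.php?zone=" . urlencode($cpzone) . "&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));

	ob_flush();
	return;
}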
/*
 * Pick the URL the client is sent to afterwards, in order of precedence:
 *   1. the redirect URL configured for the zone,
 *   2. a redirurl= value nested inside the trimmed request parameter,
 *   3. the raw redirurl request parameter.
 * If none applies, $redirurl is left untouched.
 *
 * Sources 2 and 3 are controlled by the client.
 * NOTE(review): confirm that portal_reply_page() escapes this value for the
 * context it is written into and only follows http/https targets.
 */
if (!empty($cpcfg['redirurl'])) {
	$redirurl = $cpcfg['redirurl'];
} elseif (preg_match("/redirurl=(.*)/", $orig_request, $matches)) {
	$redirurl = urldecode($matches[1]);
} elseif ($_REQUEST['redirurl']) {
	$redirurl = $_REQUEST['redirurl'];
}
/* MAC filtering is on unless the zone sets 'nomacfilter'. */
$macfilter = !isset($cpcfg['nomacfilter']);
/* 'passthrumacadd' in the zone configuration also requires the client's MAC. */
$passthrumac = isset($cpcfg['passthrumacadd']);

/* find MAC address for client */
if ($macfilter || $passthrumac) {
	$tmpres = pfSense_ip_to_mac($clientip);
	if (is_array($tmpres)) {
		$clientmac = $tmpres['macaddr'];
		unset($tmpres);
	} else {
		/* unable to find MAC address - shouldn't happen! - bail out */
		captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
		/* The client only gets a generic message; the detail goes to the system log. */
		echo "An error occurred.  Please check the system logs for more information.";
		log_error("Zone: {$cpzone} - Captive portal could not determine client's MAC address.  Disable MAC address filtering in captive portal if you do not need this functionality.");
		ob_flush();
		return;
	}
}
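/* find out if we need RADIUS + RADIUSMAC or not */
/*
 * Both flags get an explicit value on every path. The original assigned them
 * only inside the if, so the dispatch further down read undefined variables
 * whenever the zone had no RADIUS database file.
 */
$radius_enable = FALSE;
$radmac_enable = FALSE;
/* $cpzone is a configured zone name here: unknown zones were rejected earlier in this script. */
if (file_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db")) {
	$radius_enable = TRUE;
	if (isset($cpcfg['radmac_enable']))
		$radmac_enable = TRUE;
}

/* find radius context */
/* 'second' is selected when the second username field of the form was filled in. */
$radiusctx = 'first';
if (!empty($_POST['auth_user2']))
	$radiusctx = 'second';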
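/*
 * Request dispatch. Exactly one branch runs, tested in this order:
 * logout, blocked MAC, RADIUS MAC authentication, pass-through credit,
 * voucher, RADIUS user login, local user login, no authentication, and
 * finally the login page itself.
 *
 * Form fields are tested with !empty(), which has the same truthiness as
 * reading them directly but raises no notice when a field is absent.
 */
if (!empty($_POST['logout_id'])) {
	echo <<<EOD
<HTML>
<HEAD><TITLE>Disconnecting...</TITLE></HEAD>
<BODY BGCOLOR="#435370">
<SPAN STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">
<B>You have been disconnected.</B>
</SPAN>
<SCRIPT LANGUAGE="JavaScript">
<!--
setTimeout('window.close();',5000) ;
-->
</SCRIPT>
</BODY>
</HTML>

EOD;
	/*
	 * logout_id is taken from the POST body and nothing in this file ties it
	 * to $clientip or $clientmac.
	 * NOTE(review): confirm that captiveportal_disconnect_client() only ends
	 * a session that belongs to the requesting client.
	 */
	captiveportal_disconnect_client($_POST['logout_id']);

} else if ($macfilter && $clientmac && captiveportal_blocked_mac($clientmac)) {
	/* Blocked MACs are rejected before any authentication method is tried. */
	captiveportal_logportalauth($clientmac,$clientmac,$clientip,"Blocked MAC address");
	if (!empty($cpcfg['blockedmacsurl']))
		portal_reply_page($cpcfg['blockedmacsurl'], "redir");
	else
		portal_reply_page($redirurl, "error", "This MAC address has been blocked");

} else if ($clientmac && !empty($radmac_enable) && portal_mac_radius($clientmac,$clientip, $radiusctx)) {
	/* radius functions handle everything so we exit here since we're done */

} else if (portal_consume_passthrough_credit($clientmac)) {
	/* allow the client through if it had a pass-through credit for its MAC */
	captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
	portal_allow($clientip, $clientmac, "unauthenticated");

} else if (isset($config['voucher'][$cpzone]['enable']) && !empty($_POST['accept']) && !empty($_POST['auth_voucher'])) {
	$voucher = trim($_POST['auth_voucher']);
	$timecredit = voucher_auth($voucher);
	// $timecredit contains either a credit in minutes or an error message
	/*
	 * Only a numeric, positive result is treated as a valid voucher. How a
	 * non-numeric string compares with 0 depends on the PHP version, so an
	 * error message must never reach the "> 0" test.
	 * NOTE(review): voucher_auth() is not visible here; confirm it returns a
	 * number (or numeric string) on success.
	 */
	if (is_numeric($timecredit) && $timecredit > 0) {  // voucher is valid. Remaining minutes returned
		// if multiple vouchers given, use the first as username
		$a_vouchers = preg_split("/[\t\n\r ]+/s",$voucher);
		$voucher = $a_vouchers[0];
		$attr = array( 'voucher' => 1,
				'session_timeout' => $timecredit*60,
				'session_terminate_time' => 0);
		if (portal_allow($clientip, $clientmac,$voucher,null,$attr)) {
			// YES: user is good for $timecredit minutes.
			captiveportal_logportalauth($voucher,$clientmac,$clientip,"Voucher login good for $timecredit min.");
		} else {
			portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg);
		}
	} else if (-1 == $timecredit) {  // valid but expired
		captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE","voucher expired");
		portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgexpired'] ? $config['voucher'][$cpzone]['msgexpired']: $errormsg);
	} else {
		captiveportal_logportalauth($voucher,$clientmac,$clientip,"FAILURE");
		portal_reply_page($redirurl, "error", $config['voucher'][$cpzone]['msgnoaccess'] ? $config['voucher'][$cpzone]['msgnoaccess'] : $errormsg);
	}

} else if (!empty($_POST['accept']) && !empty($radius_enable)) {
	if ((!empty($_POST['auth_user']) && isset($_POST['auth_pass'])) || (!empty($_POST['auth_user2']) && isset($_POST['auth_pass2']))) {
		/* The first username/password pair wins when both are submitted. */
		if (!empty($_POST['auth_user'])) {
			$user = $_POST['auth_user'];
			$paswd = $_POST['auth_pass'];
		} else if (!empty($_POST['auth_user2'])) {
			$user = $_POST['auth_user2'];
			$paswd = $_POST['auth_pass2'];
		}
		$auth_list = radius($user,$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx);
		$type = "error";
		/* A redirect URL returned in the RADIUS result replaces $redirurl. */
		if (!empty($auth_list['url_redirection'])) {
			$redirurl = $auth_list['url_redirection'];
			$type = "redir";
		}

		/*
		 * Only auth_val 1 (logged as ERROR) and 3 (logged as FAILURE) are
		 * handled here. NOTE(review): a successful login is presumably
		 * completed inside radius() - confirm.
		 */
		if ($auth_list['auth_val'] == 1) {
			captiveportal_logportalauth($user,$clientmac,$clientip,"ERROR",$auth_list['error']);
			portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg);
		} else if ($auth_list['auth_val'] == 3) {
			captiveportal_logportalauth($user,$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);
			portal_reply_page($redirurl, $type, $auth_list['reply_message'] ? $auth_list['reply_message'] : $errormsg);
		}
	} else {
		/* Incomplete credentials: log the attempt under whatever name was supplied. */
		if (!empty($_POST['auth_user']))
			$user = $_POST['auth_user'];
		else if (!empty($_POST['auth_user2']))
			$user = $_POST['auth_user2'];
		else
			$user = 'unknown';
		captiveportal_logportalauth($user ,$clientmac,$clientip,"ERROR");
		portal_reply_page($redirurl, "error", $errormsg);
	}

} else if (!empty($_POST['accept']) && $cpcfg['auth_method'] == "local") {
	if (!empty($_POST['auth_user']) && !empty($_POST['auth_pass'])) {
		//check against local user manager
		$loginok = local_backed($_POST['auth_user'], $_POST['auth_pass']);

		/* With 'localauth_priv' set, a valid password is not enough: the account also needs the portal login privilege. */
		if ($loginok && isset($cpcfg['localauth_priv']))
			$loginok = userHasPrivilege(getUserEntry($_POST['auth_user']), "user-services-captiveportal-login");

		if ($loginok){
			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
			portal_allow($clientip, $clientmac,$_POST['auth_user']);
		} else {
			/* Same generic message whether the password or the privilege check failed. */
			captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
			portal_reply_page($redirurl, "error", $errormsg);
		}
	} else
		portal_reply_page($redirurl, "error", $errormsg);

} else if (!empty($_POST['accept']) && $clientip && $cpcfg['auth_method'] == "none") {
	/* Zone configured without authentication: accepting the page is sufficient. */
	captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
	portal_allow($clientip, $clientmac, "unauthenticated");

} else {
	/* display captive portal page */
	portal_reply_page($redirurl, "login",null,$clientmac,$clientip);
}

ob_flush();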
?>