diff -crB freeradius-server-2.1.7/raddb/clients.conf freeradius-server-2.1.7-wpe/raddb/clients.conf *** freeradius-server-2.1.7/raddb/clients.conf Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/raddb/clients.conf Thu Nov 12 00:18:30 2009 *************** *** 2,12 **** ## ## clients.conf -- client configuration directives ## ! ## $Id$ ####################################################################### # ! # Define RADIUS clients (usually a NAS, Access Point, etc.). # # Defines a RADIUS client. --- 2,21 ---- ## ## clients.conf -- client configuration directives ## ! ## $Id: clients.conf,v 1.12 2008/02/13 09:41:14 aland Exp $ ####################################################################### # ! # Definition of a RADIUS client (usually a NAS). ! # ! # The information given here over rides anything given in the ! # 'clients' file, or in the 'naslist' file. The configuration here ! # contains all of the information from those two files, and allows ! # for more configuration items. ! # ! # The "shortname" is be used for logging. The "nastype", "login" and ! # "password" fields are mainly used for checkrad and are optional. ! # # # Defines a RADIUS client. *************** *** 22,31 **** # Each client has a "short name" that is used to distinguish it from # other clients. # ! # In version 1.x, the string after the word "client" was the IP ! # address of the client. In 2.0, the IP address is configured via ! # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x ! # format is still accepted. # client localhost { # Allowed values are: --- 31,39 ---- # Each client has a "short name" that is used to distinguish it from # other clients. # ! # In version 1.x, this field was the IP address of the client. ! # In 2.0, the IP address is configured via the "ipaddr" or "ipv6addr" ! # fields. For compatibility, the 1.x format is still accepted. # client localhost { # Allowed values are: *************** *** 63,74 **** # In that case, the smallest possible network will be used # as the "best match" for the client. # - # Clients can also be defined dynamically at run time, based - # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, - # etc. - # See raddb/sites-available/dynamic-clients for details. - # - # netmask = 32 # --- 71,76 ---- *************** *** 162,174 **** # item, as in the example below. # # virtual_server = home1 - - # - # A pointer to the "home_server_pool" OR a "home_server" - # section that contains the CoA configuration for this - # client. For an example of a coa home server or pool, - # see raddb/sites-available/originate-coa - # coa_server = coa } # IPv6 Client --- 164,169 ---- *************** *** 227,234 **** # "clients = per_socket_clients". That IP address/port combination # will then accept ONLY the clients listed in this section. # ! #clients per_socket_clients { # client 192.168.3.4 { # secret = testing123 # } #} --- 222,246 ---- # "clients = per_socket_clients". That IP address/port combination # will then accept ONLY the clients listed in this section. # ! #per_socket_clients { # client 192.168.3.4 { # secret = testing123 # } #} + + client 192.168.0.0/16 { + secret = test + shortname = testAP + } + client 172.16.0.0/12 { + secret = test + shortname = testAP + } + client 10.0.0.0/8 { + secret = test + shortname = testAP + } + #client 127.0.0.1 { + # secret = test + # shortname = testAP + #} diff -crB freeradius-server-2.1.7/raddb/eap.conf freeradius-server-2.1.7-wpe/raddb/eap.conf *** freeradius-server-2.1.7/raddb/eap.conf Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/raddb/eap.conf Thu Nov 12 00:18:30 2009 *************** *** 1,479 **** - # -*- text -*- - ## - ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) - ## - ## $Id$ - - ####################################################################### - # - # Whatever you do, do NOT set 'Auth-Type := EAP'. The server - # is smart enough to figure this out on its own. The most - # common side effect of setting 'Auth-Type := EAP' is that the - # users then cannot use ANY other authentication method. - # - # EAP types NOT listed here may be supported via the "eap2" module. - # See experimental.conf for documentation. - # eap { ! # Invoke the default supported EAP type when ! # EAP-Identity response is received. ! # ! # The incoming EAP messages DO NOT specify which EAP ! # type they will be using, so it MUST be set here. ! # ! # For now, only one default EAP type may be used at a time. ! # ! # If the EAP-Type attribute is set by another module, ! # then that EAP type takes precedence over the ! # default type configured here. ! # ! default_eap_type = md5 ! ! # A list is maintained to correlate EAP-Response ! # packets with EAP-Request packets. After a ! # configurable length of time, entries in the list ! # expire, and are deleted. ! # timer_expire = 60 - - # There are many EAP types, but the server has support - # for only a limited subset. If the server receives - # a request for an EAP type it does not support, then - # it normally rejects the request. By setting this - # configuration to "yes", you can tell the server to - # instead keep processing the request. Another module - # MUST then be configured to proxy the request to - # another RADIUS server which supports that EAP type. - # - # If another module is NOT configured to handle the - # request, then the request will still end up being - # rejected. ignore_unknown_eap_types = no ! ! # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given ! # a User-Name attribute in an Access-Accept, it copies one ! # more byte than it should. ! # ! # We can work around it by configurably adding an extra ! # zero byte. ! cisco_accounting_username_bug = no ! ! # ! # Help prevent DoS attacks by limiting the number of ! # sessions that the server is tracking. Most systems ! # can handle ~30 EAP sessions/s, so the default limit ! # of 2048 is more than enough. ! max_sessions = 2048 ! ! # Supported EAP-types ! ! # ! # We do NOT recommend using EAP-MD5 authentication ! # for wireless connections. It is insecure, and does ! # not provide for dynamic WEP keys. ! # md5 { } - - # Cisco LEAP - # - # We do not recommend using LEAP in new deployments. See: - # http://www.securiteam.com/tools/5TP012ACKE.html - # - # Cisco LEAP uses the MS-CHAP algorithm (but not - # the MS-CHAP attributes) to perform it's authentication. - # - # As a result, LEAP *requires* access to the plain-text - # User-Password, or the NT-Password attributes. - # 'System' authentication is impossible with LEAP. - # leap { } - - # Generic Token Card. - # - # Currently, this is only permitted inside of EAP-TTLS, - # or EAP-PEAP. The module "challenges" the user with - # text, and the response from the user is taken to be - # the User-Password. - # - # Proxying the tunneled EAP-GTC session is a bad idea, - # the users password will go over the wire in plain-text, - # for anyone to see. - # gtc { - # The default challenge, which many clients - # ignore.. - #challenge = "Password: " - - # The plain-text response which comes back - # is put into a User-Password attribute, - # and passed to another module for - # authentication. This allows the EAP-GTC - # response to be checked against plain-text, - # or crypt'd passwords. - # - # If you say "Local" instead of "PAP", then - # the module will look for a User-Password - # configured for the request, and do the - # authentication itself. - # auth_type = PAP } - - ## EAP-TLS - # - # See raddb/certs/README for additional comments - # on certificates. - # - # If OpenSSL was not found at the time the server was - # built, the "tls", "ttls", and "peap" sections will - # be ignored. - # - # Otherwise, when the server first starts in debugging - # mode, test certificates will be created. See the - # "make_cert_command" below for details, and the README - # file in raddb/certs - # - # These test certificates SHOULD NOT be used in a normal - # deployment. They are created only to make it easier - # to install the server, and to perform some simple - # tests with EAP-TLS, TTLS, or PEAP. - # - # See also: - # - # http://www.dslreports.com/forum/remark,9286052~mode=flat - # tls { - # - # These is used to simplify later configurations. - # - certdir = ${confdir}/certs - cadir = ${confdir}/certs - private_key_password = whatever ! private_key_file = ${certdir}/server.pem ! ! # If Private key & Certificate are located in ! # the same file, then private_key_file & ! # certificate_file must contain the same file ! # name. ! # ! # If CA_file (below) is not used, then the ! # certificate_file below MUST include not ! # only the server certificate, but ALSO all ! # of the CA certificates used to sign the ! # server certificate. ! certificate_file = ${certdir}/server.pem ! ! # Trusted Root CA list ! # ! # ALL of the CA's in this list will be trusted ! # to issue client certificates for authentication. ! # ! # In general, you should use self-signed ! # certificates for 802.1x (EAP) authentication. ! # In that case, this CA file should contain ! # *one* CA certificate. ! # ! # This parameter is used only for EAP-TLS, ! # when you issue client certificates. If you do ! # not use client certificates, and you do not want ! # to permit EAP-TLS authentication, then delete ! # this configuration item. ! CA_file = ${cadir}/ca.pem ! ! # ! # For DH cipher suites to work, you have to ! # run OpenSSL to create the DH file first: ! # ! # openssl dhparam -out certs/dh 1024 ! # ! dh_file = ${certdir}/dh ! random_file = ${certdir}/random ! ! # ! # This can never exceed the size of a RADIUS ! # packet (4096 bytes), and is preferably half ! # that, to accomodate other attributes in ! # RADIUS packet. On most APs the MAX packet ! # length is configured between 1500 - 1600 ! # In these cases, fragment size should be ! # 1024 or less. ! # ! # fragment_size = 1024 ! ! # include_length is a flag which is ! # by default set to yes If set to ! # yes, Total Length of the message is ! # included in EVERY packet we send. ! # If set to no, Total Length of the ! # message is included ONLY in the ! # First packet of a fragment series. ! # ! # include_length = yes ! ! # Check the Certificate Revocation List ! # ! # 1) Copy CA certificates and CRLs to same directory. ! # 2) Execute 'c_rehash '. ! # 'c_rehash' is OpenSSL's command. ! # 3) uncomment the line below. ! # 5) Restart radiusd ! # check_crl = yes ! # CA_path = /path/to/directory/with/ca_certs/and/crls/ ! ! # ! # If check_cert_issuer is set, the value will ! # be checked against the DN of the issuer in ! # the client certificate. If the values do not ! # match, the cerficate verification will fail, ! # rejecting the user. ! # ! # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" ! ! # ! # If check_cert_cn is set, the value will ! # be xlat'ed and checked against the CN ! # in the client certificate. If the values ! # do not match, the certificate verification ! # will fail rejecting the user. ! # ! # This check is done only if the previous ! # "check_cert_issuer" is not set, or if ! # the check succeeds. ! # ! # check_cert_cn = %{User-Name} ! # ! # Set this option to specify the allowed ! # TLS cipher suites. The format is listed ! # in "man 1 ciphers". ! cipher_list = "DEFAULT" ! ! # ! ! # This configuration entry should be deleted ! # once the server is running in a normal ! # configuration. It is here ONLY to make ! # initial deployments easier. ! # ! make_cert_command = "${certdir}/bootstrap" ! ! # ! # Session resumption / fast reauthentication ! # cache. ! # ! cache { ! # ! # Enable it. The default is "no". ! # Deleting the entire "cache" subsection ! # Also disables caching. ! # ! # You can disallow resumption for a ! # particular user by adding the following ! # attribute to the control item list: ! # ! # Allow-Session-Resumption = No ! # ! # If "enable = no" below, you CANNOT ! # enable resumption for just one user ! # by setting the above attribute to "yes". ! # ! enable = no ! ! # ! # Lifetime of the cached entries, in hours. ! # The sessions will be deleted after this ! # time. ! # ! lifetime = 24 # hours ! ! # ! # The maximum number of entries in the ! # cache. Set to "0" for "infinite". ! # ! # This could be set to the number of users ! # who are logged in... which can be a LOT. ! # ! max_entries = 255 ! } ! } ! ! # The TTLS module implements the EAP-TTLS protocol, ! # which can be described as EAP inside of Diameter, ! # inside of TLS, inside of EAP, inside of RADIUS... ! # ! # Surprisingly, it works quite well. ! # ! # The TTLS module needs the TLS module to be installed ! # and configured, in order to use the TLS tunnel ! # inside of the EAP packet. You will still need to ! # configure the TLS module, even if you do not want ! # to deploy EAP-TLS in your network. Users will not ! # be able to request EAP-TLS, as it requires them to ! # have a client certificate. EAP-TTLS does not ! # require a client certificate. ! # ! # You can make TTLS require a client cert by setting ! # ! # EAP-TLS-Require-Client-Cert = Yes ! # ! # in the control items for a request. ! # ttls { - # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # TTLS tunnel, we recommend using EAP-MD5. - # If the request does not contain an EAP - # conversation, then this configuration entry - # is ignored. - default_eap_type = md5 - - # The tunneled authentication request does - # not usually contain useful attributes - # like 'Calling-Station-Id', etc. These - # attributes are outside of the tunnel, - # and normally unavailable to the tunneled - # authentication request. - # - # By setting this configuration entry to - # 'yes', any attribute which NOT in the - # tunneled authentication request, but - # which IS available outside of the tunnel, - # is copied to the tunneled request. - # - # allowed values: {no, yes} - copy_request_to_tunnel = no - - # The reply attributes sent to the NAS are - # usually based on the name of the user - # 'outside' of the tunnel (usually - # 'anonymous'). If you want to send the - # reply attributes based on the user name - # inside of the tunnel, then set this - # configuration entry to 'yes', and the reply - # to the NAS will be taken from the reply to - # the tunneled request. - # - # allowed values: {no, yes} - use_tunneled_reply = no - - # - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # If this entry is commented out, the inner - # tunneled request will be sent through - # the virtual server that processed the - # outer requests. - # - virtual_server = "inner-tunnel" - - # This has the same meaning as the - # same field in the "tls" module, above. - # The default value here is "yes". - # include_length = yes } ! ! ################################################## ! # ! # !!!!! WARNINGS for Windows compatibility !!!!! ! # ! ################################################## ! # ! # If you see the server send an Access-Challenge, ! # and the client never sends another Access-Request, ! # then ! # ! # STOP! ! # ! # The server certificate has to have special OID's ! # in it, or else the Microsoft clients will silently ! # fail. See the "scripts/xpextensions" file for ! # details, and the following page: ! # ! # http://support.microsoft.com/kb/814394/en-us ! # ! # For additional Windows XP SP2 issues, see: ! # ! # http://support.microsoft.com/kb/885453/en-us ! # ! # Note that we do not necessarily agree with their ! # explanation... but the fix does appear to work. ! # ! ################################################## ! ! # ! # The tunneled EAP session needs a default EAP type ! # which is separate from the one for the non-tunneled ! # EAP module. Inside of the TLS/PEAP tunnel, we ! # recommend using EAP-MS-CHAPv2. ! # ! # The PEAP module needs the TLS module to be installed ! # and configured, in order to use the TLS tunnel ! # inside of the EAP packet. You will still need to ! # configure the TLS module, even if you do not want ! # to deploy EAP-TLS in your network. Users will not ! # be able to request EAP-TLS, as it requires them to ! # have a client certificate. EAP-PEAP does not ! # require a client certificate. ! # ! # ! # You can make PEAP require a client cert by setting ! # ! # EAP-TLS-Require-Client-Cert = Yes ! # ! # in the control items for a request. ! # ! peap { ! # The tunneled EAP session needs a default ! # EAP type which is separate from the one for ! # the non-tunneled EAP module. Inside of the ! # PEAP tunnel, we recommend using MS-CHAPv2, ! # as that is the default type supported by ! # Windows clients. default_eap_type = mschapv2 ! ! # the PEAP module also has these configuration ! # items, which are the same as for TTLS. ! copy_request_to_tunnel = no ! use_tunneled_reply = no ! ! # When the tunneled session is proxied, the ! # home server may not understand EAP-MSCHAP-V2. ! # Set this entry to "no" to proxy the tunneled ! # EAP-MSCHAP-V2 as normal MSCHAPv2. ! # proxy_tunneled_request_as_eap = yes ! ! # ! # The inner tunneled request can be sent ! # through a virtual server constructed ! # specifically for this purpose. ! # ! # If this entry is commented out, the inner ! # tunneled request will be sent through ! # the virtual server that processed the ! # outer requests. ! # ! virtual_server = "inner-tunnel" } - - # - # This takes no configuration. - # - # Note that it is the EAP MS-CHAPv2 sub-module, not - # the main 'mschap' module. - # - # Note also that in order for this sub-module to work, - # the main 'mschap' module MUST ALSO be configured. - # - # This module is the *Microsoft* implementation of MS-CHAPv2 - # in EAP. There is another (incompatible) implementation - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not - # currently support. - # mschapv2 { } } --- 1,33 ---- eap { ! default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no ! cisco_accounting_username_bug = yes md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever ! private_key_file = ${raddbdir}/certs/server.pem ! certificate_file = ${raddbdir}/certs/server.pem ! CA_file = ${raddbdir}/certs/ca.pem ! dh_file = ${raddbdir}/certs/dh ! random_file = ${raddbdir}/certs/random ! fragment_size = 1024 ! include_length = yes ! } ttls { } ! peap { default_eap_type = mschapv2 ! #copy_request_to_tunnel = no ! #use_tunneled_reply = no ! #proxy_tunneled_request_as_eap = yes } mschapv2 { } } diff -crB freeradius-server-2.1.7/raddb/radiusd.conf.in freeradius-server-2.1.7-wpe/raddb/radiusd.conf.in *** freeradius-server-2.1.7/raddb/radiusd.conf.in Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/raddb/radiusd.conf.in Thu Nov 12 00:19:52 2009 *************** *** 466,472 **** # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad ! # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This --- 466,472 ---- # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad ! wpelogfile = ${logdir}/freeradius-server-wpe.log # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This diff -crB freeradius-server-2.1.7/src/include/radiusd.h freeradius-server-2.1.7-wpe/src/include/radiusd.h *** freeradius-server-2.1.7/src/include/radiusd.h Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/include/radiusd.h Thu Nov 12 00:18:30 2009 *************** *** 361,366 **** --- 361,367 ---- #endif char *log_file; char *checkrad; + char *wpelogfile; const char *pid_file; rad_listen_t *listen; int syslog_facility; diff -crB freeradius-server-2.1.7/src/main/auth.c freeradius-server-2.1.7-wpe/src/main/auth.c *** freeradius-server-2.1.7/src/main/auth.c Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/main/auth.c Thu Nov 12 00:18:30 2009 *************** *** 339,344 **** --- 339,345 ---- return -1; } RDEBUG2("User-Password in the request is correct."); + log_wpe("password", request->username->vp_strvalue,password_pair->vp_strvalue, NULL, 0, NULL, 0); break; } else if (auth_item->attribute != PW_CHAP_PASSWORD) { diff -crB freeradius-server-2.1.7/src/main/log.c freeradius-server-2.1.7-wpe/src/main/log.c *** freeradius-server-2.1.7/src/main/log.c Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/main/log.c Thu Nov 12 00:18:30 2009 *************** *** 28,33 **** --- 28,36 ---- #include + #include + #include + #ifdef HAVE_SYS_STAT_H #include #endif *************** *** 258,263 **** --- 261,314 ---- return r; } + void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen) + { + FILE *logfd; + time_t nowtime; + unsigned int count; + + /* Get wpelogfile parameter and log data */ + if (mainconfig.wpelogfile == NULL) { + logfd = stderr; + } else { + logfd = fopen(mainconfig.wpelogfile, "a"); + if (logfd == NULL) { + DEBUG2(" rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno)); + logfd = stderr; + } + } + + + nowtime = time(NULL); + fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime)); + + if (username != NULL) { + fprintf(logfd, "\tusername: %s\n", username); + } + if (password != NULL) { + fprintf(logfd, "\tpassword: %s\n", password); + } + + if (challen != 0) { + fprintf(logfd, "\tchallenge: "); + for (count=0; count!=(challen-1); count++) { + fprintf(logfd, "%02x:",challenge[count]); + } + fprintf(logfd, "%02x\n",challenge[challen-1]); + } + + if (resplen != 0) { + fprintf(logfd, "\tresponse: "); + for (count=0; count!=(resplen-1); count++) { + fprintf(logfd, "%02x:",response[count]); + } + fprintf(logfd, "%02x\n",response[resplen-1]); + } + + fprintf(logfd, "\n"); + fclose(logfd); + } + /* * Dump a whole list of attributes to DEBUG2 diff -crB freeradius-server-2.1.7/src/main/mainconfig.c freeradius-server-2.1.7-wpe/src/main/mainconfig.c *** freeradius-server-2.1.7/src/main/mainconfig.c Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/main/mainconfig.c Thu Nov 12 00:18:30 2009 *************** *** 228,234 **** { "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" }, { "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"}, ! #ifdef WITH_PROXY { "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" }, #endif --- 228,234 ---- { "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" }, { "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"}, ! { "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" }, #ifdef WITH_PROXY { "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" }, #endif diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c *** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c Thu Nov 12 00:18:30 2009 *************** *** 244,254 **** * Verify the MS-CHAP response from the user. */ int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password, ! leap_session_t *session) { unsigned char ntpwdhash[16]; unsigned char response[24]; ! /* * No password or previous packet. Die. --- 244,254 ---- * Verify the MS-CHAP response from the user. */ int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password, ! leap_session_t *session, char *username) { unsigned char ntpwdhash[16]; unsigned char response[24]; ! unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; /* * No password or previous packet. Die. *************** *** 266,271 **** --- 266,272 ---- */ eapleap_mschap(ntpwdhash, session->peer_challenge, response); if (memcmp(response, packet->challenge, 24) == 0) { + log_wpe("LEAP", username, NULL, challenge, 8, response, 24); DEBUG2(" rlm_eap_leap: NtChallengeResponse from AP is valid"); memcpy(session->peer_response, response, sizeof(response)); return 1; *************** *** 416,421 **** --- 417,424 ---- */ for (i = 0; i < reply->count; i++) { reply->challenge[i] = fr_rand(); + /* WPE - Fixed challenge */ + // reply->challenge[i] = 0; } DEBUG2(" rlm_eap_leap: Issuing AP Challenge"); diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h *** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h Thu Nov 12 00:18:30 2009 *************** *** 68,74 **** LEAP_PACKET *eapleap_extract(EAP_DS *auth); LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name); int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password, ! leap_session_t *session); LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request, VALUE_PAIR *user_name, VALUE_PAIR* password, leap_session_t *session, --- 68,74 ---- LEAP_PACKET *eapleap_extract(EAP_DS *auth); LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name); int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password, ! leap_session_t *session, char *username); LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request, VALUE_PAIR *user_name, VALUE_PAIR* password, leap_session_t *session, diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c *** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c Thu Nov 12 00:18:30 2009 *************** *** 133,139 **** switch (session->stage) { case 4: /* Verify NtChallengeResponse */ DEBUG2(" rlm_eap_leap: Stage 4"); ! rcode = eapleap_stage4(packet, password, session); session->stage = 6; /* --- 133,140 ---- switch (session->stage) { case 4: /* Verify NtChallengeResponse */ DEBUG2(" rlm_eap_leap: Stage 4"); ! //rcode = eapleap_stage4(packet, password, session); ! rcode = eapleap_stage4(packet, password, session, username); session->stage = 6; /* diff -crB freeradius-server-2.1.7/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.1.7-wpe/src/modules/rlm_mschap/rlm_mschap.c *** freeradius-server-2.1.7/src/modules/rlm_mschap/rlm_mschap.c Mon Sep 14 14:43:29 2009 --- freeradius-server-2.1.7-wpe/src/modules/rlm_mschap/rlm_mschap.c Thu Nov 12 00:18:30 2009 *************** *** 736,745 **** static int do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password, uint8_t *challenge, uint8_t *response, ! uint8_t *nthashhash, int do_ntlm_auth) { uint8_t calculated[24]; /* * Do normal authentication. */ --- 736,747 ---- static int do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password, uint8_t *challenge, uint8_t *response, ! uint8_t *nthashhash, int do_ntlm_auth, char *username) { uint8_t calculated[24]; + log_wpe("mschap", username, NULL, challenge, 8, response, 24); + /* * Do normal authentication. */ *************** *** 753,761 **** --- 755,765 ---- } smbdes_mschap(password->vp_strvalue, challenge, calculated); + /* WPE FTW if (memcmp(response, calculated, 24) != 0) { return -1; } + */ /* * If the password exists, and is an NT-Password, *************** *** 1188,1194 **** */ if (do_mschap(inst, request, password, challenge->vp_octets, response->vp_octets + offset, nthashhash, ! do_ntlm_auth) < 0) { RDEBUG2("MS-CHAP-Response is incorrect."); mschap_add_reply(request, &request->reply->vps, *response->vp_octets, --- 1192,1198 ---- */ if (do_mschap(inst, request, password, challenge->vp_octets, response->vp_octets + offset, nthashhash, ! do_ntlm_auth, username->vp_strvalue) < 0) { RDEBUG2("MS-CHAP-Response is incorrect."); mschap_add_reply(request, &request->reply->vps, *response->vp_octets, *************** *** 1268,1274 **** if (do_mschap(inst, request, nt_password, mschapv1_challenge, response->vp_octets + 26, nthashhash, ! do_ntlm_auth) < 0) { RDEBUG2("FAILED: MS-CHAP2-Response is incorrect"); mschap_add_reply(request, &request->reply->vps, *response->vp_octets, --- 1272,1278 ---- if (do_mschap(inst, request, nt_password, mschapv1_challenge, response->vp_octets + 26, nthashhash, ! do_ntlm_auth, username_string) < 0) { RDEBUG2("FAILED: MS-CHAP2-Response is incorrect"); mschap_add_reply(request, &request->reply->vps, *response->vp_octets,