Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Access-Request
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17 #include "eap_radius_plugin.h"
18 #include "eap_radius_forward.h"
19 #include "eap_radius_provider.h"
20
21 #include <radius_message.h>
22 #include <radius_client.h>
23
24 #include <daemon.h>
25
typedef struct private_eap_radius_t private_eap_radius_t;

/**
 * Private data of an eap_radius_t object.
 *
 * One instance proxies a single EAP conversation between an IKE peer and
 * the RADIUS server. The EAP method type is not known up front: it is taken
 * from the first EAP packet the server sends back (see radius2ike()).
 */
struct private_eap_radius_t {

	/**
	 * Public eap_radius_t interface.
	 */
	eap_radius_t public;

	/**
	 * ID of the server (cloned in the constructor, destroyed with us)
	 */
	identification_t *server;

	/**
	 * ID of the peer (cloned in the constructor, destroyed with us); its
	 * encoding is sent as User-Name and as EAP-Identity, after id_prefix
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying; EAP_RADIUS until the RADIUS server
	 * has selected a method
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any
	 */
	u_int32_t vendor;

	/**
	 * EAP message identifier
	 */
	u_int8_t identifier;

	/**
	 * RADIUS client instance (owned, destroyed with us)
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity (string from lib->settings, we do
	 * not free it)
	 */
	char *id_prefix;

	/**
	 * Handle the Class attribute as group membership information?
	 */
	bool class_group;

	/**
	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
	 */
	bool filter_id;
};
88
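/**
 * Add an EAP-Identity Response to a RADIUS request as EAP-Message attribute(s)
 *
 * The identity is the configured id_prefix followed by the encoding of the
 * peer identity. The resulting EAP packet is split into pieces of at most
 * MAX_RADIUS_ATTRIBUTE_SIZE, the same way process() fragments EAP packets
 * received from the peer. If the packet does not fit the 16-bit EAP length
 * field, nothing is added to the request.
 *
 * @param this		method instance providing peer identity and prefix
 * @param request	RADIUS Access-Request to add the attribute(s) to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, data;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;
	if (len > 0xffff)
	{	/* the EAP length field is 16 bit and the peer identity is remote
		 * input, so refuse to build a packet we cannot encode correctly */
		DBG1(DBG_IKE, "EAP-Identity of %zu bytes too long, not sending", len);
		return;
	}
	/* the size is derived from the peer identity, so allocate on the heap
	 * rather than with alloca() */
	hdr = malloc(len);
	if (!hdr)
	{
		return;
	}
	hdr->code = EAP_RESPONSE;
	hdr->identifier = this->identifier;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* split into RADIUS-sized EAP-Message attributes; request->add() copies
	 * the data, so hdr can be released afterwards */
	data = chunk_create((u_char*)hdr, len);
	while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, data);
	free(hdr);
}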
124
/**
 * Build an EAP payload from the EAP-Message attribute(s) of a RADIUS message
 *
 * All non-empty EAP-Message attributes are concatenated in the order they
 * appear, since a single EAP packet may be split over several attributes.
 * The EAP type and vendor found in the assembled packet become the method
 * type we proxy from now on.
 *
 * @param this		method instance, its type/vendor get updated
 * @param msg		RADIUS message received from the server
 * @param out		receives the newly created EAP payload on success
 * @return			TRUE if a payload was created, FALSE if the message
 *					carried no EAP-Message data
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *attrs;
	eap_payload_t *payload;
	chunk_t attr, packet = chunk_empty;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &attr))
	{
		if (attr_type != RAT_EAP_MESSAGE || !attr.len)
		{
			continue;
		}
		packet = chunk_cat("mc", packet, attr);
	}
	attrs->destroy(attrs);

	if (!packet.len)
	{
		return FALSE;
	}
	payload = eap_payload_create_data(packet);
	*out = payload;
	/* apply EAP method selected by RADIUS server */
	this->type = payload->get_type(payload, &this->vendor);
	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &packet);
	free(packet.ptr);
	return TRUE;
}
158
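/**
 * Add the standard set of RADIUS attributes to an Access-Request
 *
 * Adds User-Name (id_prefix + peer identity), NAS-Port-Type and
 * Service-Type. If an IKE_SA is available on the bus, NAS-Port and
 * NAS-Port-Id (IKE_SA unique ID and name), NAS-IP-Address or
 * NAS-IPv6-Address (our address), Called-Station-Id (our endpoint) and
 * Calling-Station-Id (the peer's endpoint) are added as well. Finally the
 * forward plugin gets a chance to add attributes received from the peer.
 *
 * @param this		method instance providing the peer identity
 * @param request	Access-Request to add attributes to
 */
static void add_radius_request_attrs(private_eap_radius_t *this,
									 radius_message_t *request)
{
	/* RADIUS attribute values as assigned in RFC 2865 */
	enum {
		NAS_PORT_TYPE_VIRTUAL = 5,
		SERVICE_TYPE_FRAMED = 2,
	};
	ike_sa_t *ike_sa;
	host_t *host;
	/* room for an IPv6 literal plus port suffix as printed by %#H; snprintf()
	 * truncates rather than overruns if a longer string ever shows up */
	char buf[64];
	u_int32_t value;
	chunk_t chunk;

	chunk = chunk_from_str(this->id_prefix);
	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, chunk);

	value = htonl(NAS_PORT_TYPE_VIRTUAL);
	request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
	value = htonl(SERVICE_TYPE_FRAMED);
	request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value));

	ike_sa = charon->bus->get_sa(charon->bus);
	if (ike_sa)
	{
		/* the IKE_SA unique ID acts as the "port" the peer is attached to */
		value = htonl(ike_sa->get_unique_id(ike_sa));
		request->add(request, RAT_NAS_PORT, chunk_from_thing(value));
		request->add(request, RAT_NAS_PORT_ID,
					 chunk_from_str(ike_sa->get_name(ike_sa)));

		host = ike_sa->get_my_host(ike_sa);
		chunk = host->get_address(host);
		switch (host->get_family(host))
		{
			case AF_INET:
				request->add(request, RAT_NAS_IP_ADDRESS, chunk);
				break;
			case AF_INET6:
				request->add(request, RAT_NAS_IPV6_ADDRESS, chunk);
				break;
			default:
				break;
		}
		snprintf(buf, sizeof(buf), "%#H", host);
		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
		host = ike_sa->get_other_host(ike_sa);
		snprintf(buf, sizeof(buf), "%#H", host);
		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
	}

	eap_radius_forward_from_ike(request);
}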
211
/**
 * Implementation of eap_method_t.initiate: start the EAP conversation
 *
 * Sends the first Access-Request, either with an empty EAP-Message
 * (EAP-Start) or with an EAP-Identity Response built from the peer identity.
 * Only an Access-Challenge is accepted at this stage; an Access-Accept
 * without any authentication is treated like an Access-Reject.
 *
 * @return			NEED_MORE with an EAP payload in out, FAILED otherwise
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;

	request = radius_message_create(RMC_ACCESS_REQUEST);
	add_radius_request_attrs(this, request);
	if (this->eap_start)
	{	/* an empty EAP-Message asks the server to start the conversation */
		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
	}
	else
	{
		add_eap_identity(this, request);
	}

	response = this->client->request(this->client, request);
	if (!response)
	{
		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
	}
	else
	{
		eap_radius_forward_to_ike(response);
		if (response->get_code(response) == RMC_ACCESS_CHALLENGE)
		{
			if (radius2ike(this, response, out))
			{
				status = NEED_MORE;
			}
		}
		else
		{	/* Access-Reject, or an Access-Accept on the very first request as
			 * some Microsoft RADIUS servers send without authentication:
			 * both count as failure */
			DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
				 this->peer);
		}
		response->destroy(response);
	}
	request->destroy(request);
	return status;
}
261
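/**
 * Handle the Class attribute as group membership information
 *
 * Every Class attribute shorter than 44 bytes is turned into an identity
 * and added as AUTH_RULE_GROUP to the remote auth config of the current
 * IKE_SA, so the server can assign groups used in config selection. Only
 * the length is checked; the content is taken from the server as is.
 *
 * @param this		method instance (unused)
 * @param msg		Access-Accept received from the server
 */
static void process_class(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	identification_t *id;
	ike_sa_t *ike_sa;
	auth_cfg_t *auth;
	chunk_t data;
	int type;

	ike_sa = charon->bus->get_sa(charon->bus);
	if (!ike_sa)
	{	/* nothing to attach groups to, no need to look at the message */
		return;
	}
	auth = ike_sa->get_auth_cfg(ike_sa, FALSE);

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type != RAT_CLASS)
		{
			continue;
		}
		if (data.len >= 44)
		{	/* quirk: ignore long class attributes, these are used for
			 * other purposes by some RADIUS servers (such as NPS). */
			continue;
		}
		id = identification_create_from_data(data);
		DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
		/* id is handed over to auth, it is not destroyed here */
		auth->add(auth, AUTH_RULE_GROUP, id);
	}
	enumerator->destroy(enumerator);
}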
298
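/**
 * Handle the Filter-Id attribute as IPsec CHILD_SA name
 *
 * If the Access-Accept carries a Tunnel-Type of ESP, the Filter-Id value is
 * added as AUTH_RULE_GROUP to the remote auth config of the current IKE_SA,
 * which allows selecting the CHILD_SA config by that name. If several
 * Tunnel-Type or Filter-Id attributes are present, the last of each wins.
 *
 * @param this		method instance (unused)
 * @param msg		Access-Accept received from the server
 */
static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	identification_t *id;
	ike_sa_t *ike_sa;
	auth_cfg_t *auth;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{
					continue;
				}
				/* RFC 2868: one tag octet followed by a 3-octet value. Mask
				 * the tag out instead of overwriting it in the received
				 * message buffer. */
				tunnel_tag = data.ptr[0];
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == RADIUS_TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				filter_id = data;
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			/* id is handed over to auth, it is not destroyed here */
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}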
354
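/**
 * Handle the Session-Timeout attribute
 *
 * A 4-byte Session-Timeout value (network byte order) is passed to
 * set_auth_lifetime() of the current IKE_SA. If the attribute occurs more
 * than once, the last value wins.
 *
 * @param this		method instance (unused)
 * @param msg		Access-Accept received from the server
 */
static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	ike_sa_t *ike_sa;
	chunk_t data;
	int type;

	ike_sa = charon->bus->get_sa(charon->bus);
	if (!ike_sa)
	{	/* no IKE_SA to apply the lifetime to */
		return;
	}
	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type == RAT_SESSION_TIMEOUT && data.len == 4)
		{
			ike_sa->set_auth_lifetime(ike_sa, untoh32(data.ptr));
		}
	}
	enumerator->destroy(enumerator);
}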
379
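/**
 * Handle Framed-IP-Address and other IKE configuration attributes
 *
 * Each 4-byte Framed-IP-Address is registered for the peer with the
 * eap_radius provider via add_framed_ip(). The values 0xFFFFFFFF ("user
 * selects") and 0xFFFFFFFE ("NAS selects") are reserved by RFC 2865 5.8
 * and are not addresses, so they are skipped. Altiga/Cisco VPN3000 banner
 * attributes are registered as UNITY_BANNER if the peer announced the
 * Cisco Unity extension.
 *
 * @param this		method instance providing the peer identity
 * @param msg		Access-Accept received from the server
 */
static void process_cfg_attributes(private_eap_radius_t *this,
								   radius_message_t *msg)
{
	eap_radius_provider_t *provider;
	enumerator_t *enumerator;
	ike_sa_t *ike_sa;
	host_t *host;
	chunk_t data;
	u_int32_t addr;
	int type, vendor;

	ike_sa = charon->bus->get_sa(charon->bus);
	provider = eap_radius_provider_get();
	if (!provider || !ike_sa)
	{
		return;
	}

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type != RAT_FRAMED_IP_ADDRESS || data.len != 4)
		{
			continue;
		}
		addr = untoh32(data.ptr);
		if (addr == 0xffffffff || addr == 0xfffffffe)
		{	/* RFC 2865 5.8 reserved values, nothing to assign */
			DBG1(DBG_IKE, "ignoring reserved Framed-IP-Address value 0x%08x",
				 addr);
			continue;
		}
		host = host_create_from_chunk(AF_INET, data, 0);
		if (host)
		{
			provider->add_framed_ip(provider, this->peer, host);
		}
	}
	enumerator->destroy(enumerator);

	enumerator = msg->create_vendor_enumerator(msg);
	while (enumerator->enumerate(enumerator, &vendor, &type, &data))
	{
		if (vendor != PEN_ALTIGA /* aka Cisco VPN3000 */)
		{
			continue;
		}
		switch (type)
		{
			case 15: /* CVPN3000-IPSec-Banner1 */
			case 36: /* CVPN3000-IPSec-Banner2 */
				if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
				{
					provider->add_attribute(provider, this->peer,
											UNITY_BANNER, data);
				}
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);
}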
434
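/**
 * Implementation of eap_method_t.process: proxy an EAP packet from the peer
 *
 * The EAP packet is sent to the RADIUS server in an Access-Request, split
 * into EAP-Message attributes of at most MAX_RADIUS_ATTRIBUTE_SIZE. An
 * Access-Challenge yields the next EAP payload for the peer, an
 * Access-Accept completes authentication and gets its Class, Filter-Id,
 * Session-Timeout, Framed-IP-Address and vendor attributes applied, any
 * other code is a failure. As in initiate(), a server that does not
 * respond raises ALERT_RADIUS_NOT_RESPONDING on the bus.
 *
 * @return			NEED_MORE, SUCCESS or FAILED
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t data;

	request = radius_message_create(RMC_ACCESS_REQUEST);
	add_radius_request_attrs(this, request);

	data = in->get_data(in);
	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data);

	/* fragment data suitable for RADIUS */
	while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, data);

	response = this->client->request(this->client, request);
	if (response)
	{
		eap_radius_forward_to_ike(response);
		switch (response->get_code(response))
		{
			case RMC_ACCESS_CHALLENGE:
				if (radius2ike(this, response, out))
				{
					status = NEED_MORE;
				}
				break;
			case RMC_ACCESS_ACCEPT:
				if (this->class_group)
				{
					process_class(this, response);
				}
				if (this->filter_id)
				{
					process_filter_id(this, response);
				}
				process_timeout(this, response);
				process_cfg_attributes(this, response);
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
					 this->peer);
				status = SUCCESS;
				break;
			case RMC_ACCESS_REJECT:
			default:
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
					 this->peer);
				break;
		}
		response->destroy(response);
	}
	else
	{	/* same signal initiate() gives, so listeners see a dead server
		 * regardless of which round it stopped answering in */
		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
	}
	request->destroy(request);
	return status;
}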
498
/**
 * Implementation of eap_method_t.get_type
 *
 * Reports the method currently proxied: EAP_RADIUS until the server picked
 * one, afterwards whatever radius2ike() extracted from the server's packet.
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t type = this->type;

	*vendor = this->vendor;
	return type;
}
505
/**
 * Implementation of eap_method_t.get_msk
 *
 * Hands out the MSK the RADIUS client derived from the server's reply.
 *
 * @return			SUCCESS with the MSK in out, FAILED if the client has none
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t msk = this->client->get_msk(this->client);

	if (!msk.len)
	{
		return FAILED;
	}
	*out = msk;
	return SUCCESS;
}
519
/**
 * Implementation of eap_method_t.get_identifier
 *
 * The identifier is used in the EAP-Identity Response we build ourselves;
 * packets from the server carry their own.
 */
METHOD(eap_method_t, get_identifier, u_int8_t,
	private_eap_radius_t *this)
{
	u_int8_t identifier = this->identifier;

	return identifier;
}
525
/**
 * Implementation of eap_method_t.set_identifier
 *
 * Stores the identifier to use in the next EAP-Identity Response.
 */
METHOD(eap_method_t, set_identifier, void,
	private_eap_radius_t *this, u_int8_t identifier)
{
	/* plain store, no validation is needed for an 8-bit identifier */
	this->identifier = identifier;
}
531
/**
 * Implementation of eap_method_t.is_mutual
 *
 * Of the proxied methods only EAP-AKA and EAP-SIM are reported as mutual;
 * anything else (including EAP_RADIUS before a method was selected) is not.
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	return this->type == EAP_AKA || this->type == EAP_SIM;
}
544
/**
 * Implementation of eap_method_t.destroy
 *
 * Releases the RADIUS client and the cloned identities. id_prefix belongs
 * to the settings and is left alone.
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
553
/**
 * Generic constructor
 *
 * Creates an EAP-RADIUS method proxying EAP for the given peer. Behaviour
 * is taken from the %s.plugins.eap-radius settings eap_start, id_prefix,
 * class_group and filter_id.
 *
 * @param server	identity of this server, gets cloned
 * @param peer		identity of the peer, gets cloned
 * @return			method instance, NULL if no RADIUS client could be created
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.get_identifier = _get_identifier,
				.set_identifier = _set_identifier,
				.destroy = _destroy,
			},
		},
		.server = server->clone(server),
		.peer = peer->clone(peer),
		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
		.type = EAP_RADIUS,
		.eap_start = lib->settings->get_bool(lib->settings,
						"%s.plugins.eap-radius.eap_start", FALSE,
						charon->name),
		.id_prefix = lib->settings->get_str(lib->settings,
						"%s.plugins.eap-radius.id_prefix", "",
						charon->name),
		.class_group = lib->settings->get_bool(lib->settings,
						"%s.plugins.eap-radius.class_group", FALSE,
						charon->name),
		.filter_id = lib->settings->get_bool(lib->settings,
						"%s.plugins.eap-radius.filter_id", FALSE,
						charon->name),
	);

	this->client = eap_radius_create_client();
	if (!this->client)
	{	/* the clones are ours already, release them with the object */
		this->server->destroy(this->server);
		this->peer->destroy(this->peer);
		free(this);
		return NULL;
	}
	return &this->public;
}