From: Alan T. DeKok Date: Tue, 21 Feb 2012 13:54:08 +0000 (+0100) Subject: Added virtual server support X-Git-Tag: release_3_0_0_beta0~302 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=033d32275e9933aa80a5914cae580b121862a2e3;p=thirdparty%2Ffreeradius-server.git Added virtual server support To make it simpler, and like the rest of the system --- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 35441e2f056..6cc2eea03c2 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -79,11 +79,21 @@ # EAP-pwd -- secure password-based authentication # pwd { - group = 19 - # - server_id = theserver@example.com - # - fragment_size = 1020 + group = 19 + + # + server_id = theserver@example.com + + # This has the same meaning as for TLS. + fragment_size = 1020 + + # The virtual server which determines the + # "known good" password for the user. + # Note that unlike TLS, only the "authorize" + # section is processed. EAP-PWD requests can be + # distinguished by having a User-Name, but + # no User-Password, CHAP-Password, EAP-Message, etc. + virtual_server = "inner-tunnel" } # Cisco LEAP diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c index 1b6b7e3c7e2..e467daec957 100644 --- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c +++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c @@ -50,6 +50,8 @@ static CONF_PARSER pwd_module_config[] = { offsetof(EAP_PWD_CONF, fragment_size), NULL, "1020"}, { "server_id", PW_TYPE_STRING_PTR, offsetof(EAP_PWD_CONF, server_id), NULL, NULL }, + { "virtual_server", PW_TYPE_STRING_PTR, + offsetof(EAP_PWD_CONF, virtual_server), NULL, NULL }, { NULL, -1, 0, NULL, NULL } }; 
@@ -301,7 +303,7 @@ eap_pwd_authenticate (void *arg, EAP_HANDLER *handler)
 pwd_id_packet *id;
 EAP_PACKET *response;
 REQUEST *request, *fake;
- VALUE_PAIR *pw, **outvps;
+ VALUE_PAIR *pw, **outvps, *vp;
 EAP_DS *eap_ds;
 int len, ret = 0;
 eap_pwd_t *inst = (eap_pwd_t *)arg;
@@ -443,7 +445,42 @@ eap_pwd_authenticate (void *arg, EAP_HANDLER *handler)
 pwd_session->peer_id_len);
 fake->username->length = pwd_session->peer_id_len;
 fake->username->vp_strvalue[fake->username->length] = 0;
- module_authorize(0, fake);
+
+ if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0)) != NULL) {
+ fake->server = vp->vp_strvalue;
+
+ } else if (inst->conf->virtual_server) {
+ fake->server = inst->conf->virtual_server;
+
+ } /* else fake->server == request->server */
+
+ if ((debug_flag > 0) && fr_log_fp) {
+ RDEBUG("Sending tunneled request");
+
+ debug_pair_list(fake->packet->vps);
+
+ fprintf(fr_log_fp, "server %s {\n",
+ (fake->server == NULL) ? "" : fake->server);
+ }
+
+ /*
+ * Call authorization recursively, which will
+ * get the password.
+ */
+ module_authorize(0, fake);
+
+ /*
+ * Note that we don't do *anything* with the reply
+ * attributes.
+ */
+ if ((debug_flag > 0) && fr_log_fp) {
+ fprintf(fr_log_fp, "} # server %s\n",
+ (fake->server == NULL) ? "" : fake->server);
+
+ RDEBUG("Got tunneled reply code %d", fake->reply->code);
+
+ debug_pair_list(fake->reply->vps);
+ }
 if ((pw = pairfind(fake->config_items, PW_CLEARTEXT_PASSWORD, 0)) == NULL) {
 DEBUG2("failed to find password for %s to do pwd authentication",
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
index 70cedd5bc02..e229f95d184 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
@@ -43,6 +43,7 @@ typedef struct eap_pwd_conf {
 int group;
 int fragment_size;
 char *server_id;
+ char *virtual_server;
 } EAP_PWD_CONF;
 typedef struct _eap_pwd_t {
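Review bot: The return code of `module_authorize(0, fake);` in the second hunk is discarded, and `fake->reply->code` is only printed in the debug branch, so a virtual server whose authorize section rejects the user (disabled account, policy reject) is ignored as long as a Cleartext-Password landed in `fake->config_items`; the only gate that follows is the pairfind for PW_CLEARTEXT_PASSWORD. Unless module_authorize clears config_items on reject, which I cannot see from here, the lookup server's decision never reaches the EAP-PWD exchange, and that contradicts the comment's promise that the virtual server "determines the known-good password". I would capture the result, `int rcode = module_authorize(0, fake);`, and send a non-success result — `if ((rcode != RLM_MODULE_OK) && (rcode != RLM_MODULE_UPDATED) && (rcode != RLM_MODULE_NOOP))` — down the same failure path as the missing-password branch below it, with NOOP kept or dropped depending on what the intended lookup modules return (hedged: files/sql return codes vary by match). The "we don't do *anything* with the reply attributes" comment should also state that the rcode is deliberately or accidentally ignored, so the next reader knows which. eap_pwd_authenticate begins before the first hunk and continues past the end of the second.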