
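/**
 * {@inheritDoc}
 *
 * Radius Authentication Poller.
 *
 * <p>Note that the poller will return SERVICE_AVAILABLE only if the
 * authentication request actually succeeds. A failed authentication
 * request will result in SERVICE_UNAVAILABLE, although the RADIUS
 * server may actually be up.
 *
 * <p>Parameters read from {@code parameters}: {@code authport}, {@code acctport},
 * {@code user}, {@code password}, {@code secret}, {@code authtype}, {@code nasid},
 * {@code inner-protocol}, {@code inner-user}, {@code certificate}, {@code timeout}
 * and {@code retry}. For tunneling ({@code RadiusUtils.isTunneling}) types the
 * outer request still carries the plain user/password attributes; the inner
 * user and the same password are handed to the EAP-TTLS authenticator as
 * tunneled attributes. Only {@code DEFAULT_TTLS_INNER_AUTH_TYPE} ('pap') is
 * accepted as inner protocol and PEAP is rejected as unsupported.
 *
 * <p>Security note: when no {@code certificate} parameter is configured the
 * EAP-TLS authenticator is set to trust any server certificate
 * ({@code setTrustAll(true)}), i.e. the RADIUS server is not authenticated
 * before the monitor's credentials are sent. A configured {@code certificate}
 * value is read but not applied to the authenticator by this method.
 *
 * @param svc the monitored service; its address is the RADIUS server to poll
 * @param parameters poller parameters, must not be {@code null}
 * @return {@code PollStatus.available(responseTime)} on an Access-Accept,
 *         otherwise {@code PollStatus.unavailable(reason)} describing why
 * @throws NullPointerException if {@code parameters} is {@code null}
 * @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_AVAILABLE
 * @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNAVAILABLE
 * @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNRESPONSIVE
 */
@Override
public PollStatus poll(MonitoredService svc, Map<String, Object> parameters) {
    if (parameters == null) {
        throw new NullPointerException("parameters");
    }
    // Assume that the service is down until an Access-Accept is seen.
    PollStatus status = PollStatus.unavailable();

    final TimeoutTracker tracker = new TimeoutTracker(parameters, DEFAULT_RETRY, DEFAULT_TIMEOUT);
    final int authport = ParameterMap.getKeyedInteger(parameters, "authport", DEFAULT_AUTH_PORT);
    final int acctport = ParameterMap.getKeyedInteger(parameters, "acctport", DEFAULT_ACCT_PORT);
    final String user = ParameterMap.getKeyedString(parameters, "user", DEFAULT_USER);
    final String password = ParameterMap.getKeyedString(parameters, "password", DEFAULT_PASSWORD);
    final String secret = ParameterMap.getKeyedString(parameters, "secret", DEFAULT_SECRET);
    final String authType = ParameterMap.getKeyedString(parameters, "authtype", DEFAULT_AUTH_TYPE);
    final String nasid = ParameterMap.getKeyedString(parameters, "nasid", DEFAULT_NASID);
    final String innerProtocol = ParameterMap.getKeyedString(parameters, "inner-protocol", DEFAULT_TTLS_INNER_AUTH_TYPE);
    final String innerUser = ParameterMap.getKeyedString(parameters, "inner-user", DEFAULT_INNER_USER);
    final String certFile = ParameterMap.getKeyedString(parameters, "certificate", null);
    final int retries = ParameterMap.getKeyedInteger(parameters, "retry", DEFAULT_RETRY);
    final InetAddress addr = svc.getAddress();

    AttributeFactory.loadAttributeDictionary("net.jradius.dictionary.AttributeDictionaryImpl");
    // The RadiusClient expects its timeout in seconds, the poller parameter is in milliseconds.
    final int timeout = convertTimeoutToSeconds(ParameterMap.getKeyedInteger(parameters, "timeout", DEFAULT_TIMEOUT));

    try {
        final RadiusClient rc = new RadiusClient(addr, secret, authport, acctport, timeout);
        for (tracker.reset(); tracker.shouldRetry(); tracker.nextAttempt()) {
            final AttributeList attributes = new AttributeList();
            attributes.add(new Attr_UserName(user));
            attributes.add(new Attr_NASIdentifier(nasid));
            attributes.add(new Attr_UserPassword(password));
            final AccessRequest accessRequest = new AccessRequest(rc, attributes);

            // A fresh authenticator is built for every attempt (EAP authenticators carry per-exchange state).
            final RadiusAuthenticator auth;
            if (authType.equalsIgnoreCase("chap")) {
                auth = new CHAPAuthenticator();
            } else if (authType.equalsIgnoreCase("pap")) {
                auth = new PAPAuthenticator();
            } else if (authType.equalsIgnoreCase("mschapv1")) {
                auth = new MSCHAPv1Authenticator();
            } else if (authType.equalsIgnoreCase("mschapv2")) {
                auth = new MSCHAPv2Authenticator();
            } else if (authType.equalsIgnoreCase("eapmd5") || authType.equalsIgnoreCase("eap-md5")) {
                auth = new EAPMD5Authenticator();
            } else if (authType.equalsIgnoreCase("eapmschapv2") || authType.equalsIgnoreCase("eap-mschapv2")) {
                auth = new EAPMSCHAPv2Authenticator();
            } else if (RadiusUtils.isTunneling(authType)) {
                if (innerUser == null) {
                    final String reason = "TLS AAA type requested but no inner user defined. Authtype: '" + authType + "'";
                    LOG.debug(reason);
                    return PollStatus.unavailable(reason);
                }
                EAPTLSAuthenticator tlsAuth = null;
                if (RadiusUtils.isEAPTTLS(authType)) {
                    final EAPTTLSAuthenticator ttlsAuth = new EAPTTLSAuthenticator();
                    // Compare by value: a configured "pap" is a different String instance than the default constant.
                    if (!DEFAULT_TTLS_INNER_AUTH_TYPE.equals(innerProtocol)) {
                        final String reason = "RadiusMonitor can only use 'pap' as inner auth protocol, not " + innerProtocol;
                        LOG.debug(reason);
                        return PollStatus.unavailable(reason);
                    }
                    ttlsAuth.setInnerProtocol(innerProtocol);
                    final AttributeList attrs = new AttributeList();
                    attrs.add(new Attr_UserName(innerUser));
                    attrs.add(new Attr_Password(password));
                    ttlsAuth.setTunneledAttributes(attrs);
                    tlsAuth = ttlsAuth;
                } else if (authType.equalsIgnoreCase("peap")) {
                    final String reason = "Support for eap peap is not ready yet";
                    LOG.debug(reason);
                    return PollStatus.unavailable(reason);
                }
                if (tlsAuth == null) {
                    // isTunneling() accepted a type that neither branch above builds; report it instead of
                    // dereferencing null below (which the outer catch would mask as a connection error).
                    final String reason = "Unsupported tunneling authenticator type '" + authType + "'";
                    LOG.debug(reason);
                    return PollStatus.unavailable(reason);
                }
                /* Certificate processing is common to the EAP-TLS family. */
                if (certFile == null) {
                    // No certificate configured: any server certificate is accepted, so the server is not authenticated.
                    LOG.warn("Server certificate will be trusted");
                    tlsAuth.setTrustAll(true);
                } else {
                    // The 'certificate' parameter is read but never handed to the authenticator here.
                    LOG.warn("Parameter 'certificate' ({}) is not applied by this monitor", certFile);
                }
                auth = tlsAuth;
            } else {
                final String reason = "Unknown authenticator type '" + authType + "'";
                LOG.debug(reason);
                return PollStatus.unavailable(reason);
            }

            tracker.startAttempt();
            // The retry count is also handed to the RadiusClient: per the original author it throws
            // if it is not allowed to retry on its own.
            final RadiusPacket reply = rc.authenticate(accessRequest, auth, retries);
            if (reply instanceof AccessAccept) {
                final double responseTime = tracker.elapsedTimeInMillis();
                status = PollStatus.available(responseTime);
                LOG.debug("Radius service is AVAILABLE on: {}", addr.getCanonicalHostName());
                LOG.debug("poll: responseTime= {}", responseTime);
                break;
            } else if (reply != null) {
                LOG.debug("response returned, but request was not accepted: {}", reply);
            }
            // Anything but an Access-Accept (including a null reply) counts as a failed attempt.
            final String reason = "Invalid RADIUS reply: " + reply;
            LOG.debug(reason);
            status = PollStatus.unavailable(reason);
        }
    } catch (final Throwable e) {
        // Poller boundary: any failure is reported as an unavailable service rather than propagated.
        final String reason = "Error while attempting to connect to the RADIUS service on " + addr.getCanonicalHostName();
        LOG.debug(reason, e);
        status = PollStatus.unavailable(reason);
    }
    return status;
}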