use of net.jradius.client.auth.EAPTLSAuthenticator in project opennms by OpenNMS.
the class RadiusAuthMonitor method poll.
/**
* {@inheritDoc}
*
* Radius Authentication Poller
*
* Note that the poller will return SERVICE_AVAILABLE only if the
* authentication Request actually succeeds. A failed authentication
* request will result in SERVICE_UNAVILABLE, although the radius
* server may actually be up.
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_AVAILABLE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNAVAILABLE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNRESPONSIVE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_AVAILABLE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNAVAILABLE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNRESPONSIVE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_AVAILABLE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNAVAILABLE
* @see org.opennms.netmgt.poller.ServiceMonitor#SERVICE_UNRESPONSIVE
*/
@Override
public PollStatus poll(MonitoredService svc, Map<String, Object> parameters) {
// Assume that the service is down
PollStatus status = PollStatus.unavailable();
if (parameters == null) {
throw new NullPointerException();
}
final TimeoutTracker tracker = new TimeoutTracker(parameters, DEFAULT_RETRY, DEFAULT_TIMEOUT);
int authport = ParameterMap.getKeyedInteger(parameters, "authport", DEFAULT_AUTH_PORT);
int acctport = ParameterMap.getKeyedInteger(parameters, "acctport", DEFAULT_ACCT_PORT);
String user = ParameterMap.getKeyedString(parameters, "user", DEFAULT_USER);
String password = ParameterMap.getKeyedString(parameters, "password", DEFAULT_PASSWORD);
String secret = ParameterMap.getKeyedString(parameters, "secret", DEFAULT_SECRET);
String authType = ParameterMap.getKeyedString(parameters, "authtype", DEFAULT_AUTH_TYPE);
String nasid = ParameterMap.getKeyedString(parameters, "nasid", DEFAULT_NASID);
String innerProtocol = ParameterMap.getKeyedString(parameters, "inner-protocol", DEFAULT_TTLS_INNER_AUTH_TYPE);
String innerUser = ParameterMap.getKeyedString(parameters, "inner-user", DEFAULT_INNER_USER);
String certFile = ParameterMap.getKeyedString(parameters, "certificate", null);
InetAddress addr = svc.getAddress();
AttributeFactory.loadAttributeDictionary("net.jradius.dictionary.AttributeDictionaryImpl");
int timeout = convertTimeoutToSeconds(ParameterMap.getKeyedInteger(parameters, "timeout", DEFAULT_TIMEOUT));
try {
final RadiusClient rc = new RadiusClient(addr, secret, authport, acctport, timeout);
for (tracker.reset(); tracker.shouldRetry(); tracker.nextAttempt()) {
final AttributeList attributes = new AttributeList();
attributes.add(new Attr_UserName(user));
attributes.add(new Attr_NASIdentifier(nasid));
attributes.add(new Attr_UserPassword(password));
final AccessRequest accessRequest = new AccessRequest(rc, attributes);
final RadiusAuthenticator auth;
if (authType.equalsIgnoreCase("chap")) {
auth = new CHAPAuthenticator();
} else if (authType.equalsIgnoreCase("pap")) {
auth = new PAPAuthenticator();
} else if (authType.equalsIgnoreCase("mschapv1")) {
auth = new MSCHAPv1Authenticator();
} else if (authType.equalsIgnoreCase("mschapv2")) {
auth = new MSCHAPv2Authenticator();
} else if (authType.equalsIgnoreCase("eapmd5") || authType.equalsIgnoreCase("eap-md5")) {
auth = new EAPMD5Authenticator();
} else if (authType.equalsIgnoreCase("eapmschapv2") || authType.equalsIgnoreCase("eap-mschapv2")) {
auth = new EAPMSCHAPv2Authenticator();
} else if (RadiusUtils.isTunneling(authType)) {
if (innerUser == null) {
String reason = "TLS AAA type requested but no inner user defined. Authtype: '" + authType + "'";
RadiusAuthMonitor.LOG.debug(reason);
return PollStatus.unavailable(reason);
}
EAPTLSAuthenticator tlsAuth = null;
if (RadiusUtils.isEAPTTLS(authType)) {
tlsAuth = new EAPTTLSAuthenticator();
final EAPTTLSAuthenticator ttlsAuth = (EAPTTLSAuthenticator) tlsAuth;
if (innerProtocol != DEFAULT_TTLS_INNER_AUTH_TYPE) {
String reason = "RadiusMonitor can only use 'pap' as inner auth protocol, not " + innerProtocol;
LOG.debug(reason);
return PollStatus.unavailable(reason);
} else {
ttlsAuth.setInnerProtocol(innerProtocol);
}
AttributeList attrs = new AttributeList();
attrs.add(new Attr_UserName(innerUser));
attrs.add(new Attr_Password(password));
ttlsAuth.setTunneledAttributes(attrs);
} else if (authType.equalsIgnoreCase("peap")) {
String reason = "Support for eap peap is not ready yet";
LOG.debug(reason);
return PollStatus.unavailable(reason);
}
/* Cert. processing is common to EAPTLS protocols */
/* We trust any certificate for now */
LOG.warn("Server certificate will be trusted");
if (certFile == null)
tlsAuth.setTrustAll(true);
auth = tlsAuth;
} else {
String reason = "Unknown authenticator type '" + authType + "'";
RadiusAuthMonitor.LOG.debug(reason);
return PollStatus.unavailable(reason);
}
tracker.startAttempt();
// The retry should be handled by the RadiusClient because otherwise it will thrown an exception.
RadiusPacket reply = rc.authenticate(accessRequest, auth, ParameterMap.getKeyedInteger(parameters, "retry", DEFAULT_RETRY));
if (reply instanceof AccessAccept) {
double responseTime = tracker.elapsedTimeInMillis();
status = PollStatus.available(responseTime);
LOG.debug("Radius service is AVAILABLE on: {}", addr.getCanonicalHostName());
LOG.debug("poll: responseTime= {}", responseTime);
break;
} else if (reply != null) {
LOG.debug("response returned, but request was not accepted: {}", reply);
}
String reason = "Invalid RADIUS reply: " + reply;
RadiusAuthMonitor.LOG.debug(reason);
status = PollStatus.unavailable(reason);
}
} catch (final Throwable e) {
String reason = "Error while attempting to connect to the RADIUS service on " + addr.getCanonicalHostName();
RadiusAuthMonitor.LOG.debug(reason, e);
status = PollStatus.unavailable(reason);
}
return status;
}
Aggregations