/// <summary> /// Determines whether or not the response indicates that the user account is in "Next Token" mode. /// </summary> /// <param name="response">Response packet sent by the server.</param> /// <returns>True if the user account is in "Next Token" mode; otherwise False.</returns> /// <remarks> /// <para> /// A user's account can enter the "Next Token" mode after the user enters incorrect passwords for a few /// times (3 times by default) and then enters the correct password. Note that repeatedly entering /// incorrect passwords will disable the user account. /// </para> /// <para>NOTE: This method is specific to RSA RADIUS implementation.</para> /// </remarks> public bool IsUserInNextTokenMode(RadiusPacket response) { CheckDisposed(); if (response != null) { byte[] messageBytes = response.GetAttributeValue(AttributeType.ReplyMessage); if (messageBytes != null) { // Unfortunately, the only way of determining whether or not a user account is in the // "Next Token" mode is from the text present in the ReplyMessage attribute of the // AccessChallenge response from server. string messageString = RadiusPacket.Encoding.GetString(messageBytes, 0, messageBytes.Length); if (messageString.ToLower().Contains(m_nextTokenModeMessage.ToLower())) { return true; // User account is in "Next Token" mode. } else { return false; } } else { throw new ArgumentException("ReplyMessage attribute is not present", "response"); } } else { throw new ArgumentNullException("response"); } }
/// <summary> /// Send a request to the server and waits for a response back. /// </summary> /// <param name="request">Request to be sent to the server.</param> /// <returns>Response packet if a valid reponse is received from the server; otherwise Nothing.</returns> public RadiusPacket ProcessRequest(RadiusPacket request) { CheckDisposed(); RadiusPacket response = null; // We wait indefinately for the connection to establish. But since this is UDP, the connection // will always be successful (locally we're binding to any available UDP port). if (m_udpClient.CurrentState == ClientState.Connected) { // We have a UDP socket we can use for exchanging packets. DateTime stopTime; for (int i = 1; i <= m_requestAttempts; i++) { m_responseBytes = null; m_udpClient.Send(request.BinaryImage()); stopTime = DateTime.Now.AddMilliseconds(m_reponseTimeout); while (true) { Thread.Sleep(1); // Stay in the loop until: // 1) We receive a response OR // 2) We exceed the response timeout duration if ((m_responseBytes != null) || DateTime.Now > stopTime) { break; } } if (m_responseBytes != null) { // The server sent a response. response = new RadiusPacket(m_responseBytes, 0, m_responseBytes.Length); if (response.Identifier == request.Identifier && response.Authenticator.CompareTo(RadiusPacket.CreateResponseAuthenticator(m_sharedSecret, request, response)) == 0) { // The response has passed the verification. break; } else { // The response failed the verification, so we'll silently discard it. response = null; } } } } return response; }
/// <summary> /// Authenticates the username and password against the RADIUS server. /// </summary> /// <param name="username">Username to be authenticated.</param> /// <param name="password">Password to be authenticated.</param> /// <param name="state">State value from a previous challenge response.</param> /// <returns>Response packet received from the server for the authentication request.</returns> /// <remarks> /// <para> /// The type of response packet (if any) will be one of the following: /// <list> /// <item>AccessAccept: If the authentication is successful.</item> /// <item>AccessReject: If the authentication is not successful.</item> /// <item>AccessChallenge: If the server need more information from the user.</item> /// </list> /// </para> /// <para> /// When an AccessChallenge response packet is received from the server, it contains a State attribute /// that must be included in the AccessRequest packet that is being sent in response to the AccessChallenge /// response. So if this method returns an AccessChallenge packet, then this method is to be called again /// with the requested information (from ReplyMessage attribute) in the password field and the value State /// attribute. /// </para> /// </remarks> public RadiusPacket Authenticate(string username, string password, byte[] state) { CheckDisposed(); if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password)) { RadiusPacket request = new RadiusPacket(PacketType.AccessRequest); byte[] authenticator = RadiusPacket.CreateRequestAuthenticator(m_sharedSecret); request.Authenticator = authenticator; request.Attributes.Add(new RadiusPacketAttribute(AttributeType.UserName, username)); request.Attributes.Add(new RadiusPacketAttribute(AttributeType.UserPassword, RadiusPacket.EncryptPassword(password, m_sharedSecret, authenticator))); if (state != null) { // State attribute is used when responding to a AccessChallenge reponse. request.Attributes.Add(new RadiusPacketAttribute(AttributeType.State, state)); } return ProcessRequest(request); } else { throw new ArgumentException("Username and Password cannot be null."); } }
/// <summary> /// Generates an "Authenticator" value used in a RADIUS response packet sent by the server to client. /// </summary> /// <param name="sharedSecret">The shared secret key.</param> /// <param name="requestPacket">RADIUS packet sent from client to server.</param> /// <param name="responsePacket">RADIUS packet sent from server to client.</param> /// <returns>A byte array.</returns> public static byte[] CreateResponseAuthenticator(string sharedSecret, RadiusPacket requestPacket, RadiusPacket responsePacket) { // Response authenticator is generated as follows: // MD5(Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret) // where: // Code, Identifier, Length & Attributes are from the response RADIUS packet // Request Authenticator is from the request RADIUS packet // Shared Secret is the shared secret ket int length = responsePacket.BinaryLength; byte[] sharedSecretBytes = Encoding.GetBytes(sharedSecret); byte[] buffer = BufferPool.TakeBuffer(length + sharedSecretBytes.Length); try { responsePacket.GenerateBinaryImage(buffer, 0); Buffer.BlockCopy(requestPacket.BinaryImage(), 4, buffer, 4, 16); Buffer.BlockCopy(sharedSecretBytes, 0, buffer, length, sharedSecretBytes.Length); return new MD5CryptoServiceProvider().ComputeHash(buffer); } finally { if (buffer != null) BufferPool.ReturnBuffer(buffer); } }