/// <summary>
/// Determines whether or not the response indicates that the user account is in "Next Token" mode.
/// </summary>
/// <param name="response">Response packet sent by the server.</param>
/// <returns>True if the user account is in "Next Token" mode; otherwise False.</returns>
/// <remarks>
/// <para>
/// A user's account can enter the "Next Token" mode after the user enters incorrect passwords for a few
/// times (3 times by default) and then enters the correct password. Note that repeatedly entering
/// incorrect passwords will disable the user account.
/// </para>
/// <para>NOTE: This method is specific to RSA RADIUS implementation.</para>
/// </remarks>
public bool IsUserInNextTokenMode(RadiusPacket response)
{
CheckDisposed();
if (response != null)
{
byte[] messageBytes = response.GetAttributeValue(AttributeType.ReplyMessage);
if (messageBytes != null)
{
// Unfortunately, the only way of determining whether or not a user account is in the
// "Next Token" mode is from the text present in the ReplyMessage attribute of the
// AccessChallenge response from server.
string messageString = RadiusPacket.Encoding.GetString(messageBytes, 0, messageBytes.Length);
if (messageString.ToLower().Contains(m_nextTokenModeMessage.ToLower()))
{
return true; // User account is in "Next Token" mode.
}
else
{
return false;
}
}
else
{
throw new ArgumentException("ReplyMessage attribute is not present", "response");
}
}
else
{
throw new ArgumentNullException("response");
}
}
/// <summary>
/// Send a request to the server and waits for a response back.
/// </summary>
/// <param name="request">Request to be sent to the server.</param>
/// <returns>Response packet if a valid reponse is received from the server; otherwise Nothing.</returns>
public RadiusPacket ProcessRequest(RadiusPacket request)
{
CheckDisposed();
RadiusPacket response = null;
// We wait indefinately for the connection to establish. But since this is UDP, the connection
// will always be successful (locally we're binding to any available UDP port).
if (m_udpClient.CurrentState == ClientState.Connected)
{
// We have a UDP socket we can use for exchanging packets.
DateTime stopTime;
for (int i = 1; i <= m_requestAttempts; i++)
{
m_responseBytes = null;
m_udpClient.Send(request.BinaryImage());
stopTime = DateTime.Now.AddMilliseconds(m_reponseTimeout);
while (true)
{
Thread.Sleep(1);
// Stay in the loop until:
// 1) We receive a response OR
// 2) We exceed the response timeout duration
if ((m_responseBytes != null) || DateTime.Now > stopTime)
{
break;
}
}
if (m_responseBytes != null)
{
// The server sent a response.
response = new RadiusPacket(m_responseBytes, 0, m_responseBytes.Length);
if (response.Identifier == request.Identifier && response.Authenticator.CompareTo(RadiusPacket.CreateResponseAuthenticator(m_sharedSecret, request, response)) == 0)
{
// The response has passed the verification.
break;
}
else
{
// The response failed the verification, so we'll silently discard it.
response = null;
}
}
}
}
return response;
}
/// <summary>
/// Authenticates the username and password against the RADIUS server.
/// </summary>
/// <param name="username">Username to be authenticated.</param>
/// <param name="password">Password to be authenticated.</param>
/// <param name="state">State value from a previous challenge response.</param>
/// <returns>Response packet received from the server for the authentication request.</returns>
/// <remarks>
/// <para>
/// The type of response packet (if any) will be one of the following:
/// <list>
/// <item>AccessAccept: If the authentication is successful.</item>
/// <item>AccessReject: If the authentication is not successful.</item>
/// <item>AccessChallenge: If the server need more information from the user.</item>
/// </list>
/// </para>
/// <para>
/// When an AccessChallenge response packet is received from the server, it contains a State attribute
/// that must be included in the AccessRequest packet that is being sent in response to the AccessChallenge
/// response. So if this method returns an AccessChallenge packet, then this method is to be called again
/// with the requested information (from ReplyMessage attribute) in the password field and the value State
/// attribute.
/// </para>
/// </remarks>
public RadiusPacket Authenticate(string username, string password, byte[] state)
{
CheckDisposed();
if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
{
RadiusPacket request = new RadiusPacket(PacketType.AccessRequest);
byte[] authenticator = RadiusPacket.CreateRequestAuthenticator(m_sharedSecret);
request.Authenticator = authenticator;
request.Attributes.Add(new RadiusPacketAttribute(AttributeType.UserName, username));
request.Attributes.Add(new RadiusPacketAttribute(AttributeType.UserPassword, RadiusPacket.EncryptPassword(password, m_sharedSecret, authenticator)));
if (state != null)
{
// State attribute is used when responding to a AccessChallenge reponse.
request.Attributes.Add(new RadiusPacketAttribute(AttributeType.State, state));
}
return ProcessRequest(request);
}
else
{
throw new ArgumentException("Username and Password cannot be null.");
}
}
/// <summary>
/// Generates an "Authenticator" value used in a RADIUS response packet sent by the server to client.
/// </summary>
/// <param name="sharedSecret">The shared secret key.</param>
/// <param name="requestPacket">RADIUS packet sent from client to server.</param>
/// <param name="responsePacket">RADIUS packet sent from server to client.</param>
/// <returns>A byte array.</returns>
public static byte[] CreateResponseAuthenticator(string sharedSecret, RadiusPacket requestPacket, RadiusPacket responsePacket)
{
// Response authenticator is generated as follows:
// MD5(Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret)
// where:
// Code, Identifier, Length & Attributes are from the response RADIUS packet
// Request Authenticator is from the request RADIUS packet
// Shared Secret is the shared secret ket
int length = responsePacket.BinaryLength;
byte[] sharedSecretBytes = Encoding.GetBytes(sharedSecret);
byte[] buffer = BufferPool.TakeBuffer(length + sharedSecretBytes.Length);
try
{
responsePacket.GenerateBinaryImage(buffer, 0);
Buffer.BlockCopy(requestPacket.BinaryImage(), 4, buffer, 4, 16);
Buffer.BlockCopy(sharedSecretBytes, 0, buffer, length, sharedSecretBytes.Length);
return new MD5CryptoServiceProvider().ComputeHash(buffer);
}
finally
{
if (buffer != null)
BufferPool.ReturnBuffer(buffer);
}
}