Пример #1
/**
 * Called when the LCP is up.
 *
 * Enforces the MPPE (encryption) requirement when built with
 * USE_NPPPD_MPPE, clamps the peer's MRU to ours, and then either starts
 * the negotiated authentication protocol or, when no peer authentication
 * was negotiated, reports authentication success straight away.
 *
 * @param _this	the PPP session whose LCP just came up
 */
void
ppp_lcp_up(npppd_ppp *_this)
{
#ifdef USE_NPPPD_MPPE
	/*
	 * Refuse to continue when encryption is mandatory but
	 * MPPE_MUST_NEGO() does not hold for this session; per the log
	 * message the auth protocol has to be MS-CHAP-V2 or EAP for that.
	 * Stopping here keeps a session that requires MPPE from carrying on
	 * without it.
	 */
	if (MPPE_REQUIRED(_this) && !MPPE_MUST_NEGO(_this)) {
		ppp_log(_this, LOG_ERR, "MPPE is required, auth protocol must "
		    "be MS-CHAP-V2 or EAP");
		ppp_stop(_this, "Encryption required");
		return;
	}
#endif
	/*
	 * Our MRU wins even if the peer insists on a larger one.  peer_mru
	 * is later used as the MTU of the routing entry, so packets larger
	 * than that MTU will not be received.
	 */
	if (_this->peer_mru > _this->mru)
		_this->peer_mru = _this->mru;

	/* No peer authentication negotiated: treat the peer as authorized. */
	if (_this->peer_auth == 0) {
		ppp_auth_ok(_this);
		return;
	}

	/*
	 * Authentication was already started once for this session; it is
	 * not started again here.
	 * NOTE(review): presumably this covers LCP coming up again after a
	 * renegotiation -- confirm against the callers.
	 */
	if (_this->auth_runonce != 0)
		return;

	if (AUTH_IS_PAP(_this)) {
		pap_start(&_this->pap);
		_this->auth_runonce = 1;
		return;
	}
	if (AUTH_IS_CHAP(_this)) {
		chap_start(&_this->chap);
		_this->auth_runonce = 1;
		return;
	}
#ifdef USE_NPPPD_EAP_RADIUS
	if (AUTH_IS_EAP(_this)) {
		/*
		 * NOTE(review): unlike the PAP and CHAP paths, auth_runonce
		 * is not set here -- confirm that this is intended.
		 */
		eap_init(&_this->eap, _this);
		eap_start(&_this->eap);
		return;
	}
#endif
	/*
	 * peer_auth is set but none of the compiled-in protocols matched:
	 * nothing is started and ppp_auth_ok() is not called from here.
	 */
}
Пример #2
/*
 * EAP authorization DEPENDS on other rlm authorizations, to check for
 * user existence and to get their configured values.
 * It handles EAP-Start messages and User-Name initialization.
 *
 * Returns:
 *   RLM_MODULE_NOOP     the request was proxied (WITH_PROXY), or
 *                       eap_start() returned EAP_NOOP
 *   RLM_MODULE_FAIL     eap_start() returned EAP_FAIL, or the Auth-Type
 *                       pair could not be created
 *   RLM_MODULE_HANDLED  eap_start() returned EAP_FOUND
 *   RLM_MODULE_OK       eap_start() returned EAP_OK
 *   RLM_MODULE_UPDATED  any other eap_start() result
 */
static rlm_rcode_t mod_authorize(void *instance, REQUEST *request)
{
	rlm_eap_t	*inst = instance;
	VALUE_PAIR	*auth_type;
	int		start_rc;

#ifdef WITH_PROXY
	/*
	 *	Once the proxy reply (or the proxied packet) has been
	 *	seen, authorization is not done a second time.
	 */
	if (request->proxy != NULL)
		return RLM_MODULE_NOOP;
#endif

	/*
	 *	For EAP_START, send Access-Challenge with EAP Identity
	 *	request, even when this request has to be proxied.
	 *
	 *	RFC 2869, Section 2.3.1 notes that the "domain" of the
	 *	user (i.e. where to proxy him) comes from the EAP-Identity,
	 *	so the user CANNOT be proxied until his identity is known.
	 *
	 *	An EAP Identity request is therefore sent.
	 */
	start_rc = eap_start(inst, request);
	if (start_rc == EAP_NOOP)
		return RLM_MODULE_NOOP;
	if (start_rc == EAP_FAIL)
		return RLM_MODULE_FAIL;
	if (start_rc == EAP_FOUND)
		return RLM_MODULE_HANDLED;
	/* EAP_OK, EAP_NOTFOUND and anything else continue below. */

	/*
	 *	RFC 2869, Section 2.3.1.  If a NAS sends an EAP-Identity,
	 *	it MUST copy the identity into the User-Name attribute.
	 *
	 *	That is not enforced here.  Each EAP sub-module is expected
	 *	to look for handler->request->username and to complain if
	 *	it does not appear.
	 *
	 *	An Auth-Type of Reject already present in the config items
	 *	is left alone, so this module does not override a reject.
	 *	In every other case Auth-Type is set to this module
	 *	instance's name.
	 */
	auth_type = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
	if (auth_type && (auth_type->vp_integer == PW_AUTHTYPE_REJECT)) {
		/* Only reached for Reject, despite the generic wording. */
		RDEBUG2W("Auth-Type already set.  Not setting to EAP");
	} else {
		auth_type = pairmake_config("Auth-Type", inst->xlat_name, T_OP_EQ);
		if (!auth_type) {
			RDEBUG2("Failed to create Auth-Type %s: %s\n",
				inst->xlat_name, fr_strerror());
			return RLM_MODULE_FAIL;
		}
	}

	return (start_rc == EAP_OK) ? RLM_MODULE_OK : RLM_MODULE_UPDATED;
}