
Not quite a standard approach to organizing access to a WiFi network (Cisco WLC -> FreeRadius -> PHP -> web page)

I want to share the solution to one nontrivial task. We needed to organize convenient access to the wireless network in the organization's office. The network gives access only to the public Internet and is not connected to the corporate network in any way; it is a completely isolated system. The only thing the two have in common is the users. To keep things simple, we decided to authenticate at Layer 3: the network is open, and after connecting you must enter a password to get to the Internet (Cisco WLC Web Auth).
In principle everything is simple: create an account for every user and you are done. But with no helpdesk staff there was nobody to create logins, let alone hand out passwords to employees. So the task became to use one of the existing authentication sources, which in a standard situation is quite easy: for example, with MS Active Directory you can use NPS as the RADIUS server, and LDAP can be connected directly.
In our case there was both (AD for the network and LDAP for access to the corporate intranet), but neither was reachable from the WiFi segment. The most we could get was a test AD account and an account for the intranet. We sat down, thought it over... and this is what we came up with.


FreeRadius can delegate authentication to an external script, for example in PHP. This is done like this (the value the script prints becomes the Auth-Type):

    authorize {
        update control {
            Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}'`
        }
    }


In this case the PHP script only has to check the login and password and print either Accept or Reject.
Using this, we successfully solved the problem. Diagram of what happened:


The PHP script logs into the intranet page via curl with the '%{User-Name}' and '%{User-Password}' values passed to it, checks whether the login succeeded, and echoes "Accept" if it did.

Here is the script code (login to the intranet through IBM Tivoli Access Manager WebSEAL):

    <?php
    // Called by FreeRADIUS as: php -f yourscript.php '<User-Name>' '<User-Password>'
    $authSuccessful = false;
    $user = $argv[1];
    $password = $argv[2];
    // WebSEAL login form of the intranet
    $url = 'https://intranet.of.the.company.accessible.from.internet/pkmslogin.form';
    // URL-encode both values so that '&', '=' or '%' in a password cannot break the form
    $fields_string = "username=" . urlencode($user) . "&password=" . urlencode($password)
        . "&login-form-type=pwd&submit=Login";
    // open connection
    $ch = curl_init();
    // set the url and POST data (a string in CURLOPT_POSTFIELDS makes curl send a POST)
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    // certificate verification is switched off here, so anyone who can impersonate the
    // intranet host on the network path also receives the submitted credentials
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    // the cookie jar is relative to the working directory of radiusd and shared by all invocations
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_POSTREDIR, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // execute post
    $result = curl_exec($ch);
    curl_close($ch);
    // WebSEAL shows this text after a successful pkmslogin
    if ($result !== false && strpos($result, 'Your login was successful') !== false) {
        $authSuccessful = true;
    }
    // whatever is printed here is what FreeRADIUS assigns to Auth-Type
    if ($authSuccessful == true) {
        echo "Accept\n";
    } else {
        echo "Reject\n";
    }


Everything worked beautifully and everyone was happy... except those who did not remember their intranet password (for some reason the intranet passwords differed from the AD passwords). Instead of hinting to users that everybody should remember all of their passwords and not just the main one (here the AD password), IT management asked us to solve the problem by technical means.
Luckily, the office had a Citrix XenApp server with a Web Interface reachable from the Internet that used MS AD as its authentication source. Here is what we used:
Script code (login on Citrix Web Interface v5.4):

    <?php
    // Called by FreeRADIUS as: php -f yourscript.php '<User-Name>' '<User-Password>'
    $authSuccessful = false;
    $user = $argv[1];
    $password = $argv[2];
    // WebInterface 5.4.x explicit login form
    $url = 'https://the.web.interface.of.citrix.xenapp/Citrix/XenApp/auth/login.aspx';
    // URL-encode both values so that special characters in a password cannot break the form
    $fields_string = "user=" . urlencode($user) . "&password=" . urlencode($password)
        . "&LoginType=Explicit";
    // open connection
    $ch = curl_init();
    // set the url and POST data
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    // certificate verification is switched off, same caveat as in the WebSEAL script
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
    // do not follow the redirect: the Location target itself is the success indicator
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_POSTREDIR, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // execute post
    $result = curl_exec($ch);
    // close connection
    curl_close($ch);
    // after a successful login the Web Interface sends the user on to default.aspx
    if ($result !== false && strpos($result, 'default.aspx') !== false) {
        $authSuccessful = true;
    }
    if ($authSuccessful == true) {
        echo "Accept\n";
    } else {
        echo "Reject\n";
    }


We decided to go even further and combined both scripts into one: now the intranet login is checked first, then MS AD via the Citrix Web Interface.
Final script code:

    <?php
    // Called by FreeRADIUS as: php -f yourscript.php '<User-Name>' '<User-Password>'
    $authSuccessful = false;
    $user = $argv[1];
    $password = $argv[2];

    // 1. Intranet (WebSEAL) login
    $url = 'https://intranet.of.the.company.accessible.from.internet/pkmslogin.form';
    $fields_string = "username=" . urlencode($user) . "&password=" . urlencode($password)
        . "&login-form-type=pwd&submit=Login";
    // open connection
    $ch = curl_init();
    // set the url and POST data
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // certificate verification off, see above
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_POSTREDIR, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // execute post
    $result = curl_exec($ch);
    curl_close($ch);
    if ($result !== false && strpos($result, 'Your login was successful') !== false) {
        $authSuccessful = true;
    }

    // 2. Only if the intranet rejected the user: MS AD via Citrix Web Interface 5.4.x
    if ($authSuccessful == false) {
        $url = 'https://the.web.interface.of.citrix.xenapp/Citrix/XenApp/auth/login.aspx';
        $fields_string = "user=" . urlencode($user) . "&password=" . urlencode($password)
            . "&LoginType=Explicit";
        // open connection
        $ch = curl_init();
        // set the url and POST data
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_COOKIESESSION, true);
        curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
        curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
        curl_setopt($ch, CURLOPT_POSTREDIR, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // execute post
        $result = curl_exec($ch);
        // close connection
        curl_close($ch);
        if ($result !== false && strpos($result, 'default.aspx') !== false) {
            $authSuccessful = true;
        }
    }

    // the printed word becomes Auth-Type in FreeRADIUS
    if ($authSuccessful == true) {
        echo "Accept\n";
    } else {
        echo "Reject\n";
    }
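An added example, not code from the original article: the same Accept/Reject script rewritten with certificate verification on, URL-encoded form fields, a per-invocation cookie jar, timeouts so a hung backend cannot stall radiusd, and fail-closed handling of transport errors. It keeps the article's two endpoints and success markers (placeholder host names) and the same argv invocation from the FreeRADIUS line, and assumes PHP 7.1+ with ext-curl.

```php
<?php
// Hardened variant of the combined check (added example). Same contract:
// print "Accept" or "Reject" for FreeRADIUS' backtick expansion.

// Try one login form; true only when the backend's success marker is seen.
function check_web_login(string $url, array $fields, string $marker): bool {
    $jar = tempnam(sys_get_temp_dir(), 'radius-cookie-'); // not shared between runs
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // encodes '&', '=', '%'
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // the redirect target is the indicator
        CURLOPT_SSL_VERIFYPEER => true,  // the article's scripts disabled this
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_COOKIEJAR      => $jar,
        CURLOPT_COOKIEFILE     => $jar,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,    // a hung backend must not hang radiusd
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    @unlink($jar);
    if ($body === false || $status >= 500) {
        return false; // TLS, network or backend failure: fail closed
    }
    return strpos($body, $marker) !== false;
}

// credentials arrive on argv exactly as in the article's radiusd configuration
$user     = $argv[1] ?? '';
$password = $argv[2] ?? '';
if ($user === '' || $password === '') {
    echo "Reject\n";
    exit(1);
}

// backends in the article's order: intranet (WebSEAL) first, then Citrix WI / AD
$backends = [
    ['https://intranet.of.the.company.accessible.from.internet/pkmslogin.form',
     ['username' => $user, 'password' => $password, 'login-form-type' => 'pwd', 'submit' => 'Login'],
     'Your login was successful'],
    ['https://the.web.interface.of.citrix.xenapp/Citrix/XenApp/auth/login.aspx',
     ['user' => $user, 'password' => $password, 'LoginType' => 'Explicit'],
     'default.aspx'],
];
foreach ($backends as [$url, $fields, $marker]) {
    if (check_web_login($url, $fields, $marker)) {
        echo "Accept\n";
        exit(0);
    }
}
echo "Reject\n";
```

The script is invoked with the same `Auth-Type := \`/usr/bin/php -f ...\`` line as the original; the only visible difference for FreeRADIUS is that a backend outage now answers Reject within the timeout instead of blocking the request.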

Source: https://habr.com/ru/post/190156/

