AXL RADIUS Server API V3

com.theorem.radserver3
Class AuthInfo

Object
  extended by PacketInfo
      extended by AuthInfo

public final class AuthInfo
extends PacketInfo

Class to pass information to and from an Access-Request or Access-Challenge.

This object is passed to the AccessImpl authenticate() method. It contains methods for determining whether the packet is an initial Access-Request (isAccessRequest()) or a response to an earlier Access-Challenge (isAccessChallengeResponse()).

Request attributes are accessed using getRequestAttributeList().

To determine if the packet's password matches the password held in the authoritative backing store there are two options:
A) encode the backing store's password with encode() and compare the result to the packet's (still encoded) User-Password, or
B) decode the packet's password with decode() and compare the result to the authoritative password.
The cmp() method can be used to compare the two byte arrays. A decoded password that will be compared to a plain text password should first have its trailing padding bytes removed using the trim() method, because the User-Password attribute is null-padded to a multiple of 16 bytes on the wire.

A single authentication may involve several round trips: every Access-Challenge the server sends is answered by a further Access-Request from the client before the final Access-Accept or Access-Reject.
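The two comparison options above, worked through in Python as an added example (this is not the AXL library's code; it reimplements the RFC 2865 section 5.2 User-Password hiding that encode()/decode() perform, so the behaviour of trim() and the padding caveat can be seen end to end). The shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the page: a NAS shared secret and a
# fixed 16-byte Request Authenticator (a real NAS sends random bytes).
SECRET = b"s3cr3t-shared"
AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (what encode() has to do).

    The password is null-padded to a multiple of 16 octets (an empty password
    becomes 16 nulls). Each block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator in place
    of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password (what decode() has to do). The result
    still carries the null padding; see trim()."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out)


def trim(decoded: bytes) -> bytes:
    """Strip the trailing null padding. Caveat: a genuine password that ends in
    null bytes cannot be told apart from padding, so such passwords should be
    checked with option A instead."""
    return decoded.rstrip(b"\x00")


def matches_option_a(hidden: bytes, store_password: bytes, secret: bytes, authenticator: bytes) -> bool:
    """Option A: encode the backing-store password and compare ciphertexts."""
    expected = hide_user_password(store_password, secret, authenticator)
    return hmac.compare_digest(expected, hidden)


def matches_option_b(hidden: bytes, store_password: bytes, secret: bytes, authenticator: bytes) -> bool:
    """Option B: decode the packet's password, trim the padding, compare plaintexts."""
    revealed = trim(reveal_user_password(hidden, secret, authenticator))
    return hmac.compare_digest(revealed, store_password)


if __name__ == "__main__":
    pkt = hide_user_password(b"correct horse battery", SECRET, AUTHENTICATOR)
    print(matches_option_a(pkt, b"correct horse battery", SECRET, AUTHENTICATOR))  # True
    print(matches_option_b(pkt, b"wrong", SECRET, AUTHENTICATOR))                  # False
```

Both options give the same answer except when the stored password itself ends in null bytes, which option B's trim would strip. The example compares with hmac.compare_digest; whether the library's cmp() runs in constant time is not stated on this page.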

See Also:
AccessImpl

Field Summary
static int AUTHENTICATION_MSCHAP
          Indicator that the authentication method is MS-CHAP, value = 1.
static int AUTHENTICATION_MSCHAPV2
          Indicator that the authentication method is MS-CHAP V2, value = 2.
static int AUTHENTICATION_NEITHER
          Indicator that the authentication method is neither MS-CHAP nor MS-CHAP V2, value = 3.
static boolean NTHASH_PASSWORD
          Indicates that the MSCHAPV2 password is an NT Hash of the plain text password.
static boolean PLAINTEXT_PASSWORD
          Indicates that the MSCHAPV2 password is plain text.
 
Fields inherited from class PacketInfo
AUTH_LENGTH, AUTH_STATE_OBJECT
 
Method Summary
 boolean cmp(byte[] a, int startA, byte[] b, int startB, int length)
          Compare two byte arrays over a region.
 boolean cmpCHAP(byte[] plaintextPassword)
          Decode and compare a CHAP challenge.
 boolean cmpMSCHAP(byte[] password)
          Decode and compare an MS-CHAP or MS-CHAP 2 challenge.
 boolean cmpMSCHAP(byte[] password, boolean ntHash)
          Decode and compare an MS-CHAP or MS-CHAP 2 challenge.
 boolean cmpMSCHAPV2(byte[] ntHashPassword)
          Decode and compare an MS-CHAP 2 challenge using a NT Hash password.
 Attribute createTunnelPassword(int tag, byte[] password)
          Create a Tunnel-Password attribute.
 EAPInfo getEAP()
          Get the EAP packet information (if the EAP-Message attribute exists).
 InputStream getEAPTLSData()
          Get EAP-TLS data.
 int getEAPTLSDataLength()
          Get the length of the EAP-TLS data.
 AttributeList getState()
          Get the State attribute(s) from the incoming attributes.
 Object getStateObject()
          Get the persistent State attribute object from the request attribute list.
 Object getStateObject(byte code)
          Get the persistent State attribute object from the request attribute list.
 boolean isAccessChallengeResponse()
          Determine if this is a response to an Access-Challenge.
 boolean isAccessRequest()
          Determine if this is an answer to an Access-Request.
 void setAccessAccept()
          Indicate that the return packet is an Access-Accept.
 void setAccessChallenge()
          Indicate that the return packet is an Access-Challenge.
 void setAccessReject()
          Indicate that the return packet is an Access-Reject.
 void setMSCHAPErrorCode(String errorCode)
          Set the MS-CHAP error code (Microsoft VSA containing the MS-CHAP-Error sub-attribute).
 void setStateObject(byte code, Object o)
          Set the persistent State object and create a State attribute tracking the object.
 void setStateObject(Object o)
          Set the persistent State object and create a State attribute tracking the object.
 int testForMSCHAP()
          Return an indicator that this is MS-CHAP or MS-CHAPV2.
 
Methods inherited from class PacketInfo
addProxyTarget, appendResponseAttributes, cmp, decode, encode, fromAccountingPort, fromAuthenticationPort, getAuthenticator, getDatagram, getDecodedUserPassword, getHostRealm, getMaximumPacketSize, getMessageID, getModule, getName, getNAS, getPacketID, getPacketTypeName, getPrefix, getProxyClient, getProxyStateAttributesLength, getProxyTargetByRealm, getProxyTargets, getRADIUSServer, getRealm, getRealmInfo, getRealmList, getRequestAttributeList, getRequestAttributes, getRequestType, getRequestTypeName, getResponseAttributeList, getResponseType, getResponseTypeName, getSecret, getServerName, getSourceAddress, getSourcePort, getUserName, getUserPassword, removeProxyTarget, sendV2Trap, setResponseAttributes, setResponseAttributes, setResponseType, translateProxyId, trim
 
Methods inherited from class Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

AUTHENTICATION_MSCHAP

public static final int AUTHENTICATION_MSCHAP
Indicator that the authentication method is MS-CHAP, value = 1.

See Also:
Constant Field Values

AUTHENTICATION_MSCHAPV2

public static final int AUTHENTICATION_MSCHAPV2
Indicator that the authentication method is MS-CHAP V2, value = 2.

See Also:
Constant Field Values

AUTHENTICATION_NEITHER

public static final int AUTHENTICATION_NEITHER
Indicator that the authentication method is neither MS-CHAP nor MS-CHAP V2, value = 3.

See Also:
Constant Field Values

NTHASH_PASSWORD

public static final boolean NTHASH_PASSWORD
Indicates that the MSCHAPV2 password is an NT Hash of the plain text password.

See Also:
Constant Field Values

PLAINTEXT_PASSWORD

public static final boolean PLAINTEXT_PASSWORD
Indicates that the MSCHAPV2 password is plain text.

See Also:
Constant Field Values

Method Detail

cmp

public boolean cmp(byte[] a,
                   int startA,
                   byte[] b,
                   int startB,
                   int length)
Compare two byte arrays over a region.

Parameters:
a - Array A.
startA - The start position for comparing A.
b - Array B.
startB - The start position for comparing B.
length - Length of region.
Returns:
true if the two regions are equal byte for byte.

cmpCHAP

public boolean cmpCHAP(byte[] plaintextPassword)
Decode and compare a CHAP challenge.

Parameters:
plaintextPassword - Plain text password to compare.
Returns:
True if the CHAP response verifies against the plaintext password. Returns false if the CHAP-Password attribute is missing or the calculated response does not match.
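What cmpCHAP() has to compute, as an added Python example that is not the AXL library's code: the RFC 1994 CHAP response is MD5(Ident + password + challenge), where the challenge is the CHAP-Challenge attribute if the NAS sent one and otherwise the Request Authenticator (RFC 2865 section 5.3). The attribute dictionary, Request Authenticator and challenge below are constructed stand-ins for a parsed packet.

```python
import hashlib
import hmac
from typing import Dict, Optional

CHAP_PASSWORD = 3     # RFC 2865 attribute types
CHAP_CHALLENGE = 60

# Constructed sample values, not from the page.
AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CHALLENGE = b"\x11" * 20


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the peer's response is MD5(Ident octet + password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_request(ident: int, password: bytes, authenticator: bytes,
                       challenge: Optional[bytes] = None) -> Dict[int, bytes]:
    """Constructed stand-in for the incoming attribute list: RADIUS attribute
    type -> value. When the NAS sends no CHAP-Challenge it used the Request
    Authenticator as the challenge, so the attribute is simply omitted."""
    used = authenticator if challenge is None else challenge
    attrs = {CHAP_PASSWORD: bytes([ident]) + chap_response(ident, password, used)}
    if challenge is not None:
        attrs[CHAP_CHALLENGE] = challenge
    return attrs


def verify_chap(attrs: Dict[int, bytes], authenticator: bytes, plaintext_password: bytes) -> bool:
    """Same contract as cmpCHAP() on this page: False when CHAP-Password is
    absent or malformed, or when the recomputed response does not match."""
    chap_pw = attrs.get(CHAP_PASSWORD)
    if chap_pw is None or len(chap_pw) != 17:   # 1 Ident octet + 16-octet MD5 digest
        return False
    ident, peer_response = chap_pw[0], chap_pw[1:]
    challenge = attrs.get(CHAP_CHALLENGE, authenticator)
    expected = chap_response(ident, plaintext_password, challenge)
    return hmac.compare_digest(expected, peer_response)


if __name__ == "__main__":
    req = build_chap_request(7, b"hunter2", AUTHENTICATOR, CHALLENGE)
    print(verify_chap(req, AUTHENTICATOR, b"hunter2"))   # True
    print(verify_chap(req, AUTHENTICATOR, b"hunter3"))   # False
```

Note the operational consequence: CHAP can only be verified if the backing store holds the plain text password (or something from which it can be recovered), which is why cmpCHAP() takes a plaintextPassword argument.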

cmpMSCHAP

public boolean cmpMSCHAP(byte[] password)
                  throws AccessRejectException,
                         AccessDropException
Decode and compare an MS-CHAP or MS-CHAP 2 challenge.

Parameters:
password - Plaintext password to compare.
Returns:
true if authentication is successful. A side effect for MS-CHAP V2 is that the response attribute list will contain a Microsoft VSA carrying the MS-CHAP2-Success or MS-CHAP-Error sub-attribute.
Throws:
AccessRejectException - if the authentication failed. The Microsoft Vendor-Specific failure message is placed in the exception's attribute list.
AccessDropException - if there are any other problems.

cmpMSCHAP

public boolean cmpMSCHAP(byte[] password,
                         boolean ntHash)
                  throws AccessRejectException,
                         AccessDropException
Decode and compare an MS-CHAP or MS-CHAP 2 challenge.

Parameters:
password - Password to compare, either plain text or an NT Hash depending on ntHash.
ntHash - PLAINTEXT_PASSWORD if password is the plain text password, NTHASH_PASSWORD if it is the NT Hash of the plain text password.
Returns:
true if authentication is successful. A side effect for MS-CHAP V2 is that the response attribute list will contain a Microsoft VSA carrying the MS-CHAP2-Success or MS-CHAP-Error sub-attribute.
Throws:
AccessRejectException - if the authentication failed. The Microsoft Vendor-Specific failure message is placed in the exception's attribute list.
AccessDropException - if there are any other problems.

cmpMSCHAPV2

public boolean cmpMSCHAPV2(byte[] ntHashPassword)
                    throws AccessRejectException,
                           AccessDropException
Decode and compare an MS-CHAP 2 challenge using a NT Hash password.

Parameters:
ntHashPassword - NT Hashed Password to compare.
Returns:
true if authentication is successful. A side effect for MS-CHAP V2 is that the response attribute list will contain a Microsoft VSA carrying the MS-CHAP2-Success or MS-CHAP-Error sub-attribute.
Throws:
AccessRejectException - if the authentication failed. The Microsoft Vendor-Specific failure message is placed in the exception's attribute list.
AccessDropException - if there are any other problems.

createTunnelPassword

public Attribute createTunnelPassword(int tag,
                                      byte[] password)
Create a Tunnel-Password attribute.

Parameters:
tag - Tunnel tag.
password - Plain text password to encode. If the password is longer than 255 bytes the client will probably not decode it properly.
Since:
3.29
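The wire format createTunnelPassword() has to produce, as an added Python example that is not the AXL library's code: RFC 2868 section 3.5 Tunnel-Password is Tag, a two-octet Salt with the high bit set, and the password (prefixed by its length, null-padded to 16 octets) XORed block by block with an MD5 chain seeded by the shared secret, the Request Authenticator and the Salt. The 253-octet ceiling enforced below is the RFC 2865 single-attribute limit (a one-octet Length covering a two-octet header), not a figure from this page, which only warns that passwords over 255 bytes are unlikely to decode. Secret and authenticator are constructed sample values.

```python
import hashlib
import os
from typing import Optional, Tuple

# Constructed sample values, not from the page.
SECRET = b"s3cr3t-shared"
AUTHENTICATOR = bytes(range(16, 32))
MAX_ATTR_VALUE = 253  # RFC 2865: Length octet (max 255) includes the 2-octet header


def encode_tunnel_password(tag: int, password: bytes, secret: bytes, authenticator: bytes,
                           salt: Optional[bytes] = None) -> bytes:
    """RFC 2868 section 3.5 Tunnel-Password value: Tag | Salt(2) | encrypted
    (Data-Length octet | password | null padding to a multiple of 16).
    Block i is XORed with MD5(secret + c(i-1)); the first block uses
    MD5(secret + Request Authenticator + Salt)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("Tunnel tag must be 0 (untagged) or 1..31")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80, os.urandom(1)[0]])  # high bit must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first octet set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * ((-len(plain)) % 16)
    if 3 + len(plain) > MAX_ATTR_VALUE:
        raise ValueError("password too long for a single Tunnel-Password attribute")
    out = bytearray()
    prev = authenticator + salt
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += block
        prev = block
    return bytes([tag]) + salt + bytes(out)


def decode_tunnel_password(value: bytes, secret: bytes, authenticator: bytes) -> Tuple[int, bytes]:
    """Client-side inverse; returns (tag, password). Raises on a malformed value
    or when the Data-Length octet is implausible (wrong secret or corruption)."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("malformed Tunnel-Password value")
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    plain = bytearray()
    prev = authenticator + salt
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad Data-Length: wrong secret or corrupted attribute")
    return tag, bytes(plain[1:1 + n])


if __name__ == "__main__":
    value = encode_tunnel_password(1, b"tunnel-pw", SECRET, AUTHENTICATOR)
    print(decode_tunnel_password(value, SECRET, AUTHENTICATOR))  # (1, b'tunnel-pw')
```

Because the first key block mixes in the Salt, two attributes carrying the same password in the same packet do not produce the same ciphertext; a fixed salt is accepted here only to make results reproducible.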

getEAP

public EAPInfo getEAP()
Get the EAP packet information (if the EAP-Message attribute exists). There may be more than one packet present in a message. They are returned in the order they appeared in the RADIUS attributes.

Returns:
the EAP packet information.

getEAPTLSData

public InputStream getEAPTLSData()
Get EAP-TLS data.

Returns:
EAP-TLS Data.

getEAPTLSDataLength

public int getEAPTLSDataLength()
Get the length of the EAP-TLS data.

Returns:
Length of the EAP-TLS data.

getState

public AttributeList getState()
Get the State attribute(s) from the incoming attributes.

Returns:
data from the state attribute or null if it's not present.

getStateObject

public Object getStateObject()
Get the persistent State attribute object from the request attribute list.

This associates an object with a State attribute. The object is saved for a period of time or until explicitly removed.

This is used to associate a State attribute with some locally held information. For example the expected EAP data like the identifier, perhaps the original MD5 challenge, and the anticipated EAP type the client must send.

Note: The object is removed from the persistent session after it is collected. If the object must persist over another session it must be added again. You cannot access it more than once as it will return null on subsequent attempts.

Returns:
State related object. Return null if no State attribute found or no object is related to the State.
See Also:
RADIUSServer.setStateTTL(), setStateObject()

getStateObject

public Object getStateObject(byte code)
Get the persistent State attribute object from the request attribute list, selecting the object stored under the given code. Code values greater than 127 (which are negative when interpreted as a signed Java byte) are for general use. Positive values are reserved for AXL RADIUS server internal use.

Overrides:
getStateObject in class PacketInfo
Parameters:
code - Code for the particular type of state object to retrieve.
Returns:
State related object. Return null if no State attribute found or no object is related to the State.

isAccessChallengeResponse

public boolean isAccessChallengeResponse()
Determine if this is a response to an Access-Challenge. The presence of the State attribute is the only way to distinguish a regular Access-Request from a response to an Access-Challenge. The client MUST return the State attribute(s) unchanged.

Returns:
True if this is a response to an Access-Challenge packet.

isAccessRequest

public boolean isAccessRequest()
Determine if this is an initial Access-Request, that is, one which is not a response to an Access-Challenge (no State attribute present).

Returns:
True if this is an Access-Request that is not a response to an Access-Challenge packet.

setAccessAccept

public void setAccessAccept()
Indicate that the return packet is an Access-Accept.


setAccessChallenge

public void setAccessChallenge()
Indicate that the return packet is an Access-Challenge.


setAccessReject

public void setAccessReject()
Indicate that the return packet is an Access-Reject.


setMSCHAPErrorCode

public void setMSCHAPErrorCode(String errorCode)
Set the MS-CHAP error code (Microsoft VSA containing the MS-CHAP-Error sub-attribute). Allows setting of the MS-CHAP error code to something like "E=647 R=0" (error 647, ERROR_ACCT_DISABLED, reported for a disabled or locked-out account).

The error code can be applied after a successful authentication but before the response packet has been sent. For example the name and password are correct but the account is locked out; in this case the error code might be set to "E=647 R=0".

The error code is set with the side effect that all Microsoft VSAs are dropped from the internally maintained AuthInfo response AttributeList and only the Microsoft VSA containing the MS-CHAP-Error will be sent. The method itself returns nothing; the modified internal response list can be inspected through getResponseAttributeList() but should be treated as read-only.

A draft of RFC 2548 (Microsoft Vendor-specific RADIUS Attributes) includes the format of the error code and some typical MS-CHAP error codes. Typically the 'C' and 'V' fields are not present.

 This field contains up to 48 octets of specially formatted ASCII text, which is interpreted by the authenticating peer. The format of this field is as follows:

    "E=eeeeeeeeee R=r C=cccccccccccccccc V=vvvvvvvvvv"

 where the "eeeeeeeeee" represents an ASCII representation of a decimal error code of up to 10 digits corresponding to one of the following:

    646 ERROR_RESTRICTED_LOGON_HOURS
    647 ERROR_ACCT_DISABLED
    648 ERROR_PASSWD_EXPIRED
    649 ERROR_NO_DIALIN_PERMISSION
    691 ERROR_AUTHENTICATION_FAILURE
    709 ERROR_CHANGING_PASSWORD

 Implementations should deal with codes not on this list gracefully, however. Please note that (unlike PPP CHAP), the receipt of some of these error codes (in particular, the ERROR_PASSWD_EXPIRED code) will modify the subsequent operation of the MS-CHAP protocol. The 'r' is a retry flag (set to '1' if a retry is allowed and '0' otherwise), the "cccccccccccccccc" represents 16 hexadecimal digits ('0'-'F') specifying a new challenge value, and the "vvvvvvvvvv" is a decimal version code signifying the version of MS-CHAP supported by the server.


Parameters:
errorCode - Error code.
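A strict parser and builder for the error string format quoted above, plus the Vendor-Specific attribute it travels in, as an added Python example that is not the AXL library's code. The VSA layout (type 26, Vendor-Id 311, vendor-type 2, then an Ident octet before the text) follows RFC 2548; the Ident octet is assumed here to be supplied by the caller and must match the one in the client's MS-CHAP-Response. The parser rejects anything off-format, including quoted-printable debris such as "E=3D647", which is the kind of corruption that turns a valid code into one the peer cannot interpret.

```python
import re
import struct
from typing import Dict, Optional

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type
MICROSOFT_VENDOR_ID = 311   # RFC 2548
MS_CHAP_ERROR = 2           # RFC 2548 vendor-type for MS-CHAP-Error
MAX_TEXT_OCTETS = 48        # per the format description quoted on this page

ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "E=eeeeeeeeee R=r C=cccccccccccccccc V=vvvvvvvvvv"; R, C and V are optional.
_FORMAT = re.compile(
    r"^E=(?P<E>\d{1,10})"
    r"(?: R=(?P<R>[01]))?"
    r"(?: C=(?P<C>[0-9A-Fa-f]{16}))?"
    r"(?: V=(?P<V>\d{1,10}))?$"
)


def parse_mschap_error(text: str) -> Dict[str, object]:
    """Parse an MS-CHAP-Error string; raises ValueError on anything off-format."""
    if len(text.encode("ascii", "strict")) > MAX_TEXT_OCTETS:
        raise ValueError("MS-CHAP-Error text is limited to 48 octets")
    m = _FORMAT.match(text)
    if not m:
        raise ValueError("malformed MS-CHAP-Error: %r" % text)
    code = int(m.group("E"))
    out: Dict[str, object] = {"E": code, "name": ERROR_NAMES.get(code, "UNKNOWN")}
    if m.group("R") is not None:
        out["R"] = int(m.group("R"))
    if m.group("C") is not None:
        out["C"] = m.group("C").upper()
    if m.group("V") is not None:
        out["V"] = int(m.group("V"))
    return out


def is_valid_mschap_error(text: str) -> bool:
    try:
        parse_mschap_error(text)
        return True
    except ValueError:
        return False


def format_mschap_error(code: int, retry: bool = False, new_challenge: Optional[bytes] = None,
                        version: Optional[int] = None) -> str:
    """Build the string the way a server sets it, e.g. "E=647 R=0"."""
    parts = ["E=%d" % code, "R=%d" % int(retry)]
    if new_challenge is not None:
        if len(new_challenge) != 8:
            raise ValueError("the C field carries 16 hex digits, i.e. an 8-octet challenge")
        parts.append("C=" + new_challenge.hex().upper())
    if version is not None:
        parts.append("V=%d" % version)
    text = " ".join(parts)
    if len(text) > MAX_TEXT_OCTETS:
        raise ValueError("MS-CHAP-Error text is limited to 48 octets")
    return text


def build_ms_chap_error_vsa(ident: int, text: str) -> bytes:
    """Vendor-Specific attribute: Type | Length | Vendor-Id | Vendor-Type |
    Vendor-Length | Ident | String (RFC 2548 MS-CHAP-Error layout)."""
    payload = bytes([ident]) + parse_and_encode(text)
    sub = struct.pack("!BB", MS_CHAP_ERROR, 2 + len(payload)) + payload
    body = struct.pack("!I", MICROSOFT_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_and_encode(text: str) -> bytes:
    """Validate before putting the text on the wire."""
    parse_mschap_error(text)
    return text.encode("ascii")


if __name__ == "__main__":
    print(parse_mschap_error("E=647 R=0"))              # {'E': 647, 'name': 'ERROR_ACCT_DISABLED', 'R': 0}
    print(is_valid_mschap_error("E=3D647 R=3D0"))       # False
    print(build_ms_chap_error_vsa(5, "E=647 R=0").hex())
```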

setStateObject

public void setStateObject(byte code,
                           Object o)
Set the persistent State object and create a State attribute tracking the object.

This is used to associate a State attribute with some locally held information. For example the expected EAP data like the identifier, perhaps the original MD5 challenge, and the anticipated EAP type the client must send. Code values greater than 127 (which are negative when interpreted as a signed Java byte) are for general use. Positive values are reserved for AXL RADIUS server internal use.

Overrides:
setStateObject in class PacketInfo
Parameters:
code - Code for this object.
o - Object to persist.
See Also:
RADIUSServer.setStateTTL(), getStateObject(byte code)

setStateObject

public void setStateObject(Object o)
Set the persistent State object and create a State attribute tracking the object.

This is used to associate a State attribute with some locally held information. For example the expected EAP data like the identifier, perhaps the original MD5 challenge, and the anticipated EAP type the client must send.

Parameters:
o - Object to persist.
See Also:
RADIUSServer.setStateTTL(), getStateObject()

testForMSCHAP

public int testForMSCHAP()
Return an indicator that this is MS-CHAP or MS-CHAPV2.

Returns:
AUTHENTICATION_MSCHAP, AUTHENTICATION_MSCHAPV2, or AUTHENTICATION_NEITHER.


Copyright 1998-2008 AXL Software. PO Box 97, Viola, Delaware 19979, U.S.A. All Rights Reserved.