diff --git a/lib/pf/Switch/Aruba.pm b/lib/pf/Switch/Aruba.pm
index 83390368b9db..4b3998f5edf1 100644
--- a/lib/pf/Switch/Aruba.pm
+++ b/lib/pf/Switch/Aruba.pm
@@ -630,6 +630,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Class'} = 'root';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -650,6 +651,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Class'} = 'read-only';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Aruba/5400.pm b/lib/pf/Switch/Aruba/5400.pm
index 62987fb898a9..dcc751b93334 100644
--- a/lib/pf/Switch/Aruba/5400.pm
+++ b/lib/pf/Switch/Aruba/5400.pm
@@ -79,6 +79,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Service-Type'} = 'Administrative-User';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
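Review bot: The new Reply-Message line in returnAuthorizeWrite tests `exists $args->{'message'}` but then interpolates the value, so a caller that stores undef or a bare `$TRUE`/`$FALSE` flag under that key (radius.pm assigns `$args->{'message'} = $return` unconditionally in the hunks below) produces a reply beginning with `0 . ` or an uninitialized-value warning. Test the value rather than the key: `... if defined $args->{'message'} && length $args->{'message'};`, and have the caller store only real text. The same one-liner is repeated in the returnAuthorizeRead hunk here and in every returnAuthorizeWrite/returnAuthorizeRead hunk through Xirrus and in Template.pm's returnCliAuthorize; the VPN variants (ASA, F5, FortiGate, GenericVPN, OpenVPN) rely on the same `exists` test. Each of these subs starts before and ends after its hunk.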
@@ -99,6 +100,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Service-Type'} = 'NAS-Prompt-User';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Aruba/ArubaOS_CX_10_x.pm b/lib/pf/Switch/Aruba/ArubaOS_CX_10_x.pm
index 2bfb05d17905..39991102ebe3 100644
--- a/lib/pf/Switch/Aruba/ArubaOS_CX_10_x.pm
+++ b/lib/pf/Switch/Aruba/ArubaOS_CX_10_x.pm
@@ -85,6 +85,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Service-Type'} = 'Administrative-User';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -105,6 +106,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Service-Type'} = 'NAS-Prompt-User';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Avaya.pm b/lib/pf/Switch/Avaya.pm
index 9be5031c0384..6a39557ddaaa 100644
--- a/lib/pf/Switch/Avaya.pm
+++ b/lib/pf/Switch/Avaya.pm
@@ -652,6 +652,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Service-Type'} = '7';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
@@ -672,6 +673,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Service-Type'} = '6';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
diff --git a/lib/pf/Switch/Brocade.pm b/lib/pf/Switch/Brocade.pm
index 4acedbc5d195..c283103861a4 100644
--- a/lib/pf/Switch/Brocade.pm
+++ b/lib/pf/Switch/Brocade.pm
@@ -317,6 +317,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Foundry-Privilege-Level'} = '0';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -338,6 +339,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Foundry-Privilege-Level'} = '5';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Cisco.pm b/lib/pf/Switch/Cisco.pm
index cf4fbb46a722..ebdab0c90858 100644
--- a/lib/pf/Switch/Cisco.pm
+++ b/lib/pf/Switch/Cisco.pm
@@ -1599,6 +1599,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Cisco-AVPair'} = 'shell:priv-lvl=15';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -1620,6 +1621,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Cisco-AVPair'} = 'shell:priv-lvl=3';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Cisco/ASA.pm b/lib/pf/Switch/Cisco/ASA.pm
index 51fcfdefec79..8e133e2bf9a3 100644
--- a/lib/pf/Switch/Cisco/ASA.pm
+++ b/lib/pf/Switch/Cisco/ASA.pm
@@ -157,6 +157,7 @@ sub returnAuthorizeVPN { my $status = shift @super_reply; my %radius_reply = @super_reply; my $radius_reply_ref = \%radius_reply; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'} if exists $args->{'message'}; return [$status, %$radius_reply_ref] if($status == $RADIUS::RLM_MODULE_USERLOCK); my $role; diff --git a/lib/pf/Switch/Cisco/Cisco_WLC_AireOS.pm b/lib/pf/Switch/Cisco/Cisco_WLC_AireOS.pm index ae93a9fc7821..50754c5b146d 100644 --- a/lib/pf/Switch/Cisco/Cisco_WLC_AireOS.pm +++ b/lib/pf/Switch/Cisco/Cisco_WLC_AireOS.pm @@ -363,6 +363,7 @@ sub returnAuthorizeWrite { my $status; $radius_reply_ref->{'Service-Type'} = 'Administrative-User'; $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence"; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'}; $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access"); my $filter = pf::access_filter::radius->new; my $rule = $filter->test('returnAuthorizeWrite', $args); @@ -384,6 +385,7 @@ sub returnAuthorizeRead { my $status; $radius_reply_ref->{'Service-Type'} = 'NAS-Prompt-User'; $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence"; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'}; $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access"); my $filter = pf::access_filter::radius->new; my $rule = $filter->test('returnAuthorizeRead', $args); diff --git a/lib/pf/Switch/Dell/N1500.pm b/lib/pf/Switch/Dell/N1500.pm index 234870fd91cf..e07c60ef778a 100644 --- a/lib/pf/Switch/Dell/N1500.pm +++ b/lib/pf/Switch/Dell/N1500.pm 
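Review bot: In ASA's returnAuthorizeVPN the added assignment replaces whatever `Reply-Message` the parent call left in `%radius_reply` (the hash is unpacked from `@super_reply` two lines above), and it runs before the `$RADIUS::RLM_MODULE_USERLOCK` early return, so a lock-out reply is also rewritten with the MFA text. If the parent's message matters, prefix rather than overwrite as the CLI hunks do (`$radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".($radius_reply_ref->{'Reply-Message'} // '')` with a `defined` test), or move the line below the USERLOCK check. The sub continues outside the hunk.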
@@ -123,6 +123,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Cisco-AVPair'} = 'shell:priv-lvl=15';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -144,6 +145,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Cisco-AVPair'} = 'shell:priv-lvl=3';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Extreme.pm b/lib/pf/Switch/Extreme.pm
index c0b715e3454c..054980a8228e 100644
--- a/lib/pf/Switch/Extreme.pm
+++ b/lib/pf/Switch/Extreme.pm
@@ -1535,6 +1535,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Service-Type'} = '0';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
@@ -1555,6 +1556,7 @@ sub returnAuthorizeWrite { my $status; $radius_reply_ref->{'Service-Type'} = '6'; $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence"; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'}; $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access"); my $filter = pf::access_filter::radius->new; my $rule = $filter->test('returnAuthorizeWrite', $args); diff --git a/lib/pf/Switch/F5.pm b/lib/pf/Switch/F5.pm index 94059a2b9512..497a06001b99 100644 --- a/lib/pf/Switch/F5.pm +++ b/lib/pf/Switch/F5.pm @@ -176,6 +176,7 @@ sub returnAuthorizeVPN { my $radius_reply_ref = {}; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'} if exists $args->{'message'}; my $status; # should this node be kicked out? my $kick = $self->handleRadiusDeny($args); diff --git a/lib/pf/Switch/Fortinet/FortiGate.pm b/lib/pf/Switch/Fortinet/FortiGate.pm index da54d325c5dd..069418fd2649 100644 --- a/lib/pf/Switch/Fortinet/FortiGate.pm +++ b/lib/pf/Switch/Fortinet/FortiGate.pm @@ -271,6 +271,7 @@ sub returnAuthorizeVPN { my $radius_reply_ref = {}; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'} if exists $args->{'message'}; my $status; # should this node be kicked out? my $kick = $self->handleRadiusDeny($args); diff --git a/lib/pf/Switch/Generic.pm b/lib/pf/Switch/Generic.pm index 0c73771d168d..8152e0598b3d 100644 --- a/lib/pf/Switch/Generic.pm +++ b/lib/pf/Switch/Generic.pm 
@@ -47,6 +47,7 @@ sub returnAuthorizeWrite { my $radius_reply_ref; my $status; $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence"; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'}; $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access"); my $filter = pf::access_filter::radius->new; my $rule = $filter->test('returnAuthorizeWrite', $args); @@ -67,6 +68,7 @@ sub returnAuthorizeRead { my $radius_reply_ref; my $status; $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence"; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'}; $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access"); my $filter = pf::access_filter::radius->new; my $rule = $filter->test('returnAuthorizeRead', $args); diff --git a/lib/pf/Switch/GenericVPN.pm b/lib/pf/Switch/GenericVPN.pm index 4963c56a279b..e6868f415a62 100644 --- a/lib/pf/Switch/GenericVPN.pm +++ b/lib/pf/Switch/GenericVPN.pm @@ -78,6 +78,7 @@ sub returnAuthorizeVPN { my $radius_reply_ref = {}; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'} if exists $args->{'message'}; my $status; # should this node be kicked out? my $kick = $self->handleRadiusDeny($args); diff --git a/lib/pf/Switch/H3C.pm b/lib/pf/Switch/H3C.pm index 7bc9245dca0d..d5ccc9922831 100644 --- a/lib/pf/Switch/H3C.pm +++ b/lib/pf/Switch/H3C.pm 
@@ -200,6 +200,7 @@ sub returnAuthorizeWrite {
 my $radius_reply_ref;
 my $status;
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -220,6 +221,7 @@ sub returnAuthorizeRead {
 my $radius_reply_ref;
 my $status;
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/HP.pm b/lib/pf/Switch/HP.pm
index 41dc08abac7a..887a5f643a8b 100644
--- a/lib/pf/Switch/HP.pm
+++ b/lib/pf/Switch/HP.pm
@@ -524,6 +524,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Service-Type'} = 'Administrative-User';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -544,6 +545,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Service-Type'} = 'NAS-Prompt-User';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Juniper.pm b/lib/pf/Switch/Juniper.pm
index ed5c39595a52..a8128a25ee23 100644
--- a/lib/pf/Switch/Juniper.pm
+++ b/lib/pf/Switch/Juniper.pm
@@ -73,6 +73,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Juniper-Local-User-Name'} = 'super-user';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -93,6 +94,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Juniper-Local-User-Name'} = 'read-only';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/OpenVPN.pm b/lib/pf/Switch/OpenVPN.pm
index 0412eaa8a076..11af483f7772 100644
--- a/lib/pf/Switch/OpenVPN.pm
+++ b/lib/pf/Switch/OpenVPN.pm
@@ -98,6 +98,7 @@ sub returnAuthorizeVPN { my $radius_reply_ref = {}; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'} if exists $args->{'message'}; my $status; # should this node be kicked out? my $kick = $self->handleRadiusDeny($args); diff --git a/lib/pf/Switch/Template.pm b/lib/pf/Switch/Template.pm index aa1da4270b94..eed19a71e088 100644 --- a/lib/pf/Switch/Template.pm +++ b/lib/pf/Switch/Template.pm @@ -570,6 +570,7 @@ sub returnCliAuthorize { %radius_reply = @$attrs; } else { $radius_reply{'Reply-Message'} = "Switch $accessType access granted by PacketFence"; + $radius_reply{'Reply-Message'} = $args->{'message'}." . ".$radius_reply{'Reply-Message'} if exists $args->{'message'}; } $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with $accessType access"); diff --git a/lib/pf/Switch/Ubiquiti/EdgeSwitch.pm b/lib/pf/Switch/Ubiquiti/EdgeSwitch.pm index 92ba0387d0bb..d14c19378517 100644 --- a/lib/pf/Switch/Ubiquiti/EdgeSwitch.pm +++ b/lib/pf/Switch/Ubiquiti/EdgeSwitch.pm @@ -110,6 +110,7 @@ sub returnAuthorizeWrite { my $status; $radius_reply_ref->{'Cisco-AVPair'} = 'shell:priv-lvl=15'; $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence"; + $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'}; $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access"); my $filter = pf::access_filter::radius->new; my $rule = $filter->test('returnAuthorizeWrite', $args); 
@@ -131,6 +132,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Cisco-AVPair'} = 'shell:priv-lvl=3';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/Switch/Xirrus.pm b/lib/pf/Switch/Xirrus.pm
index bbb0344b47bf..43a58fec865a 100644
--- a/lib/pf/Switch/Xirrus.pm
+++ b/lib/pf/Switch/Xirrus.pm
@@ -299,6 +299,7 @@ sub returnAuthorizeWrite {
 my $status;
 $radius_reply_ref->{'Xirrus-Admin-Role'} = 'read-write';
 $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeWrite', $args);
@@ -320,6 +321,7 @@ sub returnAuthorizeRead {
 my $status;
 $radius_reply_ref->{'Xirrus-Admin-Role'} = 'read-only';
 $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
+ $radius_reply_ref->{'Reply-Message'} = $args->{'message'}." . ".$radius_reply_ref->{'Reply-Message'} if exists $args->{'message'};
 $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
 my $filter = pf::access_filter::radius->new;
 my $rule = $filter->test('returnAuthorizeRead', $args);
diff --git a/lib/pf/mfa/Akamai.pm b/lib/pf/mfa/Akamai.pm
index ce51e6dc6095..3c54e53ac354 100644
--- a/lib/pf/mfa/Akamai.pm
+++ b/lib/pf/mfa/Akamai.pm
@@ -113,7 +113,7 @@ our %METHOD_ALIAS =( our %METHOD_LOOKUP =( "push" => "push", - "sms" => "sms_otp", + "sms" => "text_otp", "phone" => "call_otp" ); @@ -127,28 +127,30 @@ sub check_user { my ($self, $username, $otp, $device) = @_; my $logger = get_logger(); my ($devices, $error) = $self->_get_curl("/api/v1/verify/check_user?username=$username"); - + my $message; if ($error == 1) { - $logger->error("Not able to fetch the devices"); - return $FALSE; + $message = "Not able to fetch the devices for user $username"; + $logger->error($message); + return $FALSE, $message; } if (exists($devices->{'result'}->{'policy_decision'})) { if ($devices->{'result'}->{'policy_decision'} eq "bypass") { - $logger->info("Policy decision is bypass, allow access"); - return $TRUE; + $message = "Policy decision is bypass, allow access for user $username"; + $logger->info($message); + return $TRUE, $message; } if ($devices->{'result'}->{'policy_decision'} ne "authenticate_user") { - $logger->error($devices->{'result'}->{'policy_decision'}); - return $FALSE; + $message = $devices->{'result'}->{'policy_decision'}." for user ".$username; + $logger->error($message); + return $FALSE, $message; } } - my @default_device; if (defined($device)) { - @default_device = grep { $_->{'device'} eq $device } @{$devices->{'result'}->{'devices'}}; + @default_device = grep { $_->{'device'} eq $device } @{$devices->{'result'}->{'devices'}}; } else { - @default_device = grep { $_->{'default'} eq "true" } @{$devices->{'result'}->{'devices'}}; + @default_device = $self->select_phone($devices->{'result'}->{'devices'}, $self->radius_mfa_method, undef); } if ($self->radius_mfa_method eq 'push') { 
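Review bot: The `else` branch of the device selection in check_user now calls `select_phone(..., $self->radius_mfa_method, undef)`, which filters devices on `$METHOD_LOOKUP{$method}`; when `radius_mfa_method` has no entry in `%METHOD_LOOKUP` (the totp branches that follow appear to be reached from methods other than push/sms/phone), the lookup is undef, `@default_device` comes back empty and the later `$default_device[0]->{'methods'}` / `->{'device'}` accesses dereference undef. The removed `grep { $_->{'default'} eq "true" }` fallback had no such dependency, so keep it for methods outside the table, e.g. `@default_device = exists $METHOD_LOOKUP{$self->radius_mfa_method} ? $self->select_phone($devices->{'result'}->{'devices'}, $self->radius_mfa_method, undef) : grep { $_->{'default'} eq "true" } @{$devices->{'result'}->{'devices'}};`. check_user continues past this hunk.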
@@ -162,40 +164,50 @@ sub check_user { if ( grep $_ eq 'totp', @{$default_device[0]->{'methods'}}) { return $ACTIONS{'totp'}->($self,$default_device[0]->{'device'},$username,$otp,$devices); } else { - $logger->info("Unsupported method totp on device ".$default_device[0]->{'name'}); - return $FALSE; + @default_device = $self->select_phone($devices->{'result'}->{'devices'}, 'totp', undef); + if (!@default_device) { + $message = "No totp support method on device any devices for user $username"; + $logger->info($username); + return $FALSE, $message; + } + return $ACTIONS{'totp'}->($self,$default_device[0]->{'device'},$username,$otp,$devices); } } elsif ($otp =~ /^\d{8,8}$/) { $logger->info("OTP Verification"); return $ACTIONS{'check_auth'}->($self,$default_device[0]->{'device'},$username,$otp,$devices); } elsif ($otp =~ /^(sms|push|phone)(\d?)$/i) { - my @device = $self->select_phone($devices->{'result'}->{'devices'}, $2); my $method = $1; + my @device = $self->select_phone($devices->{'result'}->{'devices'}, $method, $2); foreach my $device (@device) { if ( grep $_ =~ $METHOD_ALIAS{$method}, @{$device->{'methods'}}) { return $ACTIONS{$method}->($self,$device->{'device'},$username,$1,$devices); } else { - $logger->info("Unsupported method on device ".$device->{'name'}); - return $FALSE; + $message = "Unsupported method on device ".$device->{'name'}." 
for user ".$username; + $logger->info($message); + return $FALSE, $message; } } } else { - $logger->info("Method not supported"); - return $FALSE; + $message = "Method not supported for user $username"; + $logger->info($message); + return $FALSE, $message; } } elsif ($self->radius_mfa_method eq 'sms' || $self->radius_mfa_method eq 'phone') { - my @device = $self->select_phone($devices->{'result'}->{'devices'}, undef); + my @device = $self->select_phone($devices->{'result'}->{'devices'}, $self->radius_mfa_method, undef); foreach my $device (@device) { if ( grep $_ =~ $METHOD_ALIAS{$self->radius_mfa_method}, @{$device->{'methods'}}) { return $ACTIONS{$self->radius_mfa_method}->($self,$device->{'device'},$username,$self->radius_mfa_method); } else { - $logger->info("Unsupported method on device ".$device->{'name'}); - return $FALSE; + $message = "Unsupported method on device ".$device->{'name'}." for user ".$username; + $logger->info($message); + return $FALSE, $message; } } } else { - $logger->error("OTP is empty"); - return $FALSE; + $message = "OTP is empty for user ".$username; + $logger->error($message); + + return $FALSE, $message; } } } @@ -207,7 +219,7 @@ Select the phone to trigger the MFA =cut sub select_phone { - my ($self, $devices, $phone_id) = @_; + my ($self, $devices, $method, $phone_id) = @_; my $logger = get_logger(); my @device; if (defined($phone_id) && $phone_id ne "") { @@ -218,8 +230,7 @@ sub select_phone { # Return the n-1 phone @device = @{$devices}[$phone_id-1]; } else { - # Return the default phone - @device = grep { $_->{'default'} == 1 } @{$devices}; + @device = grep { grep { $_ eq $METHOD_LOOKUP{$method} } @{$_->{'methods'}} } @{$devices}; } return @device; } @@ -233,6 +244,7 @@ totp method sub totp { my ($self, $device, $username, $otp, $devices) = @_; my $logger = get_logger(); + my $message; my $method = "offline_otp"; if (length($otp) == 16) { $method = "bypass_code"; 
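Review bot: In the new totp fallback of check_user, `$logger->info($username);` logs the username instead of the message built on the line before; it should be `$logger->info($message);`. The message text `No totp support method on device any devices for user ...` is garbled; `"No device supports totp for user $username"` says the intended thing. Further down, `$method` is taken from a `/i` match and used unchanged as the key in `%METHOD_LOOKUP` inside the new `select_phone($devices->{'result'}->{'devices'}, $method, $2)` call, so an upper-case prefix such as `SMS1` selects no device; `my $method = lc $1;` avoids that. check_user starts before this hunk.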
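Review bot: select_phone gained a `$method` parameter but the POD above it (`Select the phone to trigger the MFA`) still describes the old form; add a sentence such as `Returns the devices whose methods include $METHOD_LOOKUP{$method}, or the $phone_id-th device when $phone_id is given.` An undef or unknown `$method` makes `$METHOD_LOOKUP{$method}` undef and the `eq` in the new grep warns once per device method, so guard before the grep with `return unless defined $method && exists $METHOD_LOOKUP{$method};`.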
@@ -241,14 +253,17 @@ sub totp { my $post_fields = encode_json({device => $device, method => { $method => {"code" => $otp} } , username => $username}); my ($auth, $error) = $self->_post_curl("/api/v1/verify/start_auth", $post_fields); if ($error) { - return $FALSE; + $message = "Error trigger $method for user $username on $device"; + return $FALSE, $message; } if ($auth->{'result'}->{'status'} eq 'allow') { - $logger->info("Authentication sucessfull on Akamai MFA"); - return $TRUE; + $message = "Authentication sucessfull on Akamai MFA for $username"; + $logger->info($message); + return $TRUE, $message; } - $logger->info("Authentication denied on Akamai MFA, reason: ". $auth->{'result'}->{'status'}->{'deny'}->{'reason'}); - return $FALSE; + $message = "Authentication denied on Akamai MFA, reason: ". $auth->{'result'}->{'status'}->{'deny'}->{'reason'}; + $logger->info($message); + return $FALSE, $message; } =head2 generic_method @@ -260,6 +275,7 @@ generic method sub generic_method { my ($self, $device, $username, $method) =@_; my $logger = get_logger(); + my $message; $logger->info("Trigger $method for user $username"); my $post_fields = encode_json({device => $device, method => $METHOD_LOOKUP{$method}, username => $username}); my ($auth, $error)= cache->compute($device.$METHOD_LOOKUP{$method}, {expires_in => normalize_time($self->cache_duration)}, sub { @@ -267,7 +283,8 @@ sub generic_method { } ); if ($error) { - return $FALSE; + $message = "Error triggering $method for user $username"; + return $FALSE, $message; } # Cache the method to fetch it on the 2nd radius request (TODO: cache expiration should be in config). if (!cache->get($username)) { @@ -279,7 +296,7 @@ sub generic_method { } # Remove the authenticated status of the user since the next radius requests will use OTP cache->remove($username." authenticated"); - return $FALSE; + return $FALSE, "Authentication rejected for user $username, expect a new request with OTP"; } =head2 push 
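Review bot: The `$error` branch of totp now builds `$message` but, unlike the other new branches in this hunk and in check_auth, never logs it, so a failed start_auth call leaves no trace; add `$logger->error($message);` before the return. The same applies to the `$error` branch added in generic_method on this line. `"Error trigger $method ..."` reads as `"Error triggering $method ..."`, the wording generic_method already uses.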
@@ -298,19 +315,19 @@ sub push { } ); if ($error) { - return + return $FALSE, "Error trigerring the push for user $username"; } my $i = 0; while($TRUE) { my ($answer, $error) = $self->_get_curl("/api/v1/verify/check_auth?tx=".$auth->{'result'}->{'tx'}); return $FALSE if $error; if ($answer->{'result'} eq 'allow') { - return $TRUE; + return $TRUE, "Push succeeded for user $username"; } sleep(5); last if ($i++ == 6); } - return $FALSE; + return $FALSE , "Push failed for user $username"; } =head2 @@ -322,15 +339,23 @@ check_auth sub check_auth { my ($self, $device, $username, $otp, $devices) = @_; my $logger = get_logger(); + my $message; if (my $infos = cache->get($username)) { my $post_fields = encode_json({tx => $infos->{'tx'}, user_input => $otp}); my ($return, $error) = $self->_get_curl("/api/v1/verify/check_auth?tx=".$infos->{'tx'}."&user_input=".$otp); - return $FALSE if $error; + if ($error) { + $message = "Error trying to verify the OTP code for user $username" + $logger->error($message); + return $FALSE, $message; + } if ($return->{'result'} eq 'allow') { - $logger->info("Authentication successfull"); - return $TRUE; + $message = "Authentication successfull for user $username"; + $logger->info($message); + return $TRUE, $message; } else { - return $FALSE; + $message = "Authentication failed for user $username"; + $logger->error($message); + return $FALSE, $message; } } else { foreach my $device (@{$devices->{'result'}->{'devices'}}) { diff --git a/lib/pf/mfa/TOTP.pm b/lib/pf/mfa/TOTP.pm index f2293f0aeb78..f70f56142c21 100644 --- a/lib/pf/mfa/TOTP.pm +++ b/lib/pf/mfa/TOTP.pm 
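Review bot: Inside the polling loop of push, `return $FALSE if $error;` still returns a single value while every other exit of push now returns `($FALSE, message)`; mfa_post_auth unpacks `($result, $message)` and places `$message` directly in `Reply-Message`, so this path produces an undef attribute. Change it to `return $FALSE, "Error checking the push status for user $username" if $error;`. Also `trigerring` → `triggering` in the new string. push starts before the hunk.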
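Review bot: The added line `$message = "Error trying to verify the OTP code for user $username"` in check_auth has no terminating semicolon, so `$logger->error($message);` on the next line is parsed as a continuation of the assignment and Akamai.pm no longer compiles; it must end with `";`. check_auth continues past the hunk.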
@@ -50,12 +50,14 @@ Get the devices of the user sub check_user { my ($self, $username, $otp, $device) = @_; my $logger = get_logger(); + my $message; if ($self->radius_mfa_method eq 'strip-otp' || $self->radius_mfa_method eq 'second-password') { if ($otp =~ /^\d{6,6}$/) { return $self->verify_otp($username, $otp); } else { - $logger->warn("Method not supported"); - return $FALSE; + $message = "Method not supported for user $username"; + $logger->warn($message); + return $FALSE, $message; } } } @@ -63,19 +65,23 @@ sub check_user { sub verify_otp { my ($self, $username, $otp) = @_; my $logger = get_logger(); + my $message; my $person = person_view($username); if (defined $person->{otp} && $person->{otp} ne '') { my $local_otp = $self->generateCurrentNumber($person->{otp}); if ($otp == $local_otp) { $self->set_mfa_success($username); - $logger->info("OTP token match"); - return $TRUE; + $message = "OTP token match for user $username"; + $logger->info($message); + return $TRUE, $message; } - $logger->info("OTP token doesnt match"); - return $FALSE; + $message = "OTP token doesnt match for user $username"; + $logger->info($message); + return $FALSE, $message; } - $logger->info("The user who try to authenticate hasn't enrolled"); - return $FALSE; + $message = "The user who try to authenticate hasn't enrolled"; + $logger->info($message); + return $FALSE, $message; } sub generateCurrentNumber { diff --git a/lib/pf/radius.pm b/lib/pf/radius.pm index b7432a09b9aa..c477773b78f6 100644 --- a/lib/pf/radius.pm +++ b/lib/pf/radius.pm @@ -913,7 +913,7 @@ sub vpn { my $return = $self->mfa_pre_auth($args, $options, $sources, $extra, $otp, $password); return $return if (ref($return) eq 'ARRAY'); - + $args->{'message'} = $return; if (defined($mac)) { Log::Log4perl::MDC->put( 'mac', $mac ); my $role_obj = new pf::role::custom(); 
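Review bot: TOTP's check_user still falls off the end when `radius_mfa_method` is neither `strip-otp` nor `second-password`, so it returns the value of the failed `if` instead of the `($result, $message)` pair that mfa_pre_auth/mfa_post_auth now unpack, and `Reply-Message` is then built from an undef `$message`. Add an explicit `return $FALSE, "Method not supported for user $username";` as the last statement of the sub. The sub's closing brace is the last line of the hunk.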
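Review bot: In verify_otp the strings `"The user who try to authenticate hasn't enrolled"` and `"OTP token doesnt match for user $username"` are now returned as `$message`, and the radius.pm hunks put that text into `Reply-Message`, so a RADIUS client that has not yet authenticated can tell whether a given account has TOTP enrolled — a distinction the previous fixed `"MFA verification failed"` did not expose. Keep the detailed wording in the `$logger->info(...)` calls and return one uniform client-facing text from both failure branches, e.g. `return $FALSE, "MFA verification failed";`. If the strings stay, `hasn't` → `has not`, `try` → `trying`, `doesnt` → `doesn't`.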
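Review bot: `$args->{'message'} = $return;` in vpn stores whatever mfa_pre_auth returned, which on the paths that produce no text (outside this hunk) can be a `$TRUE`/`$FALSE` flag or undef, and the Switch modules only check `exists $args->{'message'}` before concatenating it into Reply-Message. Assign only when it is a message: `$args->{'message'} = $return if defined $return && $return ne $TRUE && $return ne $FALSE;`. The same unconditional assignment is added in the second vpn hunk and in both cli hunks on the next line.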
@@ -979,7 +979,7 @@ sub vpn { } $return = $self->mfa_post_auth($args, $options, $sources, $source_id, $extra ,$otp, $password); return $return if (ref($return) eq 'ARRAY'); - + $args->{'message'} = $return; return $self->returnRadiusVpn($args, $options, $sources, $source_id, $extra); } @@ -994,8 +994,8 @@ sub cli { my $source_id = \@$sources; my $return = $self->mfa_pre_auth($args, $options, $sources, $extra, $otp, $password); return $return if (ref($return) eq 'ARRAY'); - - return $self->returnRadiusCli($args, $options, $sources, $source_id, $extra) if $return eq $TRUE; + $args->{'message'} = $return; + return $self->returnRadiusCli($args, $options, $sources, $source_id, $extra) if $return; if (!defined($args->{'radius_request'}->{'MS-CHAP-Challenge'}) && ( !exists($args->{'radius_request'}->{"EAP-Type"}) || ( exists($args->{'radius_request'}->{"EAP-Type"}) && $args->{'radius_request'}->{"EAP-Type"} != $EAP_TLS && $args->{'radius_request'}->{"EAP-Type"} != $MS_EAP_AUTHENTICATION ) ) ) { my $return = $self->authenticate($args, $sources, \$source_id, $extra, $otp, $password); @@ -1004,7 +1004,7 @@ sub cli { $return = $self->mfa_post_auth($args, $options, $sources, $source_id, $extra ,$otp, $password); return $return if (ref($return) eq 'ARRAY'); - + $args->{'message'} = $return; return $self->returnRadiusCli($args, $options, $sources, $source_id, $extra); } 
@@ -1081,12 +1081,14 @@ sub mfa_post_auth {
 my $cache = pf::mfa->cache;
 if (!$cache->get($args->{'radius_request'}->{'User-Name'}." authenticated")) {
 $cache->set($args->{'radius_request'}->{'User-Name'}." authenticated", $TRUE, normalize_time($mfa->cache_duration));
+ return "Authenticated, waiting for the OTP code";
 }
 } else {
- my $result = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$otp);
+ my ($result, $message) = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$otp);
 if ($result != $TRUE) {
- return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => "Multi-Factor Authentication failed or triggered") ];
+ return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => $message) ];
 }
+ return $message;
 }
 }
 }
@@ -1130,14 +1132,15 @@ sub mfa_pre_auth {
 if ($mfa->radius_mfa_method eq 'strip-otp' || $mfa->radius_mfa_method eq 'sms' || $mfa->radius_mfa_method eq 'phone') {
 # Previously did a authentication request ?
 if (my $infos = $cache->get($args->{'radius_request'}->{'User-Name'})) {
- my $result = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$password, $infos->{'device'});
+ my ($result, $message)= $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$password, $infos->{'device'});
 if ($result != $TRUE) {
- return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => "MFA verification failed") ];
+ return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => $message) ];
 } else {
 if ($caller eq "pf::radius::vpn") {
+ $args->{'message'} = $message;
 return $self->returnRadiusVpn($args, $options, $sources, $source_id, $extra);
 } else {
- return $TRUE;
+ return $message;
 }
 }
 }
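Review bot: `if ($result != $TRUE)` in mfa_post_auth now operates on a list-unpacked `$result` that is undefined or empty whenever check_user returns nothing (its non-matching method path in the first hunk falls off the end), producing an uninitialized-value warning and a reply array whose 'Reply-Message' value is undef. Make the failure path explicit and keep a default text: `if (!defined $result || $result != $TRUE) {` and `('Reply-Message' => $message // "Multi-Factor Authentication failed or triggered")`. The new `return "Authenticated, waiting for the OTP code";` also becomes the cli Reply-Message through `$args->{'message'}`, which is presumably intended but worth a one-line comment at that return. mfa_post_auth's body begins outside this hunk.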
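Review bot: `('Reply-Message' => $message)` in mfa_pre_auth replaces the fixed "MFA verification failed" text with whatever the MFA backend returned, and for the backend changed in the first hunks that text distinguishes "hasn't enrolled" from "doesnt match" and embeds the User-Name, so a RADIUS client that reaches this branch can learn whether a given account has MFA enrolled — the previous uniform reply did not leak that. Keep the detailed message for the log (check_user already logs it) and send a uniform string to the client, e.g. `('Reply-Message' => "MFA verification failed")`, or at least default it with `$message // "MFA verification failed"` so an undefined message never becomes an undef attribute. The same two patterns appear at the three sites in the following hunk at -1147. The `if ($result != $TRUE)` test here shares the undefined-`$result` weakness noted on the mfa_post_auth hunk.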
@@ -1147,26 +1150,28 @@ sub mfa_pre_auth {
 } elsif ($mfa->radius_mfa_method eq 'second-password') {
 if (my $authenticated = $cache->get($args->{'radius_request'}->{'User-Name'}." authenticated")) {
 if ($authenticated) {
- my $result = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$password);
+ my ($result, $message) = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$password);
 if ($result != $TRUE) {
- return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => "MFA verification failed")];
+ return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => $message)];
 } else {
 if ($caller eq "pf::radius::vpn") {
+ $args->{'message'} = $message;
 return $self->returnRadiusVpn($args, $options, $sources, $source_id, $extra);
 } else {
- return $TRUE;
+ return $message;
 }
 }
 } else {
 my $device = $cache->get($args->{'radius_request'}->{'User-Name'});
- my $result = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$password, $device);
+ my ($result, $message) = $mfa->check_user($args->{'radius_request'}->{'User-Name'}, $$password, $device);
 if ($result != $TRUE) {
- return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => "MFA verification failed") ];
+ return [ $RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => $message) ];
 } else {
 if ($caller eq "pf::radius::vpn") {
+ $args->{'message'} = $message;
 return $self->returnRadiusVpn($args, $options, $sources, $source_id, $extra);
 } else {
- return $TRUE;
+ return $message;
 }
 }
 }
