System / Auth / Radius - add MSCHAPv2 support using Crypt_CHAP_MSv2(). As MSCHAPv1 doesn't seem to be frequently used and we currently don't have a server setup for it either, we limit the support to v2 only.

Implemented using the examples in https://github.com/LawnGnome/php-radius/blob/master/examples/radius-auth.php, requires 818fa8e936 for CHAP.php to funciton on php 8.1
2026-03-13 08:09:41 +00:00 · 2023-06-18 17:19:45 +02:00 · 2023-06-18 17:19:45 +02:00 · 58b1ec1ea6
commit 58b1ec1ea6
parent fc93cdb0b0
2 changed files with 51 additions and 0 deletions
--- a/1
+++ b/1
@ -166,6 +166,7 @@ CORE_DEPENDS?=		ca_root_nss \
 			php${CORE_PHP}-ldap \
 			php${CORE_PHP}-pdo \
 			php${CORE_PHP}-pecl-radius \
+			php${CORE_PHP}-pear-Crypt_CHAP \
 			php${CORE_PHP}-phalcon \
 			php${CORE_PHP}-phpseclib \
 			php${CORE_PHP}-session \
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
@ -147,6 +147,31 @@ class Radius extends Base implements IAuthConnector
        }
    }

+    /**
+     * retrieve configuration options
+     * @return array
+     */
+    public function getConfigurationOptions()
+    {
+        $options = [];
+        $options['radius_protocol'] = [];
+        $options['radius_protocol']['name'] = gettext('Protocol');
+        $options['radius_protocol']['type'] = 'dropdown';
+        $options['radius_protocol']['default'] = 'PAP';
+        $options['radius_protocol']['options'] = [
+            'PAP' => 'PAP',
+            'MSCHAPv2' => 'MSCHAPv2'
+        ];
+        $options['radius_protocol']['validate'] = function ($value) {
+            if (!in_array($value, ['PAP', 'MSCHAPv2'])) {
+                return [gettext('Invalid protocol specified')];
+            } else {
+                return [];
+            }
+        };
+        return $options;
+    }
+
    /**
     * return session info
     * @return array mixed named list of authentication properties
@ -423,6 +448,31 @@ class Radius extends Base implements IAuthConnector
                        $error = radius_strerror($radius);
                    }
                    break;
+                case 'MSCHAPv2':
+                    require_once 'Crypt/CHAP.php';
+                    $crpt = new \Crypt_CHAP_MSv2;
+                    $crpt->username = $username;
+                    $crpt->password = $password;
+
+                    $resp = pack(
+                        'CCa16a8a24',
+                        $crpt->chapid,
+                        1,
+                        $crpt->peerChallenge,
+                        str_repeat("\0", 8),
+                        $crpt->challengeResponse()
+                    );
+
+                    if (!radius_put_vendor_attr(
+                        $radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $crpt->authChallenge
+                    )) {
+                        $error = radius_strerror($radius);
+                    } elseif (!radius_put_vendor_attr(
+                        $radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp
+                    )) {
+                        $error = radius_strerror($radius);
+                    }
+                    break;
                default:
                    syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
                    return false;