diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index ea4d8cc2ba6..3eab9e8c6c7 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -1619,10 +1619,9 @@ function captiveportal_authenticate_user(&$login = '', &$password = '', $clientm
 $msg = null;
 /* Radius MAC authentication */
- if ($cpcfg['auth_method'] === 'radmac' && $clientmac) {
+ if ($context === 'radmac' && $clientmac) {
 if ($authcfg['type'] === 'radius') {
 $login = mac_format($clientmac);
- $password = $cpcfg['radmac_secret'];
 $status = "MACHINE LOGIN";
 } else {
 /* Trying to perform a Radius MAC authentication on a non-radius server - shouldn't happen! - bail out */
@@ -1650,6 +1649,9 @@ function captiveportal_authenticate_user(&$login = '', &$password = '', $clientm
 $msg = gettext("Access Denied");
 }
 }
+ if ($context === 'radmac' && $result === null && empty($attributes['reply_message'])) {
+ $msg = gettext("RADIUS MAC Authentication Failed.");
+ }
 if (empty($status)) {
 if ($result === true) {
@@ -1661,7 +1663,7 @@ function captiveportal_authenticate_user(&$login = '', &$password = '', $clientm
 }
 }
- if ($cpcfg['auth_method'] === 'radmac' && $login == mac_format($clientmac) || $authcfg['type'] === 'none' && empty($login)) {
+ if ($context === 'radmac' && $login == mac_format($clientmac) || $authcfg['type'] === 'none' && empty($login)) {
 $login = "unauthenticated";
 }
 // We determine a flag
diff --git a/src/usr/local/captiveportal/index.php b/src/usr/local/captiveportal/index.php
index 68da018ad7e..85863196845 100644
--- a/src/usr/local/captiveportal/index.php
+++ b/src/usr/local/captiveportal/index.php
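Review bot: With `$password = $cpcfg['radmac_secret'];` removed from the radmac branch of captiveportal_authenticate_user (hunk at 1619), the function no longer supplies the shared secret itself and forwards whatever `$password` the caller passed. The index.php change in this commit sets it, but any other caller that passes `$context = 'radmac'` without the secret (none is visible in this diff) would submit the MAC with an arbitrary password value. A comment on the branch would make the contract explicit, for example `/* radmac: the caller must pass $cpcfg['radmac_secret'] as $password */`. The function begins and ends outside the hunk, so the `$context` parameter and the later use of `$password` cannot be checked from here.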
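Review bot: The rewritten condition in captiveportal_authenticate_user (hunk at 1663) still mixes `&&` and `||` without parentheses and compares `$login` with the formatted MAC using `==`. Operator precedence gives the intended grouping, but explicit parentheses are easier to audit in an authentication path: `if (($context === 'radmac' && $login == mac_format($clientmac)) || ($authcfg['type'] === 'none' && empty($login))) {`. Whether the comparison can be tightened to `===` depends on what mac_format() returns, which is outside the hunk.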
@@ -184,7 +184,11 @@
 } elseif ($_POST['accept'] || $cpcfg['auth_method'] === 'radmac') {
- if (!empty($_POST['auth_user2'])) {
+ if ($cpcfg['auth_method'] === 'radmac' && !isset($_POST['accept'])) {
+ $user = $clientmac;
+ $passwd = $cpcfg['radmac_secret'];
+ $context = 'radmac'; // Radius MAC authentication
+ } elseif (!empty($_POST['auth_user2'])) {
 $user = $_POST['auth_user2'];
 $passwd = $_POST['auth_pass2'];
 $context = 'second'; // Assume users to use the first context if auth_user2 is empty/does not exist
@@ -232,11 +236,9 @@
 captiveportal_logportalauth($user, $clientmac, $clientip, $auth_result['login_status'], $replymsg);
- /*Radius MAC authentication. */
- if ($cpcfg['auth_method'] === 'radmac' && $type !== 'redir') {
- echo gettext("RADIUS MAC Authentication Failed.");
- ob_flush();
- exit();
+ /* Radius MAC authentication. */
+ if ($context === 'radmac' && $type !== 'redir' && !isset($cpcfg['radmac_fallback'])) {
+ echo $replymsg;
 } else {
 portal_reply_page($redirurl, $type, $replymsg);
 }
diff --git a/src/usr/local/www/services_captiveportal.php b/src/usr/local/www/services_captiveportal.php
index a9c3e719ddd..3b82e18f4ea 100644
--- a/src/usr/local/www/services_captiveportal.php
+++ b/src/usr/local/www/services_captiveportal.php
@@ -158,6 +158,7 @@
 $pconfig['radacct_server'] = $a_cp[$cpzone]['radacct_server'];
 $pconfig['radacct_enable'] = isset($a_cp[$cpzone]['radacct_enable']);
 $pconfig['radmac_secret'] = $a_cp[$cpzone]['radmac_secret'];
+ $pconfig['radmac_fallback'] = isset($a_cp[$cpzone]['radmac_fallback']);
 $pconfig['reauthenticate'] = isset($a_cp[$cpzone]['reauthenticate']);
 $pconfig['reauthenticateacct'] = $a_cp[$cpzone]['reauthenticateacct'];
 $pconfig['httpslogin_enable'] = isset($a_cp[$cpzone]['httpslogin']);
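Review bot: The new radmac branch in captiveportal/index.php (hunk at 184) is taken only when `accept` is absent from the POST, and nothing in the hunk ties the other branches to `radmac_fallback`. On a radmac zone a request that carries `accept` therefore falls through to the `auth_user2` and first-context branches and has its submitted credentials checked, even with the fallback option off. If MAC-only zones are meant to refuse interactive logins in that case, the first condition could read `if ($cpcfg['auth_method'] === 'radmac' && (!isset($_POST['accept']) || !isset($cpcfg['radmac_fallback']))) {`. How the remaining branches pick the authentication server for a radmac zone is outside the hunk, so this should be confirmed against the full file.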
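Review bot: `echo $replymsg;` in captiveportal/index.php (hunk at 236) writes the message into the response without HTML escaping, where the removed code echoed a fixed gettext string. The assignment of `$replymsg` is outside the hunk, but the captiveportal.inc change in this commit suggests it can carry the RADIUS `reply_message` attribute, so it should be escaped on output: `echo htmlspecialchars($replymsg);`. The removed `ob_flush(); exit();` also means execution now continues past this branch, and whether later code should still be skipped after a failed MAC authentication is not visible here.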
@@ -361,6 +362,7 @@
 $newcp['radacct_enable'] = $_POST['radacct_enable'] ? true : false;
 $newcp['reauthenticate'] = $_POST['reauthenticate'] ? true : false;
 $newcp['radmac_secret'] = $_POST['radmac_secret'] ? $_POST['radmac_secret'] : false;
+ $newcp['radmac_fallback'] = $_POST['radmac_fallback'] ? true : false;
 $newcp['reauthenticateacct'] = $_POST['reauthenticateacct'];
 if ($_POST['httpslogin_enable']) {
 $newcp['httpslogin'] = true;
@@ -955,6 +957,13 @@ function build_authserver_list() {
 $pconfig['radmac_secret']
 ))->setHelp('RADIUS MAC will automatically try to authenticate devices with their MAC address as username, and the password entered below as password. Devices will still need to make one HTTP request to get connected, throught.');
+$section->addInput(new Form_Checkbox(
+ 'radmac_fallback',
+ 'Login page Fallback',
+ 'Display the login page as fallback if RADIUS MAC authentication failed.',
+ $pconfig['radmac_fallback']
+))->setHelp('When enabled, users will be redirected to the captive portal login page when RADIUS MAC authentication failed.');
+
 $section->addInput(new Form_Checkbox(
 'radiussession_timeout',
 'Session timeout',
@@ -1230,6 +1239,7 @@ function triggerChangesAuthMethod() {
 hideCheckbox('reauthenticate', false);
 hideClass('auth_server', false);
 hideInput('radmac_secret', true);
+ hideCheckbox('radmac_fallback', true);
 $('.auth_server .vouchers_helptext').removeClass('hidden');
 } else if(auth_method.indexOf("radmac") === 0) {
@@ -1244,6 +1254,7 @@ function triggerChangesAuthMethod() {
 hideCheckbox('reauthenticate', false);
 hideClass('auth_server', false);
 hideInput('radmac_secret', false);
+ hideCheckbox('radmac_fallback', false);
 $('.auth_server .vouchers_helptext').addClass('hidden');
 } else { // if "none" is selected : we hide most of authentication settings
@@ -1251,6 +1262,7 @@ function triggerChangesAuthMethod() {
 hideCheckbox('reauthenticate', true);
 hideClass('auth_server', true);
 hideInput('radmac_secret', true);
+ hideCheckbox('radmac_fallback', true);
 }