Gitiles
Code Review Sign In
gerrit.opencord.org / aaa / 508cec5853523bda5c5f33d03727f5db1ec4a24e / . / src / main / java / org / onosproject / aaa / AaaManager.java
blob: 9bd65a098efb7421fc5a70dc081196ff53f58c90 [file] [log] [blame]
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]1/*
2 * Copyright 2015 AT&T Foundry
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16package org.onosproject.aaa;
17
Ray Milkey508cec52016-02-16 14:23:26 -0800[diff] [blame^]18import java.io.IOException;
19import java.net.DatagramPacket;
20import java.net.DatagramSocket;
21import java.net.InetAddress;
22import java.nio.ByteBuffer;
23import java.util.concurrent.ExecutorService;
24import java.util.concurrent.Executors;
25
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]26import org.apache.felix.scr.annotations.Activate;
27import org.apache.felix.scr.annotations.Component;
28import org.apache.felix.scr.annotations.Deactivate;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]29import org.apache.felix.scr.annotations.Reference;
30import org.apache.felix.scr.annotations.ReferenceCardinality;
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]31import org.onlab.packet.DeserializationException;
32import org.onlab.packet.EAP;
33import org.onlab.packet.EAPOL;
34import org.onlab.packet.EthType;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]35import org.onlab.packet.Ethernet;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]36import org.onlab.packet.MacAddress;
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]37import org.onlab.packet.RADIUS;
38import org.onlab.packet.RADIUSAttribute;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]39import org.onosproject.core.ApplicationId;
40import org.onosproject.core.CoreService;
41import org.onosproject.net.ConnectPoint;
42import org.onosproject.net.DeviceId;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]43import org.onosproject.net.PortNumber;
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]44import org.onosproject.net.config.ConfigFactory;
45import org.onosproject.net.config.NetworkConfigEvent;
46import org.onosproject.net.config.NetworkConfigListener;
47import org.onosproject.net.config.NetworkConfigRegistry;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]48import org.onosproject.net.flow.DefaultTrafficSelector;
49import org.onosproject.net.flow.DefaultTrafficTreatment;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]50import org.onosproject.net.flow.TrafficSelector;
51import org.onosproject.net.flow.TrafficTreatment;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]52import org.onosproject.net.packet.DefaultOutboundPacket;
53import org.onosproject.net.packet.InboundPacket;
54import org.onosproject.net.packet.OutboundPacket;
55import org.onosproject.net.packet.PacketContext;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]56import org.onosproject.net.packet.PacketProcessor;
57import org.onosproject.net.packet.PacketService;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]58import org.slf4j.Logger;
59
Ray Milkey508cec52016-02-16 14:23:26 -0800[diff] [blame^]60import com.google.common.util.concurrent.ThreadFactoryBuilder;
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]61
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]62import static org.onosproject.net.config.basics.SubjectFactories.APP_SUBJECT_FACTORY;
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]63import static org.onosproject.net.packet.PacketPriority.CONTROL;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]64import static org.slf4j.LoggerFactory.getLogger;
65
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]66/**
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]67 * AAA application for ONOS.
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]68 */
69@Component(immediate = true)
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]70public class AaaManager {
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]71
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]72 // for verbose output
73 private final Logger log = getLogger(getClass());
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]74
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]75 // a list of our dependencies :
76 // to register with ONOS as an application - described next
77 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
78 protected CoreService coreService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]79
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]80 // to receive Packet-in events that we'll respond to
81 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
82 protected PacketService packetService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]83
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]84 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]85 protected NetworkConfigRegistry netCfgService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]86
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]87 // Parsed RADIUS server addresses
88 protected InetAddress radiusIpAddress;
89 protected String radiusMacAddress;
90
91 // NAS IP address
92 protected InetAddress nasIpAddress;
93 protected String nasMacAddress;
94
95 // RADIUS server secret
96 protected String radiusSecret;
97
98 // ID of RADIUS switch
99 protected String radiusSwitch;
100
101 // RADIUS port number
102 protected long radiusPort;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]103
Ray Milkey5d99bd12015-10-06 15:41:30 -0700[diff] [blame]104 // RADIUS server TCP port number
105 protected short radiusServerPort;
106
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]107 // our application-specific event handler
108 private ReactivePacketProcessor processor = new ReactivePacketProcessor();
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]109
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]110 // our unique identifier
111 private ApplicationId appId;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]112
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]113 // Socket used for UDP communications with RADIUS server
114 private DatagramSocket radiusSocket;
115
116 // Executor for RADIUS communication thread
117 private ExecutorService executor;
118
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]119 // Configuration properties factory
120 private final ConfigFactory factory =
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]121 new ConfigFactory<ApplicationId, AaaConfig>(APP_SUBJECT_FACTORY,
122 AaaConfig.class,
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]123 "AAA") {
124 @Override
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]125 public AaaConfig createConfig() {
126 return new AaaConfig();
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]127 }
128 };
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]129
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]130 // Listener for config changes
131 private final InternalConfigListener cfgListener = new InternalConfigListener();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]132
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]133 /**
134 * Builds an EAPOL packet based on the given parameters.
135 *
136 * @param dstMac destination MAC address
137 * @param srcMac source MAC address
138 * @param vlan vlan identifier
139 * @param eapolType EAPOL type
140 * @param eap EAP payload
141 * @return Ethernet frame
142 */
143 private static Ethernet buildEapolResponse(MacAddress dstMac, MacAddress srcMac,
144 short vlan, byte eapolType, EAP eap) {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]145
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]146 Ethernet eth = new Ethernet();
147 eth.setDestinationMACAddress(dstMac.toBytes());
148 eth.setSourceMACAddress(srcMac.toBytes());
149 eth.setEtherType(EthType.EtherType.EAPOL.ethType().toShort());
150 if (vlan != Ethernet.VLAN_UNTAGGED) {
151 eth.setVlanID(vlan);
152 }
153 //eapol header
154 EAPOL eapol = new EAPOL();
155 eapol.setEapolType(eapolType);
156 eapol.setPacketLength(eap.getLength());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]157
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]158 //eap part
159 eapol.setPayload(eap);
160
161 eth.setPayload(eapol);
162 eth.setPad(true);
163 return eth;
164 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]165
Ray Milkeyfe4fe562016-01-05 13:14:43 -0800[diff] [blame]166 private void initializeLocalState() {
167 try {
168 radiusSocket = new DatagramSocket(radiusServerPort);
169 } catch (Exception ex) {
170 log.error("Can't open RADIUS socket", ex);
171 }
172
173 executor = Executors.newSingleThreadExecutor(
174 new ThreadFactoryBuilder()
175 .setNameFormat("AAA-radius-%d").build());
176 executor.execute(radiusListener);
177 }
178
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]179 @Activate
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]180 public void activate() {
181 netCfgService.addListener(cfgListener);
182 netCfgService.registerConfigFactory(factory);
183
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]184 // "org.onosproject.aaa" is the FQDN of our app
185 appId = coreService.registerApplication("org.onosproject.aaa");
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]186
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]187 cfgListener.reconfigureNetwork(netCfgService.getConfig(appId, AaaConfig.class));
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]188
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]189 // register our event handler
Brian O'Connord9c7da02015-07-29 17:49:24 -0700[diff] [blame]190 packetService.addProcessor(processor, PacketProcessor.director(2));
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]191 requestIntercepts();
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]192
193 StateMachine.initializeMaps();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]194
Ray Milkeyfe4fe562016-01-05 13:14:43 -0800[diff] [blame]195 initializeLocalState();
Jian Li13c67162015-12-09 13:20:34 -0800[diff] [blame]196 log.info("Started");
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]197 }
198
199 @Deactivate
200 public void deactivate() {
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]201 withdrawIntercepts();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]202 // de-register and null our handler
203 packetService.removeProcessor(processor);
204 processor = null;
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]205 StateMachine.destroyMaps();
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]206 radiusSocket.close();
207 executor.shutdownNow();
Jian Li13c67162015-12-09 13:20:34 -0800[diff] [blame]208 log.info("Stopped");
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]209 }
210
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]211 protected void sendRadiusPacket(RADIUS radiusPacket) {
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]212
213 try {
214 final byte[] data = radiusPacket.serialize();
215 final DatagramSocket socket = radiusSocket;
216
217 DatagramPacket packet =
218 new DatagramPacket(data, data.length,
219 radiusIpAddress, radiusServerPort);
220
221 socket.send(packet);
222 } catch (IOException e) {
223 log.info("Cannot send packet to RADIUS server", e);
224 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]225 }
226
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]227 /**
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]228 * Request packet in via PacketService.
229 */
230 private void requestIntercepts() {
231 TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
232 selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort());
233 packetService.requestPackets(selector.build(),
234 CONTROL, appId);
235 }
236
237 /**
238 * Cancel request for packet in via PacketService.
239 */
240 private void withdrawIntercepts() {
241 TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
242 selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort());
243 packetService.cancelPackets(selector.build(), CONTROL, appId);
244 }
245
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]246 /**
247 * Send the ethernet packet to the supplicant.
248 *
249 * @param ethernetPkt the ethernet packet
250 * @param connectPoint the connect point to send out
251 */
252 private void sendPacketToSupplicant(Ethernet ethernetPkt, ConnectPoint connectPoint) {
253 TrafficTreatment treatment = DefaultTrafficTreatment.builder().setOutput(connectPoint.port()).build();
254 OutboundPacket packet = new DefaultOutboundPacket(connectPoint.deviceId(),
255 treatment, ByteBuffer.wrap(ethernetPkt.serialize()));
256 packetService.emit(packet);
257 }
258
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]259 // our handler defined as a private inner class
260
261 /**
262 * Packet processor responsible for forwarding packets along their paths.
263 */
264 private class ReactivePacketProcessor implements PacketProcessor {
265 @Override
266 public void process(PacketContext context) {
267
268 // Extract the original Ethernet frame from the packet information
269 InboundPacket pkt = context.inPacket();
270 Ethernet ethPkt = pkt.parsed();
271 if (ethPkt == null) {
272 return;
273 }
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]274 try {
275 // identify if incoming packet comes from supplicant (EAP) or RADIUS
276 switch (EthType.EtherType.lookup(ethPkt.getEtherType())) {
277 case EAPOL:
278 handleSupplicantPacket(context.inPacket());
279 break;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]280 default:
281 log.trace("Skipping Ethernet packet type {}",
282 EthType.EtherType.lookup(ethPkt.getEtherType()));
283 }
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]284 } catch (StateMachineException e) {
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]285 log.warn("Unable to process RADIUS packet:", e);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]286 }
287 }
288
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]289 /**
290 * Creates and initializes common fields of a RADIUS packet.
291 *
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]292 * @param stateMachine state machine for the request
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]293 * @param eapPacket EAP packet
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]294 * @return RADIUS packet
295 */
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]296 private RADIUS getRadiusPayload(StateMachine stateMachine, byte identifier, EAP eapPacket) {
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]297 RADIUS radiusPayload =
298 new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
299 eapPacket.getIdentifier());
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]300
301 // set Request Authenticator in StateMachine
302 stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
303
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]304 radiusPayload.setIdentifier(identifier);
305 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]306 stateMachine.username());
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]307
308 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]309 AaaManager.this.nasIpAddress.getAddress());
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]310
311 radiusPayload.encapsulateMessage(eapPacket);
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]312
313 return radiusPayload;
314 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]315
316 /**
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]317 * Handles PAE packets (supplicant).
318 *
319 * @param inPacket Ethernet packet coming from the supplicant
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]320 */
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]321 private void handleSupplicantPacket(InboundPacket inPacket) throws StateMachineException {
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]322 Ethernet ethPkt = inPacket.parsed();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]323 // Where does it come from?
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]324 MacAddress srcMac = ethPkt.getSourceMAC();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]325
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]326 DeviceId deviceId = inPacket.receivedFrom().deviceId();
327 PortNumber portNumber = inPacket.receivedFrom().port();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]328 String sessionId = deviceId.toString() + portNumber.toString();
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]329 StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(sessionId);
330 if (stateMachine == null) {
Ray Milkey508cec52016-02-16 14:23:26 -0800[diff] [blame^]331 stateMachine = new StateMachine(sessionId);
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]332 }
333
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]334
335 EAPOL eapol = (EAPOL) ethPkt.getPayload();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]336
337 switch (eapol.getEapolType()) {
338 case EAPOL.EAPOL_START:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]339 stateMachine.start();
340 stateMachine.setSupplicantConnectpoint(inPacket.receivedFrom());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]341
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]342 //send an EAP Request/Identify to the supplicant
343 EAP eapPayload = new EAP(EAP.REQUEST, stateMachine.identifier(), EAP.ATTR_IDENTITY, null);
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]344 Ethernet eth = buildEapolResponse(srcMac, MacAddress.valueOf(nasMacAddress),
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]345 ethPkt.getVlanID(), EAPOL.EAPOL_PACKET,
346 eapPayload);
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]347 stateMachine.setSupplicantAddress(srcMac);
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]348 stateMachine.setVlanId(ethPkt.getVlanID());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]349
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]350 sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]351
352 break;
Qianqian Hub55a1ac2015-12-23 20:44:48 +0800[diff] [blame]353 case EAPOL.EAPOL_LOGOFF:
Ray Milkeyb34b4962016-01-04 10:24:43 -0800[diff] [blame]354 if (stateMachine.state() == StateMachine.STATE_AUTHORIZED) {
355 stateMachine.logoff();
Qianqian Hub55a1ac2015-12-23 20:44:48 +0800[diff] [blame]356 }
357
358 break;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]359 case EAPOL.EAPOL_PACKET:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]360 RADIUS radiusPayload;
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]361 // check if this is a Response/Identify or a Response/TLS
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]362 EAP eapPacket = (EAP) eapol.getPayload();
363
364 byte dataType = eapPacket.getDataType();
365 switch (dataType) {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]366
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]367 case EAP.ATTR_IDENTITY:
368 // request id access to RADIUS
369 stateMachine.setUsername(eapPacket.getData());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]370
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]371 radiusPayload = getRadiusPayload(stateMachine, stateMachine.identifier(), eapPacket);
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]372 radiusPayload.addMessageAuthenticator(AaaManager.this.radiusSecret);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]373
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]374 sendRadiusPacket(radiusPayload);
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]375
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]376 // change the state to "PENDING"
377 stateMachine.requestAccess();
378 break;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]379 case EAP.ATTR_MD5:
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]380 // verify if the EAP identifier corresponds to the
381 // challenge identifier from the client state
382 // machine.
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]383 if (eapPacket.getIdentifier() == stateMachine.challengeIdentifier()) {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]384 //send the RADIUS challenge response
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]385 radiusPayload =
386 getRadiusPayload(stateMachine,
387 stateMachine.identifier(),
388 eapPacket);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]389
Qianqian Hub55a1ac2015-12-23 20:44:48 +0800[diff] [blame]390 if (stateMachine.challengeState() != null) {
391 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
392 stateMachine.challengeState());
393 }
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]394 radiusPayload.addMessageAuthenticator(AaaManager.this.radiusSecret);
395 sendRadiusPacket(radiusPayload);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]396 }
397 break;
398 case EAP.ATTR_TLS:
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]399 // request id access to RADIUS
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]400 radiusPayload = getRadiusPayload(stateMachine, stateMachine.identifier(), eapPacket);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]401
Qianqian Hub55a1ac2015-12-23 20:44:48 +0800[diff] [blame]402 if (stateMachine.challengeState() != null) {
403 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
404 stateMachine.challengeState());
405 }
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]406 stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]407
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]408 radiusPayload.addMessageAuthenticator(AaaManager.this.radiusSecret);
409 sendRadiusPacket(radiusPayload);
Ray Milkey5493b512015-10-21 12:13:49 -0700[diff] [blame]410
Ray Milkeyf3790b82015-10-21 16:28:08 -0700[diff] [blame]411 if (stateMachine.state() != StateMachine.STATE_PENDING) {
412 stateMachine.requestAccess();
413 }
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]414
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]415 break;
416 default:
417 return;
418 }
419 break;
420 default:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]421 log.trace("Skipping EAPOL message {}", eapol.getEapolType());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]422 }
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]423
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]424 }
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]425 }
426
427 class RadiusListener implements Runnable {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]428
429 /**
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]430 * Handles RADIUS packets.
431 *
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]432 * @param radiusPacket RADIUS packet coming from the RADIUS server.
Ray Milkey17d6c492015-10-27 10:39:42 -0700[diff] [blame]433 * @throws StateMachineException if an illegal state transition is triggered
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]434 */
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]435 protected void handleRadiusPacket(RADIUS radiusPacket) throws StateMachineException {
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]436 StateMachine stateMachine = StateMachine.lookupStateMachineById(radiusPacket.getIdentifier());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]437 if (stateMachine == null) {
438 log.error("Invalid session identifier, exiting...");
439 return;
440 }
441
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]442 EAP eapPayload;
443 Ethernet eth;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]444 switch (radiusPacket.getCode()) {
445 case RADIUS.RADIUS_CODE_ACCESS_CHALLENGE:
Qianqian Hub55a1ac2015-12-23 20:44:48 +0800[diff] [blame]446 RADIUSAttribute radiusAttrState = radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_STATE);
447 byte[] challengeState = null;
448 if (radiusAttrState != null) {
449 challengeState = radiusAttrState.getValue();
450 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]451 eapPayload = radiusPacket.decapsulateMessage();
452 stateMachine.setChallengeInfo(eapPayload.getIdentifier(), challengeState);
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]453 eth = buildEapolResponse(stateMachine.supplicantAddress(),
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]454 MacAddress.valueOf(nasMacAddress),
455 stateMachine.vlanId(),
456 EAPOL.EAPOL_PACKET,
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]457 eapPayload);
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]458 sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]459 break;
460 case RADIUS.RADIUS_CODE_ACCESS_ACCEPT:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]461 //send an EAPOL - Success to the supplicant.
462 byte[] eapMessage =
463 radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE).getValue();
464 eapPayload = new EAP();
465 eapPayload = (EAP) eapPayload.deserialize(eapMessage, 0, eapMessage.length);
466 eth = buildEapolResponse(stateMachine.supplicantAddress(),
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]467 MacAddress.valueOf(nasMacAddress),
468 stateMachine.vlanId(),
469 EAPOL.EAPOL_PACKET,
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]470 eapPayload);
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]471 sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]472
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]473 stateMachine.authorizeAccess();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]474 break;
475 case RADIUS.RADIUS_CODE_ACCESS_REJECT:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]476 stateMachine.denyAccess();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]477 break;
478 default:
479 log.warn("Unknown RADIUS message received with code: {}", radiusPacket.getCode());
480 }
481 }
482
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]483
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]484 @Override
485 public void run() {
486 boolean done = false;
487 int packetNumber = 1;
488
489 log.info("UDP listener thread starting up");
490 RADIUS inboundRadiusPacket;
491 while (!done) {
492 try {
Ray Milkey5493b512015-10-21 12:13:49 -0700[diff] [blame]493 byte[] packetBuffer = new byte[RADIUS.RADIUS_MAX_LENGTH];
494 DatagramPacket inboundBasePacket =
495 new DatagramPacket(packetBuffer, packetBuffer.length);
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]496 DatagramSocket socket = radiusSocket;
497 socket.receive(inboundBasePacket);
498 log.info("Packet #{} received", packetNumber++);
499 try {
500 inboundRadiusPacket =
501 RADIUS.deserializer()
502 .deserialize(inboundBasePacket.getData(),
503 0,
504 inboundBasePacket.getLength());
505 handleRadiusPacket(inboundRadiusPacket);
506 } catch (DeserializationException dex) {
507 log.error("Cannot deserialize packet", dex);
508 } catch (StateMachineException sme) {
509 log.error("Illegal state machine operation", sme);
510 }
511
512 } catch (IOException e) {
513 log.info("Socket was closed, exiting listener thread");
514 done = true;
515 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]516 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]517 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]518 }
519
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame]520 RadiusListener radiusListener = new RadiusListener();
521
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]522 private class InternalConfigListener implements NetworkConfigListener {
523
524 /**
Ray Milkeyc9e8dcc2015-12-30 10:31:32 -0800[diff] [blame]525 * Reconfigures the AAA application according to the
526 * configuration parameters passed.
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]527 *
528 * @param cfg configuration object
529 */
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]530 private void reconfigureNetwork(AaaConfig cfg) {
531 AaaConfig newCfg;
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]532 if (cfg == null) {
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]533 newCfg = new AaaConfig();
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]534 } else {
535 newCfg = cfg;
536 }
537 if (newCfg.nasIp() != null) {
538 nasIpAddress = newCfg.nasIp();
539 }
540 if (newCfg.radiusIp() != null) {
541 radiusIpAddress = newCfg.radiusIp();
542 }
543 if (newCfg.radiusMac() != null) {
544 radiusMacAddress = newCfg.radiusMac();
545 }
546 if (newCfg.nasMac() != null) {
547 nasMacAddress = newCfg.nasMac();
548 }
549 if (newCfg.radiusSecret() != null) {
550 radiusSecret = newCfg.radiusSecret();
551 }
552 if (newCfg.radiusSwitch() != null) {
553 radiusSwitch = newCfg.radiusSwitch();
554 }
555 if (newCfg.radiusPort() != -1) {
556 radiusPort = newCfg.radiusPort();
557 }
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]558 if (newCfg.radiusServerUdpPort() != -1) {
559 radiusServerPort = newCfg.radiusServerUdpPort();
Ray Milkey5d99bd12015-10-06 15:41:30 -0700[diff] [blame]560 }
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]561 }
562
563 @Override
564 public void event(NetworkConfigEvent event) {
565
566 if ((event.type() == NetworkConfigEvent.Type.CONFIG_ADDED ||
567 event.type() == NetworkConfigEvent.Type.CONFIG_UPDATED) &&
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]568 event.configClass().equals(AaaConfig.class)) {
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]569
Jonathan Hart092dfb22015-11-16 23:05:21 -0800[diff] [blame]570 AaaConfig cfg = netCfgService.getConfig(appId, AaaConfig.class);
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]571 reconfigureNetwork(cfg);
Ray Milkeyfe4fe562016-01-05 13:14:43 -0800[diff] [blame]572 radiusSocket.close();
573 executor.shutdownNow();
574 initializeLocalState();
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]575 log.info("Reconfigured");
576 }
577 }
578 }
579
580
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]581}