Gitiles
Code Review Sign In
gerrit.opencord.org / aaa / 967776aaf0cf6b15ef70e6e88b3be3d407529f2e / . / src / main / java / org / onosproject / aaa / AAA.java
blob: caa98004e08d14c693913ba904f495eee7ddc572 [file] [log] [blame]
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]1/*
2 * Copyright 2015 AT&T Foundry
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16package org.onosproject.aaa;
17
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]18import java.io.IOException;
19import java.net.DatagramPacket;
20import java.net.DatagramSocket;
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]21import java.net.InetAddress;
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]22import java.nio.ByteBuffer;
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]23import java.util.concurrent.ExecutorService;
24import java.util.concurrent.Executors;
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]25
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]26import org.apache.felix.scr.annotations.Activate;
27import org.apache.felix.scr.annotations.Component;
28import org.apache.felix.scr.annotations.Deactivate;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]29import org.apache.felix.scr.annotations.Reference;
30import org.apache.felix.scr.annotations.ReferenceCardinality;
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]31import org.onlab.packet.DeserializationException;
32import org.onlab.packet.EAP;
33import org.onlab.packet.EAPOL;
34import org.onlab.packet.EthType;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]35import org.onlab.packet.Ethernet;
36import org.onlab.packet.IPv4;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]37import org.onlab.packet.MacAddress;
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]38import org.onlab.packet.RADIUS;
39import org.onlab.packet.RADIUSAttribute;
Hyunsun Moona0d63712015-08-22 21:04:23 -0700[diff] [blame]40import org.onlab.packet.TpPort;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]41import org.onosproject.core.ApplicationId;
42import org.onosproject.core.CoreService;
43import org.onosproject.net.ConnectPoint;
44import org.onosproject.net.DeviceId;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]45import org.onosproject.net.PortNumber;
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]46import org.onosproject.net.config.ConfigFactory;
47import org.onosproject.net.config.NetworkConfigEvent;
48import org.onosproject.net.config.NetworkConfigListener;
49import org.onosproject.net.config.NetworkConfigRegistry;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]50import org.onosproject.net.flow.DefaultTrafficSelector;
51import org.onosproject.net.flow.DefaultTrafficTreatment;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]52import org.onosproject.net.flow.TrafficSelector;
53import org.onosproject.net.flow.TrafficTreatment;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]54import org.onosproject.net.packet.DefaultOutboundPacket;
55import org.onosproject.net.packet.InboundPacket;
56import org.onosproject.net.packet.OutboundPacket;
57import org.onosproject.net.packet.PacketContext;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]58import org.onosproject.net.packet.PacketProcessor;
59import org.onosproject.net.packet.PacketService;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]60import org.onosproject.xosintegration.VoltTenantService;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]61import org.slf4j.Logger;
62
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]63import com.google.common.util.concurrent.ThreadFactoryBuilder;
64
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]65import static org.onosproject.net.config.basics.SubjectFactories.APP_SUBJECT_FACTORY;
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]66import static org.onosproject.net.packet.PacketPriority.CONTROL;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]67import static org.slf4j.LoggerFactory.getLogger;
68
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]69/**
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]70 * AAA application for ONOS.
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]71 */
72@Component(immediate = true)
73public class AAA {
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]74
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]75 // for verbose output
76 private final Logger log = getLogger(getClass());
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]77
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]78 // a list of our dependencies :
79 // to register with ONOS as an application - described next
80 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
81 protected CoreService coreService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]82
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]83 // to receive Packet-in events that we'll respond to
84 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
85 protected PacketService packetService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]86
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]87 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
88 protected VoltTenantService voltTenantService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]89
90 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]91 protected NetworkConfigRegistry netCfgService;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]92
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]93 // Parsed RADIUS server addresses
94 protected InetAddress radiusIpAddress;
95 protected String radiusMacAddress;
96
97 // NAS IP address
98 protected InetAddress nasIpAddress;
99 protected String nasMacAddress;
100
101 // RADIUS server secret
102 protected String radiusSecret;
103
104 // ID of RADIUS switch
105 protected String radiusSwitch;
106
107 // RADIUS port number
108 protected long radiusPort;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]109
Ray Milkey5d99bd12015-10-06 15:41:30 -0700[diff] [blame]110 // RADIUS server TCP port number
111 protected short radiusServerPort;
112
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]113 // our application-specific event handler
114 private ReactivePacketProcessor processor = new ReactivePacketProcessor();
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]115
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]116 // our unique identifier
117 private ApplicationId appId;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]118
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]119 // Socket used for UDP communications with RADIUS server
120 private DatagramSocket radiusSocket;
121
122 // Executor for RADIUS communication thread
123 private ExecutorService executor;
124
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]125 // Configuration properties factory
126 private final ConfigFactory factory =
127 new ConfigFactory<ApplicationId, AAAConfig>(APP_SUBJECT_FACTORY,
128 AAAConfig.class,
129 "AAA") {
130 @Override
131 public AAAConfig createConfig() {
132 return new AAAConfig();
133 }
134 };
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]135
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]136 // Listener for config changes
137 private final InternalConfigListener cfgListener = new InternalConfigListener();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]138
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]139 /**
140 * Builds an EAPOL packet based on the given parameters.
141 *
142 * @param dstMac destination MAC address
143 * @param srcMac source MAC address
144 * @param vlan vlan identifier
145 * @param eapolType EAPOL type
146 * @param eap EAP payload
147 * @return Ethernet frame
148 */
149 private static Ethernet buildEapolResponse(MacAddress dstMac, MacAddress srcMac,
150 short vlan, byte eapolType, EAP eap) {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]151
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]152 Ethernet eth = new Ethernet();
153 eth.setDestinationMACAddress(dstMac.toBytes());
154 eth.setSourceMACAddress(srcMac.toBytes());
155 eth.setEtherType(EthType.EtherType.EAPOL.ethType().toShort());
156 if (vlan != Ethernet.VLAN_UNTAGGED) {
157 eth.setVlanID(vlan);
158 }
159 //eapol header
160 EAPOL eapol = new EAPOL();
161 eapol.setEapolType(eapolType);
162 eapol.setPacketLength(eap.getLength());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]163
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]164 //eap part
165 eapol.setPayload(eap);
166
167 eth.setPayload(eapol);
168 eth.setPad(true);
169 return eth;
170 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]171
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]172 @Activate
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]173 public void activate() {
174 netCfgService.addListener(cfgListener);
175 netCfgService.registerConfigFactory(factory);
176
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]177 // "org.onosproject.aaa" is the FQDN of our app
178 appId = coreService.registerApplication("org.onosproject.aaa");
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]179
180 cfgListener.reconfigureNetwork(netCfgService.getConfig(appId, AAAConfig.class));
181
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]182 // register our event handler
Brian O'Connord9c7da02015-07-29 17:49:24 -0700[diff] [blame]183 packetService.addProcessor(processor, PacketProcessor.director(2));
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]184 requestIntercepts();
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]185
186 StateMachine.initializeMaps();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]187
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]188 try {
189 radiusSocket = new DatagramSocket(radiusServerPort);
190 } catch (Exception ex) {
191 log.error("Can't open RADIUS socket", ex);
192 }
193
194 executor = Executors.newSingleThreadExecutor(
195 new ThreadFactoryBuilder()
196 .setNameFormat("AAA-radius-%d").build());
197 executor.execute(radiusListener);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]198 }
199
200 @Deactivate
201 public void deactivate() {
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]202 appId = coreService.registerApplication("org.onosproject.aaa");
203 withdrawIntercepts();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]204 // de-register and null our handler
205 packetService.removeProcessor(processor);
206 processor = null;
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]207 StateMachine.destroyMaps();
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]208 radiusSocket.close();
209 executor.shutdownNow();
210 }
211
212 protected void sendRADIUSPacket(RADIUS radiusPacket) {
213
214 try {
215 final byte[] data = radiusPacket.serialize();
216 final DatagramSocket socket = radiusSocket;
217
218 DatagramPacket packet =
219 new DatagramPacket(data, data.length,
220 radiusIpAddress, radiusServerPort);
221
222 socket.send(packet);
223 } catch (IOException e) {
224 log.info("Cannot send packet to RADIUS server", e);
225 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]226 }
227
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]228 /**
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]229 * Request packet in via PacketService.
230 */
231 private void requestIntercepts() {
232 TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
233 selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort());
234 packetService.requestPackets(selector.build(),
235 CONTROL, appId);
Jonathan Hartfeb41762015-07-15 15:10:28 -0700[diff] [blame]236
237 TrafficSelector radSelector = DefaultTrafficSelector.builder()
238 .matchEthType(EthType.EtherType.IPV4.ethType().toShort())
239 .matchIPProtocol(IPv4.PROTOCOL_UDP)
Ray Milkey5d99bd12015-10-06 15:41:30 -0700[diff] [blame]240 .matchUdpDst(TpPort.tpPort(radiusServerPort))
241 .matchUdpSrc(TpPort.tpPort(radiusServerPort))
Jonathan Hartfeb41762015-07-15 15:10:28 -0700[diff] [blame]242 .build();
243 packetService.requestPackets(radSelector, CONTROL, appId);
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]244 }
245
246 /**
247 * Cancel request for packet in via PacketService.
248 */
249 private void withdrawIntercepts() {
250 TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
251 selector.matchEthType(EthType.EtherType.EAPOL.ethType().toShort());
252 packetService.cancelPackets(selector.build(), CONTROL, appId);
Jonathan Hartfeb41762015-07-15 15:10:28 -0700[diff] [blame]253
254 TrafficSelector radSelector = DefaultTrafficSelector.builder()
255 .matchEthType(EthType.EtherType.IPV4.ethType().toShort())
256 .matchIPProtocol(IPv4.PROTOCOL_UDP)
Ray Milkey5d99bd12015-10-06 15:41:30 -0700[diff] [blame]257 .matchUdpDst(TpPort.tpPort(radiusServerPort))
258 .matchUdpSrc(TpPort.tpPort(radiusServerPort))
Jonathan Hartfeb41762015-07-15 15:10:28 -0700[diff] [blame]259 .build();
260 packetService.cancelPackets(radSelector, CONTROL, appId);
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]261 }
262
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]263 /**
264 * Send the ethernet packet to the supplicant.
265 *
266 * @param ethernetPkt the ethernet packet
267 * @param connectPoint the connect point to send out
268 */
269 private void sendPacketToSupplicant(Ethernet ethernetPkt, ConnectPoint connectPoint) {
270 TrafficTreatment treatment = DefaultTrafficTreatment.builder().setOutput(connectPoint.port()).build();
271 OutboundPacket packet = new DefaultOutboundPacket(connectPoint.deviceId(),
272 treatment, ByteBuffer.wrap(ethernetPkt.serialize()));
273 packetService.emit(packet);
274 }
275
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]276 // our handler defined as a private inner class
277
278 /**
279 * Packet processor responsible for forwarding packets along their paths.
280 */
281 private class ReactivePacketProcessor implements PacketProcessor {
282 @Override
283 public void process(PacketContext context) {
284
285 // Extract the original Ethernet frame from the packet information
286 InboundPacket pkt = context.inPacket();
287 Ethernet ethPkt = pkt.parsed();
288 if (ethPkt == null) {
289 return;
290 }
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]291 try {
292 // identify if incoming packet comes from supplicant (EAP) or RADIUS
293 switch (EthType.EtherType.lookup(ethPkt.getEtherType())) {
294 case EAPOL:
295 handleSupplicantPacket(context.inPacket());
296 break;
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]297 default:
298 log.trace("Skipping Ethernet packet type {}",
299 EthType.EtherType.lookup(ethPkt.getEtherType()));
300 }
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]301 } catch (StateMachineException e) {
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]302 log.warn("Unable to process RADIUS packet:", e);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]303 }
304 }
305
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]306 /**
307 * Creates and initializes common fields of a RADIUS packet.
308 *
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]309 * @param stateMachine state machine for the request
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]310 * @param eapPacket EAP packet
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]311 * @return RADIUS packet
312 */
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]313 private RADIUS getRadiusPayload(StateMachine stateMachine, byte identifier, EAP eapPacket) {
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]314 RADIUS radiusPayload =
315 new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
316 eapPacket.getIdentifier());
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]317
318 // set Request Authenticator in StateMachine
319 stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
320
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]321 radiusPayload.setIdentifier(identifier);
322 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]323 stateMachine.username());
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]324
325 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]326 AAA.this.nasIpAddress.getAddress());
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]327
328 radiusPayload.encapsulateMessage(eapPacket);
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]329
330 return radiusPayload;
331 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]332
333 /**
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]334 * Handles PAE packets (supplicant).
335 *
336 * @param inPacket Ethernet packet coming from the supplicant
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]337 */
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]338 private void handleSupplicantPacket(InboundPacket inPacket) throws StateMachineException {
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]339 Ethernet ethPkt = inPacket.parsed();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]340 // Where does it come from?
341 MacAddress srcMAC = ethPkt.getSourceMAC();
342
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]343 DeviceId deviceId = inPacket.receivedFrom().deviceId();
344 PortNumber portNumber = inPacket.receivedFrom().port();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]345 String sessionId = deviceId.toString() + portNumber.toString();
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]346 StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(sessionId);
347 if (stateMachine == null) {
348 stateMachine = new StateMachine(sessionId, voltTenantService);
349 }
350
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]351
352 EAPOL eapol = (EAPOL) ethPkt.getPayload();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]353
354 switch (eapol.getEapolType()) {
355 case EAPOL.EAPOL_START:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]356 stateMachine.start();
357 stateMachine.setSupplicantConnectpoint(inPacket.receivedFrom());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]358
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]359 //send an EAP Request/Identify to the supplicant
360 EAP eapPayload = new EAP(EAP.REQUEST, stateMachine.identifier(), EAP.ATTR_IDENTITY, null);
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]361 Ethernet eth = buildEapolResponse(srcMAC, MacAddress.valueOf(nasMacAddress),
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]362 ethPkt.getVlanID(), EAPOL.EAPOL_PACKET,
363 eapPayload);
364 stateMachine.setSupplicantAddress(srcMAC);
365 stateMachine.setVlanId(ethPkt.getVlanID());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]366
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]367 sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]368
369 break;
370 case EAPOL.EAPOL_PACKET:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]371 RADIUS radiusPayload;
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]372 // check if this is a Response/Identify or a Response/TLS
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]373 EAP eapPacket = (EAP) eapol.getPayload();
374
375 byte dataType = eapPacket.getDataType();
376 switch (dataType) {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]377
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]378 case EAP.ATTR_IDENTITY:
379 // request id access to RADIUS
380 stateMachine.setUsername(eapPacket.getData());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]381
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]382 radiusPayload = getRadiusPayload(stateMachine, stateMachine.identifier(), eapPacket);
383 radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]384
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]385 sendRADIUSPacket(radiusPayload);
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]386
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]387 // change the state to "PENDING"
388 stateMachine.requestAccess();
389 break;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]390 case EAP.ATTR_MD5:
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]391 // verify if the EAP identifier corresponds to the
392 // challenge identifier from the client state
393 // machine.
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]394 if (eapPacket.getIdentifier() == stateMachine.challengeIdentifier()) {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]395 //send the RADIUS challenge response
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]396 radiusPayload =
397 getRadiusPayload(stateMachine,
398 stateMachine.identifier(),
399 eapPacket);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]400
401 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]402 stateMachine.challengeState());
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]403 radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
404 sendRADIUSPacket(radiusPayload);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]405 }
406 break;
407 case EAP.ATTR_TLS:
Ray Milkey9eb293f2015-09-30 15:09:17 -0700[diff] [blame]408 // request id access to RADIUS
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]409 radiusPayload = getRadiusPayload(stateMachine, stateMachine.identifier(), eapPacket);
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]410
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]411 radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
412 stateMachine.challengeState());
413 stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]414
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]415 sendRADIUSPacket(radiusPayload);
416 radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]417 // TODO: this gets called on every fragment, should only be called at TLS-Start
418 stateMachine.requestAccess();
419
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]420 break;
421 default:
422 return;
423 }
424 break;
425 default:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]426 log.trace("Skipping EAPOL message {}", eapol.getEapolType());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]427 }
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]428
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]429 }
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]430 }
431
432 class RadiusListener implements Runnable {
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]433
434 /**
Jonathan Harta46dddf2015-06-30 15:31:20 -0700[diff] [blame]435 * Handles RADIUS packets.
436 *
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]437 * @param radiusPacket RADIUS packet coming from the RADIUS server.
438 */
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]439 protected void handleRadiusPacket(RADIUS radiusPacket) throws StateMachineException {
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]440 StateMachine stateMachine = StateMachine.lookupStateMachineById(radiusPacket.getIdentifier());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]441 if (stateMachine == null) {
442 log.error("Invalid session identifier, exiting...");
443 return;
444 }
445
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]446 EAP eapPayload;
447 Ethernet eth;
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]448 switch (radiusPacket.getCode()) {
449 case RADIUS.RADIUS_CODE_ACCESS_CHALLENGE:
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]450 byte[] challengeState =
451 radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_STATE).getValue();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]452 eapPayload = radiusPacket.decapsulateMessage();
453 stateMachine.setChallengeInfo(eapPayload.getIdentifier(), challengeState);
Ray Milkeyf61a24e2015-09-24 16:34:02 -0700[diff] [blame]454 eth = buildEapolResponse(stateMachine.supplicantAddress(),
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]455 MacAddress.valueOf(nasMacAddress),
456 stateMachine.vlanId(),
457 EAPOL.EAPOL_PACKET,
Aaron Kruglikovd39d99e2015-07-03 13:30:57 -0700[diff] [blame]458 eapPayload);
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]459 sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]460 break;
461 case RADIUS.RADIUS_CODE_ACCESS_ACCEPT:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]462 //send an EAPOL - Success to the supplicant.
463 byte[] eapMessage =
464 radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE).getValue();
465 eapPayload = new EAP();
466 eapPayload = (EAP) eapPayload.deserialize(eapMessage, 0, eapMessage.length);
467 eth = buildEapolResponse(stateMachine.supplicantAddress(),
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]468 MacAddress.valueOf(nasMacAddress),
469 stateMachine.vlanId(),
470 EAPOL.EAPOL_PACKET,
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]471 eapPayload);
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]472 sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint());
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]473
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]474 stateMachine.authorizeAccess();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]475 break;
476 case RADIUS.RADIUS_CODE_ACCESS_REJECT:
Ray Milkeyf51eba22015-09-25 10:24:23 -0700[diff] [blame]477 stateMachine.denyAccess();
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]478 break;
479 default:
480 log.warn("Unknown RADIUS message received with code: {}", radiusPacket.getCode());
481 }
482 }
483
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]484
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]485 @Override
486 public void run() {
487 boolean done = false;
488 int packetNumber = 1;
489
490 log.info("UDP listener thread starting up");
491 RADIUS inboundRadiusPacket;
492 while (!done) {
493 try {
494 DatagramPacket inboundBasePacket = new DatagramPacket(new byte[1000], 1000);
495 DatagramSocket socket = radiusSocket;
496 socket.receive(inboundBasePacket);
497 log.info("Packet #{} received", packetNumber++);
498 try {
499 inboundRadiusPacket =
500 RADIUS.deserializer()
501 .deserialize(inboundBasePacket.getData(),
502 0,
503 inboundBasePacket.getLength());
504 handleRadiusPacket(inboundRadiusPacket);
505 } catch (DeserializationException dex) {
506 log.error("Cannot deserialize packet", dex);
507 } catch (StateMachineException sme) {
508 log.error("Illegal state machine operation", sme);
509 }
510
511 } catch (IOException e) {
512 log.info("Socket was closed, exiting listener thread");
513 done = true;
514 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]515 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]516 }
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]517 }
518
Ray Milkey967776a2015-10-07 14:37:17 -0700[diff] [blame^]519 RadiusListener radiusListener = new RadiusListener();
520
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]521 private class InternalConfigListener implements NetworkConfigListener {
522
523 /**
524 * Reconfigures the DHCP Server according to the configuration parameters passed.
525 *
526 * @param cfg configuration object
527 */
528 private void reconfigureNetwork(AAAConfig cfg) {
529 AAAConfig newCfg;
530 if (cfg == null) {
531 newCfg = new AAAConfig();
532 } else {
533 newCfg = cfg;
534 }
535 if (newCfg.nasIp() != null) {
536 nasIpAddress = newCfg.nasIp();
537 }
538 if (newCfg.radiusIp() != null) {
539 radiusIpAddress = newCfg.radiusIp();
540 }
541 if (newCfg.radiusMac() != null) {
542 radiusMacAddress = newCfg.radiusMac();
543 }
544 if (newCfg.nasMac() != null) {
545 nasMacAddress = newCfg.nasMac();
546 }
547 if (newCfg.radiusSecret() != null) {
548 radiusSecret = newCfg.radiusSecret();
549 }
550 if (newCfg.radiusSwitch() != null) {
551 radiusSwitch = newCfg.radiusSwitch();
552 }
553 if (newCfg.radiusPort() != -1) {
554 radiusPort = newCfg.radiusPort();
555 }
Ray Milkey5d99bd12015-10-06 15:41:30 -0700[diff] [blame]556 if (newCfg.radiusServerUDPPort() != -1) {
557 radiusServerPort = newCfg.radiusServerUDPPort();
558 }
Ray Milkeyfcb623d2015-10-01 16:48:18 -0700[diff] [blame]559 }
560
561 @Override
562 public void event(NetworkConfigEvent event) {
563
564 if ((event.type() == NetworkConfigEvent.Type.CONFIG_ADDED ||
565 event.type() == NetworkConfigEvent.Type.CONFIG_UPDATED) &&
566 event.configClass().equals(AAAConfig.class)) {
567
568 AAAConfig cfg = netCfgService.getConfig(appId, AAAConfig.class);
569 reconfigureNetwork(cfg);
570 log.info("Reconfigured");
571 }
572 }
573 }
574
575
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]576}