\core\diag\RADIUSTests

Test suite to verify that an EAP setup is actually working as advertised in the real world. Can only be used if CONFIG_DIAGNOSTICS['RADIUSTESTS'] is configured.

Its main purpose is to initialise some error messages.

Summary

Methods

__construct()
__destruct()
getAttributeValue()
createTemporaryDirectory()
rrmdir()
uuid()
randomString()
listerrors()
udpReachability()
udpLogin()
setOuterIdentity()
consolidateUdpResult()

Properties

$returnCodes
$possibleFailureReasons
$additionalFindings
$UDP_reachability_result

Constants

RETVAL_OK
RETVAL_NOTCONFIGURED
RETVAL_SKIPPED
RETVAL_INVALID
RETVAL_NO_RESPONSE
RETVAL_SERVER_UNFINISHED_COMM
RETVAL_IMMEDIATE_REJECT
RETVAL_CONVERSATION_REJECT
RETVAL_CONNECTION_REFUSED
RETVAL_INCOMPLETE_DATA
RETVAL_WRONG_PKCS12_PASSWORD
CERTPROB_ROOT_INCLUDED
CERTPROB_TOO_MANY_SERVER_CERTS
CERTPROB_NO_SERVER_CERT
CERTPROB_MD5_SIGNATURE
CERTPROB_SHA1_SIGNATURE
CERTPROB_LOW_KEY_LENGTH
CERTPROB_NO_TLS_WEBSERVER_OID
CERTPROB_NO_CDP
CERTPROB_NO_CDP_HTTP
CERTPROB_NO_CRL_AT_CDP_URL
CERTPROB_SERVER_CERT_REVOKED
CERTPROB_OUTSIDE_VALIDITY_PERIOD
CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN
CERTPROB_TRUST_ROOT_NOT_REACHED
CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES
CERTPROB_SERVER_NAME_MISMATCH
CERTPROB_SERVER_NAME_PARTIAL_MATCH
CERTPROB_NOT_A_HOSTNAME
CERTPROB_WILDCARD_IN_NAME
CERTPROB_NO_BASICCONSTRAINTS
CERTPROB_UNKNOWN_CA
CERTPROB_WRONGLY_ACCEPTED
CERTPROB_WRONGLY_NOT_ACCEPTED
CERTPROB_NOT_ACCEPTED
CERTPROB_UNABLE_TO_GET_CRL
CERTPROB_NO_COMMON_EAP_METHOD
CERTPROB_DH_GROUP_TOO_SMALL
CERTPROB_UNKNOWN_PUBLIC_KEY_ALGORITHM
CERTPROB_MULTIPLE_CN
INFRA_ETLR
INFRA_LINK_ETLR_NRO_IDP
INFRA_LINK_ETLR_NRO_SP
INFRA_NRO_SP
INFRA_NRO_IDP
INFRA_SP_RADIUS
INFRA_IDP_RADIUS
INFRA_IDP_AUTHBACKEND
INFRA_SP_80211
INFRA_SP_LAN
INFRA_DEVICE
INFRA_NONEXISTENTREALM
STATUS_GOOD
STATUS_PARTIAL
STATUS_DOWN
STATUS_MONITORINGFAIL
L_OK
L_REMARK
L_WARN
L_ERROR
RADIUS_TEST_OPERATION_MODE_SHALLOW
RADIUS_TEST_OPERATION_MODE_THOROUGH
LINEPARSE_CHECK_REJECTIGNORE
LINEPARSE_CHECK_691
LINEPARSE_EAPACK
SERVER_NO_CA_EXTENSION
SERVER_CA_SELFSIGNED
CA_INTERMEDIATE
CA_ROOT

Constants

RETVAL_OK

RETVAL_OK = 0

Test was executed and the result was as expected.

RETVAL_NOTCONFIGURED

RETVAL_NOTCONFIGURED = -100

Test could not be run because CAT software isn't configured for it

RETVAL_SKIPPED

RETVAL_SKIPPED = -101

Test skipped because there was nothing to be done

RETVAL_INVALID

RETVAL_INVALID = -103

test executed, and there were errors

RETVAL_NO_RESPONSE

RETVAL_NO_RESPONSE = -106

no reply at all from remote RADIUS server

RETVAL_SERVER_UNFINISHED_COMM

RETVAL_SERVER_UNFINISHED_COMM = -107

auth flow stopped somewhere in the middle of a conversation

RETVAL_IMMEDIATE_REJECT

RETVAL_IMMEDIATE_REJECT = -108

a RADIUS server did not want to talk EAP with us, but at least replied with a Reject

RETVAL_CONVERSATION_REJECT

RETVAL_CONVERSATION_REJECT = -109

a RADIUS server talked EAP with us, but didn't like us in the end

RETVAL_CONNECTION_REFUSED

RETVAL_CONNECTION_REFUSED = -110

a RADIUS server refuses connection

RETVAL_INCOMPLETE_DATA

RETVAL_INCOMPLETE_DATA = -111

not enough data provided to perform an authentication

RETVAL_WRONG_PKCS12_PASSWORD

RETVAL_WRONG_PKCS12_PASSWORD = -112

PKCS12 password does not match the certificate file

CERTPROB_ROOT_INCLUDED

CERTPROB_ROOT_INCLUDED = -200

The root CA certificate was sent by the EAP server.

CERTPROB_TOO_MANY_SERVER_CERTS

CERTPROB_TOO_MANY_SERVER_CERTS = -201

There was more than one server certificate in the EAP server's chain.

CERTPROB_NO_SERVER_CERT

CERTPROB_NO_SERVER_CERT = -202

There was no server certificate in the EAP server's chain.

CERTPROB_MD5_SIGNATURE

CERTPROB_MD5_SIGNATURE = -204

The/a server certificate was signed with an MD5 signature.

CERTPROB_SHA1_SIGNATURE

CERTPROB_SHA1_SIGNATURE = -227

The/a server certificate was signed with a SHA-1 signature.

CERTPROB_LOW_KEY_LENGTH

CERTPROB_LOW_KEY_LENGTH = -220

one of the keys in the cert chain was smaller than 1024 bits

CERTPROB_NO_TLS_WEBSERVER_OID

CERTPROB_NO_TLS_WEBSERVER_OID = -205

The server certificate did not contain the TLS Web Server OID, creating compatibility problems with many Windows versions.

CERTPROB_NO_CDP

CERTPROB_NO_CDP = -206

The server certificate did not include a CRL Distribution Point, creating compatibility problems with Windows Phone 8.

CERTPROB_NO_CDP_HTTP

CERTPROB_NO_CDP_HTTP = -207

The server certificate did include a CRL Distribution Point, but not one pointing to an HTTP/HTTPS URL. Possible compatibility problems.

CERTPROB_NO_CRL_AT_CDP_URL

CERTPROB_NO_CRL_AT_CDP_URL = -208

The server certificate's CRL Distribution Point URL couldn't be accessed and/or did not contain a CRL.

CERTPROB_SERVER_CERT_REVOKED

CERTPROB_SERVER_CERT_REVOKED = -222

The received server certificate is revoked.

CERTPROB_OUTSIDE_VALIDITY_PERIOD

CERTPROB_OUTSIDE_VALIDITY_PERIOD = -221

The certificate is not currently valid (expired or not yet valid).

CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN

CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN = -225

At least one certificate is outside its validity period (not yet valid, or already expired)!

CERTPROB_TRUST_ROOT_NOT_REACHED

CERTPROB_TRUST_ROOT_NOT_REACHED = -209

At least one certificate is outside its validity period, but this certificate does not take part in server validation.

CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES

CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES = -216

The received certificate chain did not carry the necessary intermediate CAs in the EAP conversation. Only the CAT Intermediate CA installation can complete the chain.

CERTPROB_SERVER_NAME_MISMATCH

CERTPROB_SERVER_NAME_MISMATCH = -210

The received server certificate's name did not match the configured name in the profile properties.

CERTPROB_SERVER_NAME_PARTIAL_MATCH

CERTPROB_SERVER_NAME_PARTIAL_MATCH = -217

The received server certificate's name did not match the configured name in the profile properties.

CERTPROB_NOT_A_HOSTNAME

CERTPROB_NOT_A_HOSTNAME = -218

One of the names in the cert was not a hostname.

CERTPROB_WILDCARD_IN_NAME

CERTPROB_WILDCARD_IN_NAME = -219

One of the names contained a wildcard character.

CERTPROB_NO_BASICCONSTRAINTS

CERTPROB_NO_BASICCONSTRAINTS = -211

The certificate does not set any BasicConstraints; in particular, there is no CA=TRUE/FALSE flag.

CERTPROB_UNKNOWN_CA

CERTPROB_UNKNOWN_CA = -212

The server presented a certificate which is from an unknown authority

CERTPROB_WRONGLY_ACCEPTED

CERTPROB_WRONGLY_ACCEPTED = -213

The server accepted this client certificate, but should not have

CERTPROB_WRONGLY_NOT_ACCEPTED

CERTPROB_WRONGLY_NOT_ACCEPTED = -214

The server does not accept this client certificate, but should have

CERTPROB_NOT_ACCEPTED

CERTPROB_NOT_ACCEPTED = -215

The server does not accept this client certificate.

CERTPROB_UNABLE_TO_GET_CRL

CERTPROB_UNABLE_TO_GET_CRL = 223

the CRL of a certificate could not be found

CERTPROB_NO_COMMON_EAP_METHOD

CERTPROB_NO_COMMON_EAP_METHOD = -224

No EAP method could be agreed on, so the certificates could not be extracted.

CERTPROB_DH_GROUP_TOO_SMALL

CERTPROB_DH_GROUP_TOO_SMALL = -228

Diffie-Hellman groups need to be 1024 bit at least, starting with OS X 10.11

CERTPROB_UNKNOWN_PUBLIC_KEY_ALGORITHM

CERTPROB_UNKNOWN_PUBLIC_KEY_ALGORITHM = -229

cert has a public key algorithm which is rather unusual

CERTPROB_MULTIPLE_CN

CERTPROB_MULTIPLE_CN = -226

There is more than one CN in the certificate
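The chain-related codes above (CERTPROB_ROOT_INCLUDED, CERTPROB_NO_SERVER_CERT, CERTPROB_TOO_MANY_SERVER_CERTS, CERTPROB_TRUST_ROOT_NOT_REACHED, CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES, CERTPROB_UNKNOWN_CA) describe the outcome of walking the issuer links of the chain the EAP server sent, first alone and then with the intermediates installed out of band. The Python below is an added illustration, not the CAT project's code: it classifies a chain (certificates reduced to subject/issuer/CA-flag dicts, with a constructed sample) using the code values from this page, and the way each status is derived is this example's reading of the constant descriptions, not the class's actual implementation.

```python
# Values copied from the CERTPROB_* constants on this page.
CERTPROB_ROOT_INCLUDED = -200
CERTPROB_TOO_MANY_SERVER_CERTS = -201
CERTPROB_NO_SERVER_CERT = -202
CERTPROB_TRUST_ROOT_NOT_REACHED = -209
CERTPROB_UNKNOWN_CA = -212
CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES = -216

# Constructed sample chain; the names are made up for this example.
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA", "ca": True}
INTER = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA", "ca": True}
SERVER = {"subject": "CN=radius.example.org", "issuer": "CN=Example Issuing CA", "ca": False}

def _walk_to_root(server_cert, pool, root_subjects):
    """Follow issuer links from server_cert through pool: 'ok' when a configured
    root is reached, 'unknown' at a self-signed cert that is not a configured
    root, 'incomplete' when an issuer is missing from pool (or the links loop)."""
    by_subject = {c["subject"]: c for c in pool}
    current, seen = server_cert, set()
    while True:
        if current["issuer"] in root_subjects:
            return "ok"
        if current["issuer"] == current["subject"]:
            return "unknown"
        parent = by_subject.get(current["issuer"])
        if parent is None or parent["subject"] in seen:
            return "incomplete"
        seen.add(parent["subject"])
        current = parent

def check_chain(eap_chain, trusted_roots, oob_intermediates):
    """CERTPROB codes for the chain the EAP server sent, given the configured CA
    bundle and the intermediates installed out of band (CAT Intermediate CA)."""
    findings = []
    root_subjects = {r["subject"] for r in trusted_roots}
    server_certs = [c for c in eap_chain if not c["ca"]]
    if not server_certs:
        return [CERTPROB_NO_SERVER_CERT]
    if len(server_certs) > 1:
        findings.append(CERTPROB_TOO_MANY_SERVER_CERTS)
    if any(c["subject"] in root_subjects for c in eap_chain):
        findings.append(CERTPROB_ROOT_INCLUDED)  # root sent in-band: wasted bytes
    status = _walk_to_root(server_certs[0], eap_chain, root_subjects)
    if status == "incomplete":  # retry with the out-of-band intermediates
        status = _walk_to_root(server_certs[0], eap_chain + oob_intermediates, root_subjects)
        if status == "ok":
            findings.append(CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES)
    findings += {"unknown": [CERTPROB_UNKNOWN_CA],
                 "incomplete": [CERTPROB_TRUST_ROOT_NOT_REACHED]}.get(status, [])
    return findings
```

Running `check_chain([SERVER], [ROOT], [INTER])` yields only the out-of-band code, while the same server certificate without any installed intermediate yields CERTPROB_TRUST_ROOT_NOT_REACHED.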

INFRA_ETLR

INFRA_ETLR = INFRA_ETLR

INFRA_NRO_SP

INFRA_NRO_SP = INFRA_NRO_SP

INFRA_NRO_IDP

INFRA_NRO_IDP = INFRA_NRO_IdP

INFRA_SP_RADIUS

INFRA_SP_RADIUS = INFRA_SP_RADIUS

INFRA_IDP_RADIUS

INFRA_IDP_RADIUS = INFRA_IdP_RADIUS

INFRA_IDP_AUTHBACKEND

INFRA_IDP_AUTHBACKEND = INFRA_IDP_AUTHBACKEND

INFRA_SP_80211

INFRA_SP_80211 = INFRA_SP_80211

INFRA_SP_LAN

INFRA_SP_LAN = INFRA_SP_LAN

INFRA_DEVICE

INFRA_DEVICE = INFRA_DEVICE

INFRA_NONEXISTENTREALM

INFRA_NONEXISTENTREALM = INFRA_NONEXISTENTREALM

STATUS_GOOD

STATUS_GOOD = 0

STATUS_PARTIAL

STATUS_PARTIAL = -1

STATUS_DOWN

STATUS_DOWN = -2

STATUS_MONITORINGFAIL

STATUS_MONITORINGFAIL = -3

L_OK

L_OK = 0

L_REMARK

L_REMARK = 4

L_WARN

L_WARN = 32

L_ERROR

L_ERROR = 256

RADIUS_TEST_OPERATION_MODE_SHALLOW

RADIUS_TEST_OPERATION_MODE_SHALLOW = 1

RADIUS_TEST_OPERATION_MODE_THOROUGH

RADIUS_TEST_OPERATION_MODE_THOROUGH = 2

LINEPARSE_CHECK_REJECTIGNORE

LINEPARSE_CHECK_REJECTIGNORE = 1

LINEPARSE_CHECK_691

LINEPARSE_CHECK_691 = 2

LINEPARSE_EAPACK

LINEPARSE_EAPACK = 3

SERVER_NO_CA_EXTENSION

SERVER_NO_CA_EXTENSION = 1

SERVER_CA_SELFSIGNED

SERVER_CA_SELFSIGNED = 2

CA_INTERMEDIATE

CA_INTERMEDIATE = 3

CA_ROOT

CA_ROOT = 4

Properties

$returnCodes

$returnCodes : mixed|string|int

generic return codes

$possibleFailureReasons

$additionalFindings

$UDP_reachability_result

Methods

__construct()

__construct(realm, outerUsernameForChecks, mixed|string|int supportedEapTypes = [], mixed|string|int expectedServerNames = [], mixed|string|int expectedCABundle = [])

Constructor for the EAPTests class. The single mandatory parameter is the realm for which the tests are to be carried out.

Logs the start of lifetime of the entity to the debug log on levels 3 and higher.

Parameters

realm
outerUsernameForChecks
mixed|string|int supportedEapTypes

(array of integer representations of EAP types)

mixed|string|int expectedServerNames

(array of strings)

mixed|string|int expectedCABundle

(array of PEM blocks)

__destruct()

__destruct()

destroys the entity.

Logs the end of lifetime of the entity to the debug log on level 5.

getAttributeValue()

getAttributeValue(mixed|string|int attributeArray, string|int index1, string|int index2)

This is a helper function to retrieve a value from a two-dimensional array. It tests whether the value for the first index is defined, then does the same for the second index, and finally returns the value; if anything along the way is not defined, NULL is returned.

Parameters

mixed|string|int attributeArray
string|int index1
string|int index2

createTemporaryDirectory()

createTemporaryDirectory(purpose = 'installer', failIsFatal = 1) : mixed|string|int

create a temporary directory and return the location

Parameters

purpose

one of 'installer', 'logo', 'test'; defines the purpose of the directory

failIsFatal

decides if a creation failure should cause an error; defaults to true

Returns

mixed|string|int —

the tuple of: base path, absolute path for directory, directory name

rrmdir()

rrmdir(dir)

This recursive directory delete function has been copied from the PHP documentation.

Parameters

dir

name of the directory to delete

uuid()

uuid(prefix, deterministicSource = NULL)

generates a UUID, for the devices which identify file contents by UUID

Parameters

prefix

an extra prefix to set before the UUID

deterministicSource

Returns

UUID (possibly prefixed)

randomString()

randomString(length, keyspace = '23456789abcdefghijkmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')

produces a random string

Parameters

length

the length of the string to produce

keyspace

the pool of characters to use for producing the string

Throws

\Exception

listerrors()

listerrors() : mixed|string|int

This function returns an array of errors which were encountered in all the tests.

Returns

mixed|string|int —

all the errors

udpReachability()

udpReachability(probeindex, opnameCheck = TRUE, frag = TRUE)

This function performs actual authentication checks with MADE-UP credentials.

Its purpose is to check whether a RADIUS server is reachable and speaks EAP. The function fills the array RADIUSTests::UDP_reachability_result[$probeindex] with all check details, in case the caller needs or wants more than the return code.

Parameters

probeindex

refers to the specific UDP-host in the config that should be checked

opnameCheck

should we check choking on Operator-Name?

frag

should we cause UDP fragmentation? (Warning: makes use of Operator-Name!)

Returns

returncode

udpLogin()

udpLogin(probeindex, mixed|string|int eaptype, innerUser, password, opnameCheck = TRUE, frag = TRUE, clientcertdata = NULL)

The big Guy. This performs an actual login with EAP and records how far it got and what oddities were observed along the way.

Parameters

probeindex

the probe we are connecting to (as set in product config)

mixed|string|int eaptype

EAP type to use for connection

innerUser

inner username to try

password

password to try

opnameCheck

whether or not we check with Operator-Name set

frag

whether or not we check with an oversized packet forcing fragmentation

clientcertdata

client certificate credential to try

Throws

\Exception

Returns

overall return code of the login test

setOuterIdentity()

setOuterIdentity(id)

Parameters

id

consolidateUdpResult()

consolidateUdpResult(host)

Parameters

host
