\core\diag\RADIUSTests

Test suite to verify that an EAP setup is actually working as advertised in the real world. It can only be used if CONFIG_DIAGNOSTICS['RADIUSTESTS'] is configured.

Besides storing the test parameters, the constructor's main purpose is to initialise the error messages that the tests report through.

Summary

Public methods: __construct(), __destruct(), createTemporaryDirectory(), rrmdir(), listerrors(), udpReachability(), udpLogin(), consolidateUdpResult()

Public properties: $returnCodes, $possibleFailureReasons, $additionalFindings, $UDP_reachability_result

Public constants: RETVAL_OK, RETVAL_NOTCONFIGURED, RETVAL_SKIPPED, RETVAL_INVALID, RETVAL_NO_RESPONSE, RETVAL_SERVER_UNFINISHED_COMM, RETVAL_IMMEDIATE_REJECT, RETVAL_CONVERSATION_REJECT, RETVAL_CONNECTION_REFUSED, RETVAL_INCOMPLETE_DATA, RETVAL_WRONG_PKCS12_PASSWORD, CERTPROB_ROOT_INCLUDED, CERTPROB_TOO_MANY_SERVER_CERTS, CERTPROB_NO_SERVER_CERT, CERTPROB_MD5_SIGNATURE, CERTPROB_SHA1_SIGNATURE, CERTPROB_LOW_KEY_LENGTH, CERTPROB_NO_TLS_WEBSERVER_OID, CERTPROB_NO_CDP, CERTPROB_NO_CDP_HTTP, CERTPROB_NO_CRL_AT_CDP_URL, CERTPROB_SERVER_CERT_REVOKED, CERTPROB_OUTSIDE_VALIDITY_PERIOD, CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN, CERTPROB_TRUST_ROOT_NOT_REACHED, CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES, CERTPROB_SERVER_NAME_MISMATCH, CERTPROB_SERVER_NAME_PARTIAL_MATCH, CERTPROB_NOT_A_HOSTNAME, CERTPROB_WILDCARD_IN_NAME, CERTPROB_NO_BASICCONSTRAINTS, CERTPROB_UNKNOWN_CA, CERTPROB_WRONGLY_ACCEPTED, CERTPROB_WRONGLY_NOT_ACCEPTED, CERTPROB_NOT_ACCEPTED, CERTPROB_UNABLE_TO_GET_CRL, CERTPROB_NO_COMMON_EAP_METHOD, CERTPROB_DH_GROUP_TOO_SMALL, CERTPROB_MULTIPLE_CN, INFRA_ETLR, INFRA_LINK_ETLR_NRO_IDP, INFRA_LINK_ETLR_NRO_SP, INFRA_NRO_SP, INFRA_NRO_IDP, INFRA_SP_RADIUS, INFRA_IDP_RADIUS, INFRA_IDP_AUTHBACKEND, INFRA_SP_80211, INFRA_SP_LAN, INFRA_DEVICE, INFRA_NONEXISTENTREALM, STATUS_GOOD, STATUS_PARTIAL, STATUS_DOWN, STATUS_MONITORINGFAIL, L_OK, L_REMARK, L_WARN, L_ERROR, RADIUS_TEST_OPERATION_MODE_SHALLOW, RADIUS_TEST_OPERATION_MODE_THOROUGH, LINEPARSE_CHECK_REJECTIGNORE, LINEPARSE_CHECK_691, LINEPARSE_EAPACK

Protected methods: normaliseResultSet()

Protected properties: $loggerInstance, $languageInstance

Private methods: printDN(), printTm(), propertyCheckServercert(), propertyCheckIntermediate(), addCrltoCert(), redact(), filterPackettype(), checkLineparse(), wpaSupplicantConfig(), packetCountEvaluation(), eapolTestConfig(), thoroughChainChecks(), thoroughNameChecks(), executeEapolTest()

Private properties: $UDP_reachability_executed, $errorlist, $realm, $outerUsernameForChecks, $expectedCABundle, $expectedServerNames, $supportedEapTypes, $opMode

Constants

RETVAL_OK

RETVAL_OK = 0

Test was executed and the result was as expected.

RETVAL_NOTCONFIGURED

RETVAL_NOTCONFIGURED = -100

Test could not be run because CAT software isn't configured for it

RETVAL_SKIPPED

RETVAL_SKIPPED = -101

Test skipped because there was nothing to be done

RETVAL_INVALID

RETVAL_INVALID = -103

test executed, and there were errors

RETVAL_NO_RESPONSE

RETVAL_NO_RESPONSE = -106

no reply at all from remote RADIUS server

RETVAL_SERVER_UNFINISHED_COMM

RETVAL_SERVER_UNFINISHED_COMM = -107

auth flow stopped somewhere in the middle of a conversation

RETVAL_IMMEDIATE_REJECT

RETVAL_IMMEDIATE_REJECT = -108

a RADIUS server did not want to talk EAP with us, but at least replied with a Reject

RETVAL_CONVERSATION_REJECT

RETVAL_CONVERSATION_REJECT = -109

a RADIUS server talked EAP with us, but didn't like us in the end

RETVAL_CONNECTION_REFUSED

RETVAL_CONNECTION_REFUSED = -110

a RADIUS server refuses connection

RETVAL_INCOMPLETE_DATA

RETVAL_INCOMPLETE_DATA = -111

not enough data provided to perform an authentication

RETVAL_WRONG_PKCS12_PASSWORD

RETVAL_WRONG_PKCS12_PASSWORD = -112

PKCS12 password does not match the certificate file

CERTPROB_ROOT_INCLUDED

CERTPROB_ROOT_INCLUDED = -200

The root CA certificate was sent by the EAP server.

CERTPROB_TOO_MANY_SERVER_CERTS

CERTPROB_TOO_MANY_SERVER_CERTS = -201

There was more than one server certificate in the EAP server's chain.

CERTPROB_NO_SERVER_CERT

CERTPROB_NO_SERVER_CERT = -202

There was no server certificate in the EAP server's chain.

CERTPROB_MD5_SIGNATURE

CERTPROB_MD5_SIGNATURE = -204

The/a server certificate was signed with an MD5 signature.

CERTPROB_SHA1_SIGNATURE

CERTPROB_SHA1_SIGNATURE = -227

The/a server certificate was signed with a SHA-1 signature.

CERTPROB_LOW_KEY_LENGTH

CERTPROB_LOW_KEY_LENGTH = -220

one of the keys in the cert chain was smaller than 1024 bits

CERTPROB_NO_TLS_WEBSERVER_OID

CERTPROB_NO_TLS_WEBSERVER_OID = -205

The server certificate did not contain the TLS Web Server OID, creating compat problems with many Windows versions.

CERTPROB_NO_CDP

CERTPROB_NO_CDP = -206

The server certificate did not include a CRL Distribution Point, creating compat problems with Windows Phone 8.

CERTPROB_NO_CDP_HTTP

CERTPROB_NO_CDP_HTTP = -207

The server certificate did include a CRL Distribution Point, but not one with an HTTP/HTTPS URL. Possible compat problems.

CERTPROB_NO_CRL_AT_CDP_URL

CERTPROB_NO_CRL_AT_CDP_URL = -208

The server certificate's CRL Distribution Point URL couldn't be accessed and/or did not contain a CRL.

CERTPROB_SERVER_CERT_REVOKED

CERTPROB_SERVER_CERT_REVOKED = -222

The received server certificate is revoked.

CERTPROB_OUTSIDE_VALIDITY_PERIOD

CERTPROB_OUTSIDE_VALIDITY_PERIOD = -221

At least one certificate taking part in server validation is outside its validity period (not yet valid, or already expired).

CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN

CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN = -225

At least one certificate is outside its validity period, but this certificate does not take part in server validation (warning only).

CERTPROB_TRUST_ROOT_NOT_REACHED

CERTPROB_TRUST_ROOT_NOT_REACHED = -209

The received certificate chain did not end in any of the trust roots configured in the profile properties.

CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES

CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES = -216

The received certificate chain did not carry the necessary intermediate CAs in the EAP conversation. Only the CAT Intermediate CA installation can complete the chain.

CERTPROB_SERVER_NAME_MISMATCH

CERTPROB_SERVER_NAME_MISMATCH = -210

The received server certificate's name did not match the configured name in the profile properties.

CERTPROB_SERVER_NAME_PARTIAL_MATCH

CERTPROB_SERVER_NAME_PARTIAL_MATCH = -217

The received server certificate's name matched the configured name in the profile properties only partially.

CERTPROB_NOT_A_HOSTNAME

CERTPROB_NOT_A_HOSTNAME = -218

One of the names in the cert was not a hostname.

CERTPROB_WILDCARD_IN_NAME

CERTPROB_WILDCARD_IN_NAME = -219

One of the names contained a wildcard character.

CERTPROB_NO_BASICCONSTRAINTS

CERTPROB_NO_BASICCONSTRAINTS = -211

The certificate does not carry a BasicConstraints extension, so in particular it does not state CA = TRUE or CA = FALSE.

CERTPROB_UNKNOWN_CA

CERTPROB_UNKNOWN_CA = -212

The server presented a certificate which is from an unknown authority

CERTPROB_WRONGLY_ACCEPTED

CERTPROB_WRONGLY_ACCEPTED = -213

The server accepted this client certificate, but should not have

CERTPROB_WRONGLY_NOT_ACCEPTED

CERTPROB_WRONGLY_NOT_ACCEPTED = -214

The server does not accept this client certificate, but should have

CERTPROB_NOT_ACCEPTED

CERTPROB_NOT_ACCEPTED = -215

The server does not accept this client certificate.

CERTPROB_UNABLE_TO_GET_CRL

CERTPROB_UNABLE_TO_GET_CRL = 223

The CRL for a certificate could not be retrieved. Note that this value is documented without the minus sign every other code carries; callers should compare against the constant name, not the numeric value.

CERTPROB_NO_COMMON_EAP_METHOD

CERTPROB_NO_COMMON_EAP_METHOD = -224

no EAP method could be agreed on, so no certificates could be extracted

CERTPROB_DH_GROUP_TOO_SMALL

CERTPROB_DH_GROUP_TOO_SMALL = -225

Diffie-Hellman groups need to be at least 1024 bits, starting with OS X 10.11. Note that this numeric value is shared with CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN above; compare findings by constant name, not by value.

CERTPROB_MULTIPLE_CN

CERTPROB_MULTIPLE_CN = -226

There is more than one CN in the certificate

INFRA_ETLR

INFRA_ETLR = 'INFRA_ETLR'

The INFRA_* constants name the infrastructure components on the authentication path that a failure can be attributed to; each is a string value spelling out the component name. This one is the European Top-Level RADIUS server.

INFRA_NRO_SP

INFRA_NRO_SP = 'INFRA_NRO_SP'

INFRA_NRO_IDP

INFRA_NRO_IDP = 'INFRA_NRO_IdP'

INFRA_SP_RADIUS

INFRA_SP_RADIUS = 'INFRA_SP_RADIUS'

INFRA_IDP_RADIUS

INFRA_IDP_RADIUS = 'INFRA_IdP_RADIUS'

INFRA_IDP_AUTHBACKEND

INFRA_IDP_AUTHBACKEND = 'INFRA_IDP_AUTHBACKEND'

INFRA_SP_80211

INFRA_SP_80211 = 'INFRA_SP_80211'

INFRA_SP_LAN

INFRA_SP_LAN = 'INFRA_SP_LAN'

INFRA_DEVICE

INFRA_DEVICE = 'INFRA_DEVICE'

INFRA_NONEXISTENTREALM

INFRA_NONEXISTENTREALM = 'INFRA_NONEXISTENTREALM'

STATUS_GOOD

STATUS_GOOD = 0

STATUS_PARTIAL

STATUS_PARTIAL = -1

STATUS_DOWN

STATUS_DOWN = -2

STATUS_MONITORINGFAIL

STATUS_MONITORINGFAIL = -3

L_OK

L_OK = 0

L_REMARK

L_REMARK = 4

L_WARN

L_WARN = 32

L_ERROR

L_ERROR = 256

RADIUS_TEST_OPERATION_MODE_SHALLOW

RADIUS_TEST_OPERATION_MODE_SHALLOW = 1

RADIUS_TEST_OPERATION_MODE_THOROUGH

RADIUS_TEST_OPERATION_MODE_THOROUGH = 2

LINEPARSE_CHECK_REJECTIGNORE

LINEPARSE_CHECK_REJECTIGNORE = 1

LINEPARSE_CHECK_691

LINEPARSE_CHECK_691 = 2

LINEPARSE_EAPACK

LINEPARSE_EAPACK = 3

Properties

$returnCodes

$returnCodes : array

generic return codes

$possibleFailureReasons

$possibleFailureReasons : array

occurrence factors per possible failure reason; normaliseResultSet() scales them so that they sum to 1

$additionalFindings

$UDP_reachability_result

$UDP_reachability_result : array

per-probe check detail from the UDP tests, indexed by probe index (see udpReachability())

$loggerInstance

$loggerInstance : \core\common\Logging

We occasionally log stuff (debug/audit). Having an initialised Logging instance nearby is helpful.

$languageInstance

$languageInstance : \core\common\Language

access to language settings, to be able to switch textDomain

$UDP_reachability_executed

The variables below maintain state of the result of previous checks.

$errorlist

$errorlist : array

$realm

$realm : string

This private variable contains the realm to be checked. It is filled in by the class constructor.

$outerUsernameForChecks

$outerUsernameForChecks : string

$expectedCABundle

$expectedCABundle : array

$expectedServerNames

$expectedServerNames : array

$supportedEapTypes

$supportedEapTypes : array

the list of EAP types which the IdP allegedly supports.

$opMode

$opMode : int

one of RADIUS_TEST_OPERATION_MODE_SHALLOW or RADIUS_TEST_OPERATION_MODE_THOROUGH

Methods

__construct()

__construct(string $realm, string $outerUsernameForChecks, array $supportedEapTypes = [], array $expectedServerNames = [], array $expectedCABundle = [])

Constructor for the RADIUSTests class. The mandatory parameters are the realm for which the tests are to be carried out and the outer username to use in the checks.

Logs the start of lifetime of the entity to the debug log on levels 3 and higher.

Parameters

$realm

the realm to test

$outerUsernameForChecks

the outer username to use in the EAP conversations

array $supportedEapTypes

(array of integer representations of EAP types)

array $expectedServerNames

(array of strings)

array $expectedCABundle

(array of PEM blocks)

__destruct()

__destruct() 

destroys the entity.

Logs the end of lifetime of the entity to the debug log on level 5.

createTemporaryDirectory()

createTemporaryDirectory(string $purpose = 'installer', bool $failIsFatal = true) : array

create a temporary directory and return the location

Parameters

$purpose

one of 'installer', 'logo', 'test'; defines the purpose of the directory

$failIsFatal

decides if a creation failure should cause an error; defaults to true

Returns

array —

the tuple of: base path, absolute path for directory, directory name

rrmdir()

rrmdir(string $dir)

this recursive directory delete function has been copied from the PHP documentation

Parameters

$dir

name of the directory to delete

listerrors()

listerrors() : array

This function returns an array of errors which were encountered in all the tests.

Returns

array —

all the errors

udpReachability()

udpReachability(int $probeindex, bool $opnameCheck = true, bool $frag = true) : int

This function performs actual authentication checks with MADE-UP credentials.

Its purpose is to check if a RADIUS server is reachable and speaks EAP. Since the credentials are made up, the conversation is expected to end in a Reject; what is evaluated is whether the server answers at all, agrees on an EAP method, and what certificates it presents on the way. The function fills the array RADIUSTests::UDP_reachability_result[$probeindex] with all check detail, in case the caller needs more than the return code.

Parameters

$probeindex

refers to the specific UDP host in the config that should be checked

$opnameCheck

should we check for choking on Operator-Name?

$frag

should we cause UDP fragmentation? (Warning: makes use of Operator-Name!)

Returns

int —

return code (one of the RETVAL_* constants)

udpLogin()

udpLogin(int $probeindex, array $eaptype, string $innerUser, string $password, bool $opnameCheck = true, bool $frag = true, $clientcertdata = null) : int

The big one. This performs an actual login with EAP and records how far it got and what oddities were observed along the way. The credential is a real one, so eapol_test output is passed through redact() before it reaches the logs.

Parameters

$probeindex

the probe we are connecting to (as set in product config)

array $eaptype

EAP type to use for the connection

$innerUser

inner username to try

$password

password to try

$opnameCheck

whether or not we check with Operator-Name set

$frag

whether or not we check with an oversized packet forcing fragmentation

$clientcertdata

client certificate credential to try

Throws

\Exception

Returns

int —

overall return code of the login test

consolidateUdpResult()

consolidateUdpResult($host)

Parameters

$host

normaliseResultSet()

normaliseResultSet() 

turns $this->possibleFailureReasons into something where the sum of all occurrence factors is 1. A bit like a probability distribution, but they are not actual probabilities.

printDN()

printDN($distinguishedName)

Parameters

$distinguishedName

printTm()

printTm($time)

Parameters

$time

propertyCheckServercert()

propertyCheckServercert(mixed|string|int  servercert) : mixed|string|int

This function parses a X.509 server cert and checks if it finds client device incompatibilities

Parameters

mixed|string|int servercert

the properties of the certificate as returned by processCertificate(), $servercert is modified, if CRL is defied, it is downloaded and added to the array incoming_server_names, sAN_DNS and CN array values are also defined

Returns

mixed|string|int —

of oddities; the array is empty if everything is fine
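The checks propertyCheckServercert() describes can be sketched against the array that PHP's openssl_x509_parse() returns. The following is an added example written for this page, not code from eduroam CAT: it implements a subset of the CERTPROB_* checks (signature digest, key length, TLS Web Server EKU, CRL Distribution Point and its URL scheme, validity period, multiple CNs, wildcard and non-hostname names) over a certificate generated at run time, so the input is constructed rather than taken from a real server. The function names ending in Example and the hostname regular expression are this example's choices; the thresholds follow the constant descriptions above.

```php
<?php
// Added example, not code from eduroam CAT: a subset of the CERTPROB_* property
// checks, applied to the array that openssl_x509_parse() returns for a server
// certificate. The certificate is generated at runtime below (constructed input,
// not from any real RADIUS server) so the run is reproducible offline.

const CERTPROB_MD5_SIGNATURE           = -204;
const CERTPROB_NO_TLS_WEBSERVER_OID    = -205;
const CERTPROB_NO_CDP                  = -206;
const CERTPROB_NO_CDP_HTTP             = -207;
const CERTPROB_NOT_A_HOSTNAME          = -218;
const CERTPROB_WILDCARD_IN_NAME        = -219;
const CERTPROB_LOW_KEY_LENGTH          = -220;
const CERTPROB_OUTSIDE_VALIDITY_PERIOD = -221;
const CERTPROB_MULTIPLE_CN             = -226;
const CERTPROB_SHA1_SIGNATURE          = -227;

/** Names the checks look at: every CN plus every subjectAltName:DNS entry. */
function serverNamesExample(array $parsed): array
{
    $cn = $parsed['subject']['CN'] ?? [];
    $names = is_array($cn) ? $cn : [$cn];
    // openssl_x509_parse() flattens the SAN into "DNS:a.example, DNS:b.example, IP Address:..."
    foreach (explode(',', $parsed['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = substr($entry, 4);
        }
    }
    return $names;
}

/** Returns the CERTPROB_* codes found; empty if everything is fine. */
function propertyCheckServercertExample(array $parsed, int $pubkeyBits, int $now): array
{
    $oddities = [];
    $sig = $parsed['signatureTypeSN'] ?? '';            // e.g. "RSA-SHA256"
    if (stripos($sig, 'md5') !== false)  { $oddities[] = CERTPROB_MD5_SIGNATURE; }
    if (stripos($sig, 'sha1') !== false) { $oddities[] = CERTPROB_SHA1_SIGNATURE; }
    if ($pubkeyBits < 1024)              { $oddities[] = CERTPROB_LOW_KEY_LENGTH; }

    $ext = $parsed['extensions'] ?? [];
    if (stripos($ext['extendedKeyUsage'] ?? '', 'TLS Web Server Authentication') === false) {
        $oddities[] = CERTPROB_NO_TLS_WEBSERVER_OID;  // Windows supplicants insist on this EKU
    }
    $cdp = $ext['crlDistributionPoints'] ?? '';
    if ($cdp === '') {
        $oddities[] = CERTPROB_NO_CDP;
    } elseif (!preg_match('~URI:https?://~i', $cdp)) {
        $oddities[] = CERTPROB_NO_CDP_HTTP;            // CDP present, but not fetchable over HTTP(S)
    }
    if ($now < $parsed['validFrom_time_t'] || $now > $parsed['validTo_time_t']) {
        $oddities[] = CERTPROB_OUTSIDE_VALIDITY_PERIOD;
    }
    if (is_array($parsed['subject']['CN'] ?? null) && count($parsed['subject']['CN']) > 1) {
        $oddities[] = CERTPROB_MULTIPLE_CN;            // openssl_x509_parse() returns repeated RDNs as an array
    }
    foreach (serverNamesExample($parsed) as $name) {
        if (strpos($name, '*') !== false) {
            $oddities[] = CERTPROB_WILDCARD_IN_NAME;
        } elseif (!preg_match('/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/i', $name)) {
            $oddities[] = CERTPROB_NOT_A_HOSTNAME;     // e.g. a bare word or an IP literal in the CN
        }
    }
    return array_values(array_unique($oddities));
}

// Constructed input: a self-signed certificate with a wildcard CN; the default OpenSSL
// request extensions add neither an extendedKeyUsage nor a CRL Distribution Point.
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => '*.radius.example.org'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
$parsed = openssl_x509_parse($cert);
$bits   = openssl_pkey_get_details(openssl_pkey_get_public($cert))['bits'];

$found = propertyCheckServercertExample($parsed, $bits, time());
printf("signature %s, key %d bits, findings: %s\n", $parsed['signatureTypeSN'], $bits, implode(', ', $found));
```

The constructed certificate is built to exercise the wildcard, missing-EKU and missing-CDP checks; feeding the function the parsed array of a real server certificate (as obtained from the EAP conversation) is the intended use. Revocation and chain checks are deliberately left out here, since they need the CRL download that addCrltoCert() performs and the configured trust roots.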

propertyCheckIntermediate()

propertyCheckIntermediate(array $intermediateCa, bool $serverCert = false) : array

This function parses an X.509 intermediate CA cert and checks if it finds client device incompatibilities.

Parameters

array $intermediateCa

the properties of the certificate as returned by processCertificate()

$serverCert

Returns

array —

of oddities; the array is empty if everything is fine

addCrltoCert()

addCrltoCert(array &$cert) : int

There is a CRL Distribution Point URL in the certificate. So download the CRL and attach it to the cert structure so that we can later find out if the cert was revoked.

Parameters

array &$cert

by-reference: the cert data we are writing into

Returns

int —

result code whether we were successful in retrieving the CRL

redact()

redact(string $stringToRedact, array $inputarray) : array

We don't want to write passwords of the live login test to our logs. Filter them out.

Parameters

$stringToRedact

what should be redacted

array $inputarray

array of strings (outputs of eapol_test command)

Returns

array —

the output of eapol_test with the password redacted

filterPackettype()

filterPackettype(array $inputarray) : array

Filters eapol_test output and extracts the RADIUS packet codes that the conversation was made up of.

Parameters

array $inputarray

array of strings (outputs of eapol_test command)

Returns

array —

the packet codes which were exchanged, in sequence
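What filterPackettype() extracts, and how a packet sequence maps onto the RETVAL_* codes above, as an added example written for this page rather than CAT's own code. It relies on the "RADIUS message: code=N (Name) ..." lines eapol_test prints for each packet it sends or receives; the sample excerpts are constructed, and the mapping rules (no server packet at all, a Reject with no preceding Challenge, a Reject after Challenges, ending on a Challenge) are this example's reading of the constant descriptions, not CAT's packetCountEvaluation().

```php
<?php
// Added example, not code from eduroam CAT: pull the RADIUS packet codes out of
// eapol_test output and map the sequence onto the documented RETVAL_* codes.

const RETVAL_OK                     = 0;
const RETVAL_NO_RESPONSE            = -106;
const RETVAL_SERVER_UNFINISHED_COMM = -107;
const RETVAL_IMMEDIATE_REJECT       = -108;
const RETVAL_CONVERSATION_REJECT    = -109;

const RADIUS_ACCESS_REQUEST   = 1;
const RADIUS_ACCESS_ACCEPT    = 2;
const RADIUS_ACCESS_REJECT    = 3;
const RADIUS_ACCESS_CHALLENGE = 11;

/** Packet codes exchanged, in sequence (the client's own Access-Requests included). */
function filterPackettypeExample(array $lines): array
{
    $codes = [];
    foreach ($lines as $line) {
        if (preg_match('/RADIUS message: code=(\d+) \(/', $line, $m)) {
            $codes[] = (int) $m[1];
        }
    }
    return $codes;
}

/** Overall return code for a conversation, derived from its packet sequence. */
function evaluatePacketsExample(array $codes): int
{
    // only what the server sent matters for the verdict
    $server = array_values(array_filter($codes, fn(int $c): bool => $c !== RADIUS_ACCESS_REQUEST));
    if ($server === []) {
        return RETVAL_NO_RESPONSE;                   // nothing came back at all
    }
    $last = end($server);
    $challenges = count(array_keys($server, RADIUS_ACCESS_CHALLENGE, true));
    if ($last === RADIUS_ACCESS_ACCEPT) {
        return RETVAL_OK;
    }
    if ($last === RADIUS_ACCESS_REJECT) {
        // a Reject without any Challenge first: the server would not talk EAP with us at all
        return $challenges === 0 ? RETVAL_IMMEDIATE_REJECT : RETVAL_CONVERSATION_REJECT;
    }
    return RETVAL_SERVER_UNFINISHED_COMM;            // ended on a Challenge: flow stalled mid-way
}

// Constructed eapol_test excerpts (packet lines only; real output is far more verbose).
$samples = [
    'conversation reject' => [
        'RADIUS message: code=1 (Access-Request) identifier=0 length=150',
        'RADIUS message: code=11 (Access-Challenge) identifier=0 length=64',
        'RADIUS message: code=1 (Access-Request) identifier=1 length=280',
        'RADIUS message: code=11 (Access-Challenge) identifier=1 length=1090',
        'RADIUS message: code=1 (Access-Request) identifier=2 length=160',
        'RADIUS message: code=3 (Access-Reject) identifier=2 length=44',
    ],
    'immediate reject' => [
        'RADIUS message: code=1 (Access-Request) identifier=0 length=150',
        'RADIUS message: code=3 (Access-Reject) identifier=0 length=20',
    ],
    'no response' => [
        'RADIUS message: code=1 (Access-Request) identifier=0 length=150',
        'RADIUS: Resending RADIUS message (id=0)',
    ],
];
foreach ($samples as $label => $lines) {
    $codes = filterPackettypeExample($lines);
    printf("%-20s %-12s -> %d\n", $label, implode(',', $codes), evaluatePacketsExample($codes));
}
```

The "no response" verdict here is based purely on packet codes; in practice it should be distinguished from RETVAL_CONNECTION_REFUSED (an ICMP port-unreachable answer) by looking at the socket error eapol_test reports, which is one of the line-by-line conditions checkLineparse() exists for.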

checkLineparse()

checkLineparse(array $inputarray, int $desiredCheck) : bool

This function checks for various special conditions which can be found only by parsing eapol_test output line by line. Checks currently implemented are:

* LINEPARSE_CHECK_REJECTIGNORE: did the ETLRs send back an Access-Reject because there appeared to be a timeout further downstream?
* LINEPARSE_CHECK_691: did the server send an MSCHAP Error 691 - Retry Allowed in a Challenge instead of an outright reject?
* LINEPARSE_EAPACK: was an EAP method ever acknowledged by both sides during the EAP conversation?

Parameters

array $inputarray

array of strings (outputs of eapol_test command)

$desiredCheck

which test should be run (see the LINEPARSE_* constants above)

Returns

bool —

TRUE if the condition selected by $desiredCheck was detected; FALSE if not

wpaSupplicantConfig()

wpaSupplicantConfig(array $eaptype, string $inner, string $outer, string $password) : array

Generates the wpa_supplicant network configuration that eapol_test uses for the login test.

Parameters

array $eaptype

array representation of the EAP type

$inner

inner username

$outer

outer username

$password

the password

Returns

array —

[0] is the actual config for wpa_supplicant, [1] is a redacted version for logs
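How the two halves of the live login test's log hygiene fit together, wpaSupplicantConfig() producing a config plus a redacted twin and redact() scrubbing eapol_test output, as an added example for this page (not CAT's code). It assumes an EAP type given as ['OUTER' => IANA EAP method number, 'INNER' => phase-2 method name], a hypothetical CA file path and server name, and constructed eapol_test output lines; emitting user-supplied strings in wpa_supplicant's unquoted hex form is this example's choice, made so that a quote or newline in a password cannot break out of the config syntax.

```php
<?php
// Added example, not code from eduroam CAT: build the eapol_test network block for a
// live login test together with a redacted twin for the logs, and scrub the credential
// from eapol_test output before it is stored.

const REDACTED = '***';
// IANA EAP method numbers for the outer methods this example handles (assumption: CAT's
// own representation of EAP types is not reproduced here)
const OUTER_EAP_NAMES = [13 => 'TLS', 21 => 'TTLS', 25 => 'PEAP'];

/** Replace the secret in every line, also where it was logged as a hexdump. */
function redactExample(string $secret, array $lines): array
{
    if ($secret === '') {
        return $lines;
    }
    $hex = bin2hex($secret);
    // literal, compact hex (as written in the config) and space-separated hex (as in debug hexdumps)
    $needles = [$secret, $hex, implode(' ', str_split($hex, 2))];
    return array_map(fn(string $l): string => str_replace($needles, REDACTED, $l), $lines);
}

/**
 * [0] config for eapol_test, [1] the same with the password redacted.
 * User-supplied strings are emitted as hex so that a quote or newline in a
 * password or identity cannot break out of the wpa_supplicant string syntax.
 */
function wpaSupplicantConfigExample(array $eaptype, string $inner, string $outer, string $password, string $caFile, string $serverName): array
{
    $outerName = OUTER_EAP_NAMES[$eaptype['OUTER']] ?? null;
    if ($outerName === null) {
        throw new InvalidArgumentException('unsupported outer EAP type: ' . $eaptype['OUTER']);
    }
    $lines = [
        'network={',
        '  key_mgmt=WPA-EAP',
        '  eap=' . $outerName,
        '  anonymous_identity=' . bin2hex($outer),
        '  identity=' . bin2hex($inner),
        '  ca_cert="' . $caFile . '"',              // hypothetical path; pins the expected CA bundle
        '  domain_match="' . $serverName . '"',     // hypothetical name; pins the expected server name
    ];
    if ($outerName !== 'TLS') {                     // TLS authenticates with a client cert, no password
        $lines[] = '  phase2="auth=' . strtoupper($eaptype['INNER']) . '"';
        $lines[] = '  password=' . bin2hex($password);
    }
    $lines[] = '}';
    $config = implode("\n", $lines) . "\n";
    return [$config, redactExample($password, [$config])[0]];
}

$secret = 'hunter"2';                               // constructed credential with a quote in it
[$config, $forLog] = wpaSupplicantConfigExample(
    ['OUTER' => 21, 'INNER' => 'PAP'], 'testuser@example.org', 'anonymous@example.org',
    $secret, '/tmp/ca.pem', 'radius.example.org');
echo $forLog;                                       // $config goes to eapol_test only, never to the log

// Constructed eapol_test output lines; the hexdump is what a debug trace of the inner
// PAP exchange would contain (68 75 6e 74 65 72 22 32 spells the secret above).
$output = [
    'EAP-TTLS: Phase 2 PAP Request',
    'EAP-TTLS: Phase 2 PAP password - hexdump(len=8): 68 75 6e 74 65 72 22 32',
    'CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully',
];
echo implode("\n", redactExample($secret, $output)), "\n";
```

Because the config carries the password as hex, the redaction needles include the hex form as well as the literal; without that the "password=" line of the config would survive into the redacted twin. A short password (a single character, say) will still be replaced wherever it occurs, so redacted output is only ever for logs, never for further parsing.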

packetCountEvaluation()

packetCountEvaluation($testresults, $packetcount)

Parameters

$testresults
$packetcount

eapolTestConfig()

eapolTestConfig(int $probeindex, bool $opName, bool $frag) : string

generate an eapol_test command line for the fixed config filename ./udp_login_test.conf

Parameters

$probeindex

number of the probe to check against

$opName

include Operator-Name in the request?

$frag

make the request so large that fragmentation is needed?

Returns

string —

the command line for eapol_test

thoroughChainChecks()

thoroughChainChecks($testresults, $intermOdditiesCAT, $tmpDir, $servercert, $eapIntermediates, $eapIntermediateCRLs)

Parameters

$testresults
$intermOdditiesCAT
$tmpDir
$servercert
$eapIntermediates
$eapIntermediateCRLs

thoroughNameChecks()

thoroughNameChecks($servercert, $testresults)

Parameters

$servercert
$testresults

executeEapolTest()

executeEapolTest($tmpDir, $probeindex, $eaptype, $innerUser, $password, $opnameCheck, $frag)

Parameters

$tmpDir
$probeindex
$eaptype
$innerUser
$password
$opnameCheck
$frag