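#!/usr/bin/perl
# radius_auth.pl: reads information passed from Typhoon and
# authenticates against a RADIUS server.
# written by Daniel Erat , http://erat.org/
#
# Exchange as handled below: Typhoon writes an "Action: <name>" line,
# zero or more "Key: value" lines and a terminating "." line on STDIN;
# this script answers on STDOUT with a status line followed by ".",
# each terminated by CRLF.

use strict;
use warnings;

use Authen::Radius;
use Sys::Syslog qw(:DEFAULT setlogsock);

my $host   = 'a.b.c.d:port';   # IP address and port of RADIUS server
my $secret = 'password';       # shared secret for RADIUS server (clear)
my $realm  = 'example.com';    # realm that should be used for auth requests

# The shared secret above is what protects the User-Password attribute on
# the wire, so keep this file readable only by the account that runs it
# and use a long, random value here.

# turn off buffering of stdout -- otherwise, typhoon will never get the
# output from this script.
$| = 1;

# init syslog
setlogsock('unix');
openlog('radius_auth.pl', 'pid', 'news');

# init radius -- bail out early instead of dying on the first request
my $rad = Authen::Radius->new(Host => $host, Secret => $secret)
    or do {
        syslog('err', "cannot initialise RADIUS client for $host");
        die "cannot initialise RADIUS client for $host\n";
    };
Authen::Radius->load_dictionary;

##################################################

# Return the line without its CRLF terminator (a bare LF is tolerated too).
sub _chomp_crlf {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    return $line;
}

# Consume and discard input lines up to and including the terminating ".".
sub _skip_block {
    while (my $line = <>) {
        last if _chomp_crlf($line) eq '.';
    }
    return;
}

# Read the attribute lines of an "Action: authenticate" block.  Returns a
# hash keyed by lower-cased attribute name ("username", "password",
# "ipaddress"); a repeated attribute keeps its last value and anything
# else is ignored.  Stops after the "." line.
sub _read_attributes {
    my %attr_of;
    while (my $line = <>) {
        $line = _chomp_crlf($line);
        last if $line eq '.';
        if ($line =~ /^(Username|Password|IPAddress): (.*)/i) {
            $attr_of{ lc $1 } = $2;
        }
    }
    return %attr_of;
}

##################################################

while (my $line = <>) {
    $line = _chomp_crlf($line);

    # always require authentication
    if ($line eq 'Action: connect') {
        _skip_block();
        print "480\r\n.\r\n";
    }
    # nothing to see here
    elsif ($line eq 'Action: disconnect') {
        _skip_block();
    }
    elsif ($line eq 'Action: authenticate') {
        my %attr_of       = _read_attributes();
        my $orig_username = $attr_of{username};
        my $password      = $attr_of{password};
        my $ipaddr        = defined $attr_of{ipaddress} ? $attr_of{ipaddress} : 'unknown';

        # Refuse an incomplete request outright; without this the packet
        # would go out as "@$realm" with an undefined password.
        if (!defined $orig_username || !defined $password) {
            syslog('info', "failure for incomplete request from $ipaddr");
            print "502\r\n.\r\n";
            next;
        }

        # Pin the realm: anything the client supplied after '@' is dropped
        # and replaced with ours, so a client-chosen realm is never forwarded.
        my $username = $orig_username;
        $username =~ s/@.*//;
        $username .= "\@$realm";

        # build and send radius packet
        $rad->clear_attributes;
        $rad->add_attributes(
            { Name => 'User-Name', Value => $username },
            { Name => 'Password',  Value => $password },
            # include any additional attributes that you need here
            # NAS-IP-Address and/or NAS-Identifier would be good ones
        );
        my $type;
        $type = $rad->recv_packet if $rad->send_packet(ACCESS_REQUEST);

        # log result and give response to typhoon -- anything other than an
        # explicit Access-Accept (including no reply at all) is a failure
        if (defined $type && $type == ACCESS_ACCEPT) {
            syslog('info', "success for \"$orig_username\" from $ipaddr");
            print "281\r\n.\r\n";
        }
        else {
            my $outcome = defined $type ? 'failure' : 'no RADIUS reply';
            syslog('info', "$outcome for \"$orig_username\" from $ipaddr");
            print "502\r\n.\r\n";
        }
    }
}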