From dfb925494cc9f71c4a5931daa94e83a7bd34a406 Mon Sep 17 00:00:00 2001 From: Junaid Saeed Uppal Date: Tue, 23 Dec 2025 21:07:05 +0500 Subject: [PATCH] Implement proper MS-CHAPv2 authentication for MikroTik PPPoE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two-processor approach: 1. MSCHAPv2GetPassword: Uses *authorize + *attributes to fetch password from CGRateS attributes subsystem and get MaxUsage for session timeout 2. MSCHAPv2Auth: Uses *radauth + *mschapv2 to perform actual MS-CHAPv2 authentication with cryptographic proof (MS-CHAP2-Success) The password is read from ~*cgrep.Attributes.Password (set via Attributes.csv) and placed in *vars.UserPassword for the *radauth to use. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- cgrates.json | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/cgrates.json b/cgrates.json index 0e27af9..c148e1e 100644 --- a/cgrates.json +++ b/cgrates.json @@ -82,13 +82,34 @@ }, "request_processors": [ { - "id": "TestAuthSimple", + "id": "MSCHAPv2GetPassword", "filters": ["*string:~*vars.*radReqType:*radAuth"], - "flags": ["*none", "*log"], - "request_fields": [], + "flags": ["*authorize", "*attributes", "*accounts", "*continue", "*log"], + "request_fields": [ + {"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"}, + {"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant", "value": "*prepaid", "mandatory": true}, + {"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*composed", "value": "~*req.Acct-Session-Id", "mandatory": true}, + {"tag": "Account", "path": "*cgreq.Account", "type": "*composed", "value": "~*req.User-Name", "mandatory": true}, + {"tag": "Subject", "path": "*cgreq.Subject", "type": "*composed", "value": "~*req.User-Name", "mandatory": true}, + {"tag": "Destination", "path": "*cgreq.Destination", "type": "*constant", "value": "pppoe"}, + {"tag": "SetupTime", "path": "*cgreq.SetupTime", "type": "*constant", "value": "*now", "mandatory": true}, + {"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*constant", "value": "*now", "mandatory": true} + ], "reply_fields": [ - {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessAccept"}, - {"tag": "SessionTimeout", "path": "*rep.Session-Timeout", "type": "*constant", "value": "3600"} + {"tag": "MaxUsage", "path": "*rep.Session-Timeout", "type": "*composed", "value": "~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true} + ] + }, + { + "id": "MSCHAPv2Auth", + "filters": ["*string:~*vars.*radReqType:*radAuth"], + "flags": ["*radauth", "*mschapv2", "*log"], + "request_fields": [ + {"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable", "value": "~*cgrep.Attributes.Password"} + ], + "reply_fields": [ + {"tag": "RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"}, + {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"], "type": "*constant", "value": "AccessReject"}, + {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"], "type": "*variable", "value": "~*cgrep.Error"} ] } ]