Implement proper MS-CHAPv2 authentication for MikroTik PPPoE

Two-processor approach: 1. MSCHAPv2GetPassword: Uses *authorize + *attributes to fetch password from CGRateS attributes subsystem and get MaxUsage for session timeout 2. MSCHAPv2Auth: Uses *radauth + *mschapv2 to perform actual MS-CHAPv2 authentication with cryptographic proof (MS-CHAP2-Success) The password is read from ~*cgrep.Attributes.Password (set via Attributes.csv) and placed in *vars.UserPassword for the *radauth to use. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-23 21:07:05 +05:00
parent 73753b5bc3
commit dfb925494c
1 changed files with 26 additions and 5 deletions
--- a/cgrates.json
+++ b/cgrates.json
@@ -82,13 +82,34 @@
 	},
 	"request_processors": [
 		{
-			"id": "TestAuthSimple",
+			"id": "MSCHAPv2GetPassword",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*none", "*log"],
-			"request_fields": [],
+			"flags": ["*authorize", "*attributes", "*accounts", "*continue", "*log"],
+			"request_fields": [
+				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
+				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant", "value": "*prepaid", "mandatory": true},
+				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*composed", "value": "~*req.Acct-Session-Id", "mandatory": true},
+				{"tag": "Account", "path": "*cgreq.Account", "type": "*composed", "value": "~*req.User-Name", "mandatory": true},
+				{"tag": "Subject", "path": "*cgreq.Subject", "type": "*composed", "value": "~*req.User-Name", "mandatory": true},
+				{"tag": "Destination", "path": "*cgreq.Destination", "type": "*constant", "value": "pppoe"},
+				{"tag": "SetupTime", "path": "*cgreq.SetupTime", "type": "*constant", "value": "*now", "mandatory": true},
+				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*constant", "value": "*now", "mandatory": true}
+			],
 			"reply_fields": [
-				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessAccept"},
-				{"tag": "SessionTimeout", "path": "*rep.Session-Timeout", "type": "*constant", "value": "3600"}
+				{"tag": "MaxUsage", "path": "*rep.Session-Timeout", "type": "*composed", "value": "~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true}
+			]
+		},
+		{
+			"id": "MSCHAPv2Auth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth"],
+			"flags": ["*radauth", "*mschapv2", "*log"],
+			"request_fields": [
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable", "value": "~*cgrep.Attributes.Password"}
+			],
+			"reply_fields": [
+				{"tag": "RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"], "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"], "type": "*variable", "value": "~*cgrep.Error"}
 			]
 		}
 	]