psPAS

6.0.30

Private/Send-RADIUSResponse.ps1

                                Function Send-RADIUSResponse {

    <#

    .SYNOPSIS

    Sends RADIUS challenge response as part of PAS logon process

    .DESCRIPTION

    psPAS helper function.

    Sends (RADIUS) logon request to Invoke-PASRestMethod,

    if response indicates RADIUS challenge, prompts for input.

    .PARAMETER LogonRequest

    The required parameters for PAS logon as defined in New-PASSession

    .PARAMETER Message

    An optional message to display as a prompt detailing the RADIUS challenge criteria

    .PARAMETER OTP

    An optional OTP value to provide as challenge response.

    .EXAMPLE

    Send-RADIUSResponse -LogonRequest $LogonRequest -Message "Some Message"

    #>

    [CmdletBinding()]

    param(

        [parameter(

            Mandatory = $true,

            ValueFromPipelineByPropertyName = $true)]

        [hashtable]$LogonRequest,

        [parameter(

            Mandatory = $false,

            ValueFromPipelineByPropertyName = $true)]

        [string]$Message,

        [parameter(

            Mandatory = $false,

            ValueFromPipelineByPropertyName = $true)]

        [string]$OTP

    )

    Begin {

        #Default value for the Read-Host prompt.

        $Prompt = 'Enter OTP'

    }

    Process {

        #OTP value has not yet been provided.

        #Initial RADIUS auth attempt will trigger notification of OTP for user to provide.

        #?"passcode" remains an option for backward compatibility.

        If ((-not ($PSBoundParameters.ContainsKey('OTP'))) -or ($PSBoundParameters['OTP'] -match 'passcode')) {

            If ($null -ne $Message) {

                #*The message from the exception containing challenge instructions from the RADIUS server.

                $Prompt = $Message

            }

            #Prompt user for OTP or Challenge Response

            $OTP = $(Read-Host -Prompt $Prompt)

        }

        #Construct Request Body with $OTP value as RADIUS response

        $Body = $LogonRequest['Body'] | ConvertFrom-Json | Select-Object username

        $Body | Add-Member -MemberType NoteProperty -Name 'Password' -Value $OTP -Force

        $LogonRequest['Body'] = $Body | ConvertTo-Json

        try {

            #Respond to RADIUS challenge

            Invoke-PASRestMethod @LogonRequest

        } catch {

            if ($PSItem.FullyQualifiedErrorId -notmatch 'ITATS542I') {

                #Throw all errors not related to ITATS542I

                throw $PSItem

            } Else {

                #ITATS542I indicates further challenge required

                #pass $LogonRequest and challenge message back into this function

                Send-RADIUSResponse -LogonRequest $LogonRequest -Message "$($PSItem.Exception.Message)"

            }

        }

    }

    End {}

}