diff options
author | Daniil Baturin <daniil@vyos.io> | 2024-04-22 18:09:07 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-22 18:09:07 +0200 |
commit | 428d793ef162cc3e61af0fbc89963898e6b3988d (patch) | |
tree | 8e4f43002a20d046edf1c9dba703b5517595ff25 | |
parent | 2208c846d6bffeecac99afa7ebc3eda5c467aebc (diff) | |
parent | 162a0f0d746f7789a676332ec04dba65fefd6d4e (diff) | |
download | vyos-1x-428d793ef162cc3e61af0fbc89963898e6b3988d.tar.gz vyos-1x-428d793ef162cc3e61af0fbc89963898e6b3988d.zip |
Merge pull request #3341 from vyos/mergify/bp/sagitta/pr-3337
T6237: IPSec remote access VPN: ability to set EAP ID of clients (backport #3337)
-rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 | 2 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 20 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 5 |
3 files changed, 26 insertions, 1 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index adfa32bde..6bced88c7 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -33,7 +33,7 @@ auth = pubkey {% elif rw_conf.authentication.client_mode.startswith("eap") %} auth = {{ rw_conf.authentication.client_mode }} - eap_id = %any + eap_id = {{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }} {% endif %} {% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %} {# pass all configured CAs as filenames, separated by commas #} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 833019d68..7f425d982 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -768,6 +768,26 @@ <children> #include <include/ipsec/authentication-id.xml.i> #include <include/ipsec/authentication-x509.xml.i> + <leafNode name="eap-id"> + <properties> + <help>Remote EAP ID for client authentication</help> + <valueHelp> + <format>txt</format> + <description>Remote EAP ID for client authentication</description> + </valueHelp> + <completionHelp> + <list>any</list> + </completionHelp> + <valueHelp> + <format>any</format> + <description>Allow any EAP ID</description> + </valueHelp> + <constraint> + <regex>[[:ascii:]]{1,64}</regex> + </constraint> + </properties> + <defaultValue>any</defaultValue> + </leafNode> <leafNode name="client-mode"> <properties> <help>Client authentication mode</help> diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 145b5990e..27356d70e 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -782,6 +782,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem'))) self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem'))) + # Test setting of custom EAP ID + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'eap-id', 'eap-user@vyos.net']) + self.cli_commit() + self.assertIn(r'eap_id = eap-user@vyos.net', read_file(swanctl_file)) + self.tearDownPKI() def test_remote_access_x509(self): |