summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2024-04-22 18:09:07 +0200
committerGitHub <noreply@github.com>2024-04-22 18:09:07 +0200
commit428d793ef162cc3e61af0fbc89963898e6b3988d (patch)
tree8e4f43002a20d046edf1c9dba703b5517595ff25
parent2208c846d6bffeecac99afa7ebc3eda5c467aebc (diff)
parent162a0f0d746f7789a676332ec04dba65fefd6d4e (diff)
downloadvyos-1x-428d793ef162cc3e61af0fbc89963898e6b3988d.tar.gz
vyos-1x-428d793ef162cc3e61af0fbc89963898e6b3988d.zip
Merge pull request #3341 from vyos/mergify/bp/sagitta/pr-3337
T6237: IPSec remote access VPN: ability to set EAP ID of clients (backport #3337)
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j22
-rw-r--r--interface-definitions/vpn_ipsec.xml.in20
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py5
3 files changed, 26 insertions, 1 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index adfa32bde..6bced88c7 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -33,7 +33,7 @@
auth = pubkey
{% elif rw_conf.authentication.client_mode.startswith("eap") %}
auth = {{ rw_conf.authentication.client_mode }}
- eap_id = %any
+ eap_id = {{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }}
{% endif %}
{% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %}
{# pass all configured CAs as filenames, separated by commas #}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 833019d68..7f425d982 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -768,6 +768,26 @@
<children>
#include <include/ipsec/authentication-id.xml.i>
#include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="eap-id">
+ <properties>
+ <help>Remote EAP ID for client authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Remote EAP ID for client authentication</description>
+ </valueHelp>
+ <completionHelp>
+ <list>any</list>
+ </completionHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Allow any EAP ID</description>
+ </valueHelp>
+ <constraint>
+ <regex>[[:ascii:]]{1,64}</regex>
+ </constraint>
+ </properties>
+ <defaultValue>any</defaultValue>
+ </leafNode>
<leafNode name="client-mode">
<properties>
<help>Client authentication mode</help>
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 145b5990e..27356d70e 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -782,6 +782,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem')))
self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+ # Test setting of custom EAP ID
+ self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'eap-id', 'eap-user@vyos.net'])
+ self.cli_commit()
+ self.assertIn(r'eap_id = eap-user@vyos.net', read_file(swanctl_file))
+
self.tearDownPKI()
def test_remote_access_x509(self):