2 files changed, 24 insertions, 10 deletions

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 74e8827ef..0a4a88bf8 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -42,6 +42,11 @@ airbag.enable()
 autologout_file = "/etc/profile.d/autologout.sh"
 radius_config_file = "/etc/pam_radius_auth.conf"
 
+# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
+MAX_RADIUS_TIMEOUT: int = 50
+# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
+MAX_RADIUS_COUNT: int = 25
+
 def get_local_users():
     """Return list of dynamically allocated users (see Debian Policy Manual)"""
     local_users = []
@@ -124,18 +129,27 @@ def verify(login):
     if 'radius' in login:
         if 'server' not in login['radius']:
             raise ConfigError('No RADIUS server defined!')
-
+        sum_timeout: int = 0
+        radius_servers_count: int = 0
         fail = True
         for server, server_config in dict_search('radius.server', login).items():
             if 'key' not in server_config:
                 raise ConfigError(f'RADIUS server "{server}" requires key!')
-
-            if 'disabled' not in server_config:
+            if 'disable' not in server_config:
+                sum_timeout += int(server_config['timeout'])
+                radius_servers_count += 1
                 fail = False
-                continue
+
         if fail:
             raise ConfigError('All RADIUS servers are disabled')
 
+        if radius_servers_count > MAX_RADIUS_COUNT:
+            raise ConfigError('Number of RADIUS servers more than 25 ')
+
+        if sum_timeout > MAX_RADIUS_TIMEOUT:
+            raise ConfigError('Sum of RADIUS servers timeouts '
+                              'has to be less or eq 50 sec')
+
         verify_vrf(login['radius'])
 
         if 'source_address' in login['radius']:
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index bf5d3ac84..68da70d7d 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -47,7 +47,7 @@ def get_hash(password):
     return crypt(password, mksalt(METHOD_SHA512))
 
 
-def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict:
+def _default_dict_cleanup(origin: dict, default_values: dict) -> dict:
     """
     https://vyos.dev/T2665
     Clear unnecessary key values in merged config by dict_merge function
@@ -63,7 +63,7 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict:
         del origin['authentication']['local_users']['username']['otp']
         if not origin["authentication"]["local_users"]["username"]:
             raise ConfigError(
-                'Openconnect mode local required at least one user')
+                'Openconnect authentication mode local requires at least one user')
         default_ocserv_usr_values = \
         default_values['authentication']['local_users']['username']['otp']
         for user, params in origin['authentication']['local_users'][
@@ -82,7 +82,7 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict:
         del origin['authentication']['radius']['server']['port']
         if not origin["authentication"]['radius']['server']:
             raise ConfigError(
-                'Openconnect authentication mode radius required at least one radius server')
+                'Openconnect authentication mode radius requires at least one RADIUS server')
         default_values_radius_port = \
         default_values['authentication']['radius']['server']['port']
         for server, params in origin['authentication']['radius'][
@@ -95,7 +95,7 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict:
         del origin['accounting']['radius']['server']['port']
         if not origin["accounting"]['radius']['server']:
             raise ConfigError(
-                'Openconnect accounting mode radius required at least one radius server')
+                'Openconnect accounting mode radius requires at least one RADIUS server')
         default_values_radius_port = \
             default_values['accounting']['radius']['server']['port']
         for server, params in origin['accounting']['radius'][
@@ -120,7 +120,7 @@ def get_config(config=None):
     default_values = defaults(base)
     ocserv = dict_merge(default_values, ocserv)
     # workaround a "know limitation" - https://vyos.dev/T2665
-    ocserv = T2665_default_dict_cleanup(ocserv, default_values)
+    ocserv = _default_dict_cleanup(ocserv, default_values)
     if ocserv:
         ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
                                 get_first_key=True, no_tag_node_value_mangle=True)