From a87ada1c4e9d5a426282c900207964d09d2a1020 Mon Sep 17 00:00:00 2001 From: RageLtMan <rageltman [at] sempervictus> Date: Wed, 17 Aug 2022 18:05:02 -0400 Subject: T3896: Drop cserv local user req, add groupconfig From ocserv documentation: ``` If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values. ``` Implement yes/no configuration and parameter handling during jinja rendering. Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used. Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation --- data/templates/ocserv/ocserv_config.j2 | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'data/templates/ocserv/ocserv_config.j2') diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index e0cad5181..1cbb52ccf 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -7,7 +7,11 @@ run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} +{% if "yes" in authentication.radius.groupconfig %} +auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]" +{% else %} auth = "radius [config=/run/ocserv/radiusclient.conf]" +{% endif %} {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" -- cgit v1.2.3 From 0b3bfe97b617b08ab9fd6682a0875c75c8a7bc5c Mon Sep 17 00:00:00 2001 From: RageLtMan <rageltman [at] sempervictus> Date: Wed, 17 Aug 2022 21:03:50 -0400 Subject: T3896: Use group selector and forced dns tunneling Enterprise RADIUS configurations often utilize group selectors for authentication and attribute distribution for connecting clients. Ocserv implements this functionality via the `select-group` config file attribute, repeating for multiple groups. When a user selects their membership group and the request is passed to the RADIUS server, ocserv will match the returned Class attribute against the value selected by the user. This functionality also works for local group membership resolution, although VyOS currently doesn't have group membership configuration for this. Expose the tunnel-all-dns option in the ocserv config file allowing users who deploy default routes to select split-dns and those who do not to enable full DNS tunneling. Testing: Smoketests & build Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf --- data/templates/ocserv/ocserv_config.j2 | 20 ++++++++++++++++--- interface-definitions/vpn-openconnect.xml.in | 30 ++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 3 deletions(-) (limited to 'data/templates/ocserv/ocserv_config.j2') diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 1cbb52ccf..5d5a4101b 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -7,11 +7,11 @@ run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} -{% if "yes" in authentication.radius.groupconfig %} +{% if "yes" in authentication.radius.groupconfig %} auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]" -{% else %} +{% else %} auth = "radius [config=/run/ocserv/radiusclient.conf]" -{% endif %} +{% endif %} {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" @@ -66,6 +66,13 @@ device = sslvpn dns = {{ dns }} {% endfor %} {% endif %} +{% if network_settings.tunnel_all_dns is vyos_defined %} +{% if "yes" in network_settings.tunnel_all_dns %} +tunnel-all-dns = true +{% else %} +tunnel-all-dns = false +{% endif %} +{% endif %} # IPv4 network pool {% if network_settings.client_ip_settings.subnet is vyos_defined %} @@ -89,3 +96,10 @@ route = {{ route }} split-dns = {{ tmp }} {% endfor %} {% endif %} + +{% if authentication.groups is vyos_defined %} +# Group settings +{% for grp in authentication.groups %} +select-group = {{ grp }} +{% endfor %} +{% endif %} \ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 3ab8dd815..54f93344b 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,6 +50,16 @@ </leafNode> </children> </node> + <leafNode name="groups"> + <properties> + <help>Groups that a client is allowed to select from. Maps to RADIUS Class attribute.</help> + <valueHelp> + <format>txt</format> + <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description> + </valueHelp> + <multi/> + </properties> + </leafNode> #include <include/auth-local-users.xml.i> <node name="local-users"> <children> @@ -298,6 +308,26 @@ <multi/> </properties> </leafNode> + <leafNode name="tunnel-all-dns"> + <properties> + <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help> + <completionHelp> + <list>yes no</list> + </completionHelp> + <valueHelp> + <format>yes</format> + <description>Enable tunneling of all DNS traffic</description> + </valueHelp> + <valueHelp> + <format>no</format> + <description>Disable tunneling of all DNS traffic</description> + </valueHelp> + <constraint> + <regex>(yes|no)</regex> + </constraint> + </properties> + <defaultValue>no</defaultValue> + </leafNode> </children> </node> </children> -- cgit v1.2.3 From 4a5e4cfd6c11a6eed3252744ec45638249d6d2b1 Mon Sep 17 00:00:00 2001 From: RageLtMan <rageltman [at] sempervictus> Date: Thu, 18 Aug 2022 18:57:19 -0400 Subject: T3896: update groupconfig syntax per PR1463 Address @sever-sever's suggestion to refactor how groupconfig is defined, parsed, and set (with his proposed conditional string appending Py-sugar). Use the disable-mobike refactor as template for XML simplification. Testing: None yet --- data/templates/ocserv/ocserv_config.j2 | 6 +----- interface-definitions/vpn-openconnect.xml.in | 17 +---------------- 2 files changed, 2 insertions(+), 21 deletions(-) (limited to 'data/templates/ocserv/ocserv_config.j2') diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 5d5a4101b..fef49d30f 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -7,11 +7,7 @@ run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} -{% if "yes" in authentication.radius.groupconfig %} -auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]" -{% else %} -auth = "radius [config=/run/ocserv/radiusclient.conf]" -{% endif %} +auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 54f93344b..7167b5d8d 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -156,23 +156,8 @@ </leafNode> <leafNode name="groupconfig"> <properties> - <help>If the groupconfig option is set to yes, then config-per-user will be overriden, and all configuration will be read from radius.</help> - <completionHelp> - <list>yes no</list> - </completionHelp> - <valueHelp> - <format>yes</format> - <description>Enable RADIUS acquisition of group properties</description> - </valueHelp> - <valueHelp> - <format>no</format> - <description>Disable RADIUS acquisition of group properties</description> - </valueHelp> - <constraint> - <regex>(yes|no)</regex> - </constraint> + <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius.</help> </properties> - <defaultValue>no</defaultValue> </leafNode> </children> </node> -- cgit v1.2.3 From e5785ff748f93b66879d8bd0393c208c6df574a9 Mon Sep 17 00:00:00 2001 From: RageLtMan <rageltman [at] sempervictus> Date: Wed, 24 Aug 2022 21:36:32 -0400 Subject: T3896: update group syntax per PR1463 --- data/templates/ocserv/ocserv_config.j2 | 4 ++-- interface-definitions/vpn-openconnect.xml.in | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'data/templates/ocserv/ocserv_config.j2') diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index fef49d30f..1d105113d 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -93,9 +93,9 @@ split-dns = {{ tmp }} {% endfor %} {% endif %} -{% if authentication.groups is vyos_defined %} +{% if authentication.group is vyos_defined %} # Group settings -{% for grp in authentication.groups %} +{% for grp in authentication.group %} select-group = {{ grp }} {% endfor %} {% endif %} \ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 7167b5d8d..522465611 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,9 +50,9 @@ </leafNode> </children> </node> - <leafNode name="groups"> + <leafNode name="group"> <properties> - <help>Groups that a client is allowed to select from. Maps to RADIUS Class attribute.</help> + <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help> <valueHelp> <format>txt</format> <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description> -- cgit v1.2.3