From 0b3bfe97b617b08ab9fd6682a0875c75c8a7bc5c Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Wed, 17 Aug 2022 21:03:50 -0400
Subject: T3896: Use group selector and forced dns tunneling
Enterprise RADIUS configurations often utilize group selectors for authentication and attribute distribution for connecting clients. Ocserv implements this functionality via the `select-group` config file attribute, repeating for multiple groups. When a user selects their membership group and the request is passed to the RADIUS server, ocserv will match the returned Class attribute against the value selected by the user. This functionality also works for local group membership resolution, although VyOS currently doesn't have group membership configuration for this. Expose the tunnel-all-dns option in the ocserv config file allowing users who deploy default routes to select split-dns and those who do not to enable full DNS tunneling. Testing: Smoketests & build Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf
---
 data/templates/ocserv/ocserv_config.j2 | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
(limited to 'data/templates/ocserv')
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1cbb52ccf..5d5a4101b 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,11 +7,11 @@ run-as-user = nobody
 run-as-group = daemon
 {% if "radius" in authentication.mode %}
-{% if "yes" in authentication.radius.groupconfig %}
+{% if "yes" in authentication.radius.groupconfig %}
 auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
-{% else %}
+{% else %}
 auth = "radius [config=/run/ocserv/radiusclient.conf]"
-{% endif %}
+{% endif %}
 {% elif "local" in authentication.mode %}
 {% if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
@@ -66,6 +66,13 @@ device = sslvpn
 dns = {{ dns }}
 {% endfor %}
 {% endif %}
+{% if network_settings.tunnel_all_dns is vyos_defined %}
+{% if "yes" in network_settings.tunnel_all_dns %}
+tunnel-all-dns = true
+{% else %}
+tunnel-all-dns = false
+{% endif %}
+{% endif %}
 # IPv4 network pool
 {% if network_settings.client_ip_settings.subnet is vyos_defined %}
@@ -89,3 +96,10 @@ route = {{ route }}
 split-dns = {{ tmp }}
 {% endfor %}
 {% endif %}
+
+{% if authentication.groups is vyos_defined %}
+# Group settings
+{% for grp in authentication.groups %}
+select-group = {{ grp }}
+{% endfor %}
+{% endif %}
\ No newline at end of file
-- cgit v1.2.3
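Review bot: The test `{% if "yes" in network_settings.tunnel_all_dns %}` in the second hunk is a containment check rather than an equality: it is true for any value that merely contains the substring "yes", and if that node is ever rendered as a boolean instead of a string the template raises at render time instead of falling through to `tunnel-all-dns = false`. The first hunk already guards `groupconfig` with the same idiom, so this matches the file's existing style, but `{% if network_settings.tunnel_all_dns == "yes" %}` states the intent directly and fails closed. The `split-dns` lines (visible as context in the last hunk) are still emitted when `tunnel-all-dns = true`; if ocserv gives the latter precedence they are harmless, but a template comment such as `{# tunnel-all-dns = true takes precedence over the split-dns entries below #}` would save the next reader a manual lookup — confirm that precedence against the ocserv documentation before adding it.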
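Review bot: `select-group = {{ grp }}` in the last hunk writes each configured group name into the daemon's config file verbatim, so the rendered line is well-formed only if the CLI restricts the value; nothing in this hunk constrains it, and a name containing whitespace or `#` would be misparsed by ocserv's config reader, while a `[` may be read as the start of a display name if ocserv still parses `name[Display Name]` for this setting — in either case the group presented to the client no longer matches the RADIUS Class value the commit message says it is compared against. The verify handler is not part of this diff, so if it does not already validate the node, a character-class check there (or a restrictive validator on the CLI node) is the right place to enforce it; a template comment such as `{# group names are emitted unquoted; they must be validated by the config-mode script #}` would make that dependency visible. Separately, the file now ends without a trailing newline (`\ No newline at end of file`); adding one after the final `{% endif %}` keeps the rendered config properly terminated and avoids a spurious diff on the next edit.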