From c9eaafd9f808aba8d29be73054e11d37577e539a Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Sat, 30 Dec 2023 23:25:20 +0100
Subject: T5474: establish common file name pattern for XML conf mode commands
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
---
interface-definitions/vpn_openconnect.xml.in | 392 +++++++++++++++++++++++++++
1 file changed, 392 insertions(+)
create mode 100644 interface-definitions/vpn_openconnect.xml.in
(limited to 'interface-definitions/vpn_openconnect.xml.in')
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
new file mode 100644
index 000000000..736084f8b
--- /dev/null
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -0,0 +1,392 @@ + + + + + + + SSL VPN OpenConnect, AnyConnect compatible server + 901 + + + + + Accounting for users OpenConnect VPN Sessions + + + + + Accounting mode used by this server + + + + + Use RADIUS server for accounting + + + + + + #include + + + + + Authentication for remote access SSL VPN Server + + + + + Authentication mode used by this server + + + + + Use local username/password configuration (OTP supported) + + password + Password-only local authentication + + + otp + OTP-only local authentication + + + password-otp + Password (first) + OTP local authentication + + + (password|otp|password-otp) + + Invalid authentication mode. Must be one of: password, otp or password-otp + + otp password password-otp + + + + + + Use RADIUS server for user autentication + + + + + + + + Include configuration file by username or RADIUS group attribute + + + #include + + + Select per user or per group configuration file - ignored if authentication group is configured + + user group + + + user + Match configuration file on username + + + group + Match RADIUS response class attribute as file name + + + (user|group) + + Invalid mode, must be either user or group + + + + + Directory to containing configuration files + + path + Path to configuration directory, must be under /config/auth + + + + + + + + + Default configuration if discrete config could not be found + + filename + Default configuration filename, must be under /config/auth + + + + + + + + + + + Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute. + + txt + Group string. 
The group may be followed by a user-friendly name in brackets: group1[First Group] + + + + + #include + + + + + + + 2FA OTP authentication parameters + + + + + Token Key Secret key for the token algorithm (see RFC 4226) + + txt + OTP key in hex-encoded format + + + [a-fA-F0-9]{20,10000} + + Key name must only include hex characters and be at least 20 characters long + + + + + Number of digits in OTP code + + u32:6-8 + Number of digits in OTP code + + + + + Number of digits in OTP code must be between 6 and 8 + + 6 + + + + Time tokens interval in seconds + + u32:5-86400 + Time tokens interval in seconds. + + + + + Time token interval must be between 5 and 86400 seconds + + 30 + + + + Token type + + hotp-time + Time-based OTP algorithm + + + hotp-event + Event-based OTP algorithm + + + (hotp-time|hotp-event) + + + hotp-time hotp-event + + + hotp-time + + + + + + + + #include + + + #include + + + If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS. 
+ + + + + + + #include + + 0.0.0.0 + + + + Specify custom ports to use for client connections + + + + + tcp port number to accept connections + + u32:1-65535 + Numeric IP port + + + + + + 443 + + + + udp port number to accept connections + + u32:1-65535 + Numeric IP port + + + + + + 443 + + + + + + Enable HTTP security headers + + + + + + SSL Certificate, SSL Key and CA + + + #include + #include + + + + + Network settings + + + + + Route to be pushed to the client + + ipv4net + IPv4 network and prefix length + + + ipv6net + IPv6 network and prefix length + + + + + + + + + + Client IP pools settings + + + + + Client IP subnet (CIDR notation) + + ipv4net + IPv4 address and prefix length + + + + + Not a valid CIDR formatted prefix + + + + + + + Pool of client IPv6 addresses + + + + + Pool of addresses used to assign to clients + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length used for individual client + + u32:48-128 + Client prefix length + + + + + + 64 + + + + #include + + + Domains over which the provided DNS should be used + + txt + Client prefix length + + + + + + + + + + If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set. + + yes no + + + yes + Enable tunneling of all DNS traffic + + + no + Disable tunneling of all DNS traffic + + + (yes|no) + + + no + + + + + + + + -- cgit v1.2.3
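Review bot: The value help under `Domains over which the provided DNS should be used` reads `Client prefix length`, which is copied from the preceding prefix-length node and describes the wrong value; it should read something like `Domain name` (the XML tags are stripped in this view, so the exact element is inferred from the help text order). The user-facing help text also carries typos worth fixing while the file is being moved: `Use RADIUS server for user autentication` → `user authentication`, `Directory to containing configuration files` → `Directory containing configuration files`, and `config-per-user will be overriden` → `will be overridden`. The OTP key constraint error says `Key name must only include hex characters and be at least 20 characters long` although the node holds the key itself, not a name; `OTP key must only include hex characters and be at least 20 characters long` would match the regex `[a-fA-F0-9]{20,10000}` shown beside it.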