From 2a023b878471500bd78962ca94d9174a328ce5c9 Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Wed, 13 Sep 2023 12:41:04 +0300
Subject: RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS

In CLI we can choose authentication logic:

  - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
  be stopped and access denied immediately.
  - `optional` (default) - if RADIUS answers with `Access-Reject`,
  authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
---
 src/conf_mode/system-login.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

(limited to 'src/conf_mode')

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 02c97afaa..be5ff2d4c 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -104,6 +104,9 @@ def get_config(config=None):
     # prune TACACS global defaults if not set by user
     if login.from_defaults(['tacacs']):
         del login['tacacs']
+    # same for RADIUS
+    if login.from_defaults(['radius']):
+        del login['radius']
 
     # create a list of all users, cli and users
     all_users = list(set(local_users + cli_users))
@@ -377,11 +380,14 @@ def apply(login):
             except Exception as e:
                 raise ConfigError(f'Deleting user "{user}" raised exception: {e}')
 
-    # Enable RADIUS in PAM configuration
-    pam_cmd = '--remove'
+    # Enable/disable RADIUS in PAM configuration
+    cmd('pam-auth-update --disable radius-mandatory radius-optional')
     if 'radius' in login:
-        pam_cmd = '--enable'
-    cmd(f'pam-auth-update --package {pam_cmd} radius')
+        if login['radius'].get('security_mode', '') == 'mandatory':
+            pam_profile = 'radius-mandatory'
+        else:
+            pam_profile = 'radius-optional'
+        cmd(f'pam-auth-update --enable {pam_profile}')
 
     # Enable/Disable TACACS in PAM configuration
     pam_cmd = '--remove'
-- 
cgit v1.2.3