summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-08-26 18:17:31 +0200
committerChristian Poessinger <christian@poessinger.com>2021-08-26 18:21:05 +0200
commit9471a9bac452c2c5600ef5d91dd842c8e084e8d6 (patch)
tree96e671aca064182cb342b598eb6ce01a64e3b980
parent3cca26f6dcf74ae430cc557f67a4116adaec19fe (diff)
downloadvyos-1x-9471a9bac452c2c5600ef5d91dd842c8e084e8d6.tar.gz
vyos-1x-9471a9bac452c2c5600ef5d91dd842c8e084e8d6.zip
ipsec: T1210: support road-warrior IP assignment via RADIUS Framed-IP-Address
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a "radius" option.
-rw-r--r--interface-definitions/vpn_ipsec.xml.in12
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py24
2 files changed, 29 insertions, 7 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index b28c86ae6..b0dba4bce 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -771,11 +771,19 @@
<help>Pool name used for IP address assignments</help>
<completionHelp>
<path>vpn ipsec remote-access pool</path>
- <list>dhcp</list>
+ <list>dhcp radius</list>
</completionHelp>
<valueHelp>
<format>txt</format>
- <description>Pool name</description>
+ <description>Name of predefined IP pool</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dhcp</format>
+ <description>Forward requests for virtual IP addresses to a DHCP server</description>
+ </valueHelp>
+ <valueHelp>
+ <format>radius</format>
+ <description>Forward requests for virtual IP addresses to a RADIUS server</description>
</valueHelp>
<multi/>
</properties>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d3065fc47..ff6090e22 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -286,20 +286,34 @@ def verify(ipsec):
if 'pre_shared_secret' not in ra_conf['authentication']:
raise ConfigError(f"Missing pre-shared-key on {name} remote-access config")
+ if 'client_mode' not in ra_conf['authentication']:
+ raise ConfigError('Client authentication method is required!')
- if 'client_mode' in ra_conf['authentication']:
- if ra_conf['authentication']['client_mode'] == 'eap-radius':
- if 'radius' not in ipsec['remote_access'] or 'server' not in ipsec['remote_access']['radius'] or len(ipsec['remote_access']['radius']['server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ if dict_search('authentication.client_mode', ra_conf) == 'eap-radius':
+ if dict_search('remote_access.radius.server', ipsec) == None:
+ raise ConfigError('RADIUS authentication requires at least one server')
if 'pool' in ra_conf:
+ if {'dhcp', 'radius'} <= set(ra_conf['pool']):
+ raise ConfigError(f'Can not use both DHCP and RADIUS for address allocation '\
+ f'at the same time for "{name}"!')
+
if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
- raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!')
+ raise ConfigError(f'Can not use DHCP and a predefined address pool for "{name}"!')
+
+ if 'radius' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
+ raise ConfigError(f'Can not use RADIUS and a predefined address pool for "{name}"!')
for pool in ra_conf['pool']:
if pool == 'dhcp':
if dict_search('remote_access.dhcp.server', ipsec) == None:
raise ConfigError('IPSec DHCP server is not configured!')
+ elif pool == 'radius':
+ if dict_search('remote_access.radius.server', ipsec) == None:
+ raise ConfigError('IPSec RADIUS server is not configured!')
+
+ if dict_search('authentication.client_mode', ra_conf) != 'eap-radius':
+ raise ConfigError('RADIUS IP pool requires eap-radius client authentication!')
elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']:
raise ConfigError(f'Requested pool "{pool}" does not exist!')