author | Christian Poessinger <christian@poessinger.com> | 2021-08-26 18:17:31 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-08-26 18:21:05 +0200 |
commit | 9471a9bac452c2c5600ef5d91dd842c8e084e8d6 (patch) | |
tree | 96e671aca064182cb342b598eb6ce01a64e3b980 | |
parent | 3cca26f6dcf74ae430cc557f67a4116adaec19fe (diff) | |
download | vyos-1x-9471a9bac452c2c5600ef5d91dd842c8e084e8d6.tar.gz vyos-1x-9471a9bac452c2c5600ef5d91dd842c8e084e8d6.zip |
ipsec: T1210: support road-warrior IP assignment via RADIUS Framed-IP-Address
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a
"radius" option.
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 12 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 24 |
2 files changed, 29 insertions, 7 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index b28c86ae6..b0dba4bce 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -771,11 +771,19 @@
 <help>Pool name used for IP address assignments</help>
 <completionHelp>
 <path>vpn ipsec remote-access pool</path>
- <list>dhcp</list>
+ <list>dhcp radius</list>
 </completionHelp>
 <valueHelp>
 <format>txt</format>
- <description>Pool name</description>
+ <description>Name of predefined IP pool</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dhcp</format>
+ <description>Forward requests for virtual IP addresses to a DHCP server</description>
+ </valueHelp>
+ <valueHelp>
+ <format>radius</format>
+ <description>Forward requests for virtual IP addresses to a RADIUS server</description>
 </valueHelp>
 <multi/>
 </properties>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d3065fc47..ff6090e22 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -286,20 +286,34 @@ def verify(ipsec):
 if 'pre_shared_secret' not in ra_conf['authentication']:
 raise ConfigError(f"Missing pre-shared-key on {name} remote-access config")
+ if 'client_mode' not in ra_conf['authentication']:
+ raise ConfigError('Client authentication method is required!')
- if 'client_mode' in ra_conf['authentication']:
- if ra_conf['authentication']['client_mode'] == 'eap-radius':
- if 'radius' not in ipsec['remote_access'] or 'server' not in ipsec['remote_access']['radius'] or len(ipsec['remote_access']['radius']['server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ if dict_search('authentication.client_mode', ra_conf) == 'eap-radius':
+ if dict_search('remote_access.radius.server', ipsec) == None:
+ raise ConfigError('RADIUS authentication requires at least one server')
 if 'pool' in ra_conf:
+ if {'dhcp', 'radius'} <= set(ra_conf['pool']):
+ raise ConfigError(f'Can not use both DHCP and RADIUS for address allocation '\
+ f'at the same time for "{name}"!')
+
 if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
- raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!')
+ raise ConfigError(f'Can not use DHCP and a predefined address pool for "{name}"!')
+
+ if 'radius' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
+ raise ConfigError(f'Can not use RADIUS and a predefined address pool for "{name}"!')
 for pool in ra_conf['pool']:
 if pool == 'dhcp':
 if dict_search('remote_access.dhcp.server', ipsec) == None:
 raise ConfigError('IPSec DHCP server is not configured!')
+ elif pool == 'radius':
+ if dict_search('remote_access.radius.server', ipsec) == None:
+ raise ConfigError('IPSec RADIUS server is not configured!')
+
+ if dict_search('authentication.client_mode', ra_conf) != 'eap-radius':
+ raise ConfigError('RADIUS IP pool requires eap-radius client authentication!')
 elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']:
 raise ConfigError(f'Requested pool "{pool}" does not exist!') |
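Review bot: The new `dict_search('remote_access.radius.server', ipsec) == None` test in the eap-radius branch drops the `len(...) == 0` guard the removed lines had, so an empty `server` mapping — if the config dictionary can ever yield one here — now counts as a configured RADIUS server; `if not dict_search('remote_access.radius.server', ipsec):` keeps both cases and avoids comparing to None with `==`, and the same form fits the copy under `elif pool == 'radius':`. In that `pool == 'radius'` branch the server check runs before the `client_mode != 'eap-radius'` check, so an operator who picked the RADIUS pool with another client mode is told the server is missing instead of that eap-radius is required; swapping the two `if` statements reports the root cause first. The `{'dhcp', 'radius'} <= set(ra_conf['pool'])` test is fully subsumed by the two `len(ra_conf['pool']) > 1` checks that follow it, so its only effect is a more specific message, which deserves a comment such as `# checked first only to give a clearer error than the generic pool-mix checks below`. verify() begins before this hunk and continues after it.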