| author | Christian Poessinger <christian@poessinger.com> | 2019-11-18 21:07:07 +0100 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2019-11-23 20:44:02 +0100 | 
| commit | dfa2f0e8ecd8a117bf47b64d7099d613f487d799 (patch) | |
| tree | 2a4151ea45a833abcc2854f313aed41bb19c38be | |
| parent | e6b269980faaaa2b3529cdb34e8f83c9f3c41b64 (diff) | |
wireless: T1627: change RADIUS CLI syntax
Adapt the RADIUS configuration and harmonize it with the rest of VyOS. Move the
following configuration block:
  security {
      wpa {
          cipher CCMP
          mode wpa2
          radius-server 172.16.100.10 {
              port 1812
              secret secretkey
          }
          radius-server 172.16.100.11 {
              port 1812
              secret secretkey
          }
      }
  }
to the harmonized version of:
  security {
      wpa {
          cipher CCMP
          mode wpa2
          radius {
              server 172.16.100.10 {
                  port 1812
                  secret secretkey
              }
              server 172.16.100.11 {
                  port 1812
                  secret secretkey
              }
          }
      }
  }
And add the new "set interfaces wireless wlan0 security wpa radius
source-address" CLI command to specify the origin of any RADIUS query on
systems having multiple IP addresses.
| -rw-r--r-- | interface-definitions/interfaces-wireless.xml | 65 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-wireless.py | 43 | ||||
| -rwxr-xr-x | src/migration-scripts/interfaces/3-to-4 | 33 | 
3 files changed, 94 insertions, 47 deletions
| 
diff --git a/interface-definitions/interfaces-wireless.xml b/interface-definitions/interfaces-wireless.xml
index a1712cb33..f1928ee0c 100644
--- a/interface-definitions/interfaces-wireless.xml
+++ b/interface-definitions/interfaces-wireless.xml
@@ -744,46 +744,47 @@
                       <constraintErrorMessage>Invalid WPA pass phrase, must be 8 to 63 printable characters!</constraintErrorMessage>
                     </properties>
                   </leafNode>
-                  <tagNode name="radius-server">
+                  <node name="radius">
                     <properties>
-                      <help>RADIUS server authentication</help>
-                      <valueHelp>
-                        <format>ipv4</format>
-                        <description>IPv4 address of RADIUS server</description>
-                      </valueHelp>
+                      <help>RADIUS specific configuration</help>
                     </properties>
                     <children>
-                      <leafNode name="accounting">
-                        <properties>
-                          <help>RADIUS server to receive accounting info (default: 1813)</help>
-                          <valueHelp>
-                            <format>1-65535</format>
-                            <description>RADIUS server accounting port</description>
-                          </valueHelp>
-                          <constraint>
-                            <validator name="numeric" argument="--range 1-65535"/>
-                          </constraint>
-                        </properties>
-                      </leafNode>
-                      <leafNode name="port">
+                      <tagNode name="server">
                         <properties>
-                          <help>RADIUS server port (default: 1812)</help>
+                          <help>RADIUS server</help>
                           <valueHelp>
-                            <format>1-65535</format>
-                            <description>RADIUS server port</description>
+                            <format>ipv4</format>
+                            <description>IPv4 address of RADIUS server</description>
                           </valueHelp>
-                          <constraint>
-                            <validator name="numeric" argument="--range 1-65535"/>
-                          </constraint>
-                        </properties>
-                      </leafNode>
-                      <leafNode name="secret">
-                        <properties>
-                          <help>Secret for radius access</help>
                         </properties>
-                      </leafNode>
+                        <children>
+                          <leafNode name="accounting">
+                            <properties>
+                              <help>Enable RADIUS server to receive accounting info</help>
+                              <valueless/>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="port">
+                            <properties>
+                              <help>RADIUS server port (default: 1812)</help>
+                              <valueHelp>
+                                <format>1-65535</format>
+                                <description>RADIUS server port</description>
+                              </valueHelp>
+                              <constraint>
+                                <validator name="numeric" argument="--range 1-65535"/>
+                              </constraint>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="key">
+                            <properties>
+                              <help>RADIUS shared secret key</help>
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </tagNode>
                     </children>
-                  </tagNode>
+                  </node>
                 </children>
               </node>
             </children>
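Review bot: The new `radius` node defines only the `server` tag node, while the conf_mode hunk in this same commit reads `security wpa radius source-address` and the commit message announces that command; without a `source-address` leafNode here the CLI never accepts it and `radius_client_addr` can never be emitted. The diffstat for this file (65 lines) is fully accounted for by the 32 deletions and 33 insertions of this hunk, so it does not look like the leaf is added elsewhere in the commit. Separately, the `server` tag node advertises `<format>ipv4</format>` but carries no `<constraint>`, so any string is accepted and written verbatim into `auth_server_addr=` in hostapd.conf. I would add the missing leaf and give both values an address validator (`ipv4-address`, assuming that validator exists in this tree).
```xml
<node name="radius">
  <!-- … unchanged: properties/help … -->
  <children>
    <leafNode name="source-address">
      <properties>
        <help>Source IPv4 address used for RADIUS queries</help>
        <valueHelp>
          <format>ipv4</format>
          <description>IPv4 address configured on this system</description>
        </valueHelp>
        <constraint>
          <validator name="ipv4-address"/>
        </constraint>
      </properties>
    </leafNode>
    <tagNode name="server">
      <properties>
        <!-- … unchanged: help/valueHelp … -->
        <constraint>
          <validator name="ipv4-address"/>
        </constraint>
      </properties>
      <!-- … unchanged: children (accounting, port, key) … -->
```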
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index b25205590..3b270a064 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -633,14 +633,24 @@ ieee8021x=1
 # WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
 wpa_key_mgmt=WPA-EAP
+{% if sec_wpa_radius_source -%}
+# RADIUS client forced local IP address for the access point
+# Normally the local IP address is determined automatically based on configured
+# IP addresses, but this field can be used to force a specific address to be
+# used, e.g., when the device has multiple IP addresses.
+radius_client_addr={{ sec_wpa_radius_source }}
+{% endif %}
+
 {% for radius in sec_wpa_radius -%}
+# RADIUS authentication server
 auth_server_addr={{ radius.server }}
 auth_server_port={{ radius.port }}
-auth_server_shared_secret={{ radius.secret }}
-{% if radius.accounting -%}
+auth_server_shared_secret={{ radius.key }}
+{% if radius.acc_port -%}
+# RADIUS accounting server
 acct_server_addr={{ radius.server }}
 acct_server_port={{ radius.acc_port }}
-acct_server_shared_secret={{ radius.secret }}
+acct_server_shared_secret={{ radius.key }}
 {% endif %}
 {% endfor %}
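Review bot: `auth_server_shared_secret={{ radius.key }}` is emitted unconditionally, yet get_config() in this same commit initialises `key` to `''` and only overwrites it when the node exists, so a server configured without `key` produces an empty `auth_server_shared_secret=` line. As far as I recall hostapd rejects an empty shared secret while parsing its config, so the mistake would surface only when hostapd is restarted rather than at commit time. A check in verify(), which lies outside this hunk, along the lines of `if not radius['key']: raise ConfigError(f"RADIUS server {radius['server']} requires a key")` would fail the commit instead (ConfigError assumed to be the error type this script already uses). Since the generated hostapd.conf now carries the RADIUS shared secret in clear text, it is also worth confirming the file is not written world-readable; the file mode is not visible in this hunk.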
@@ -1156,29 +1166,32 @@ def get_config():
     if conf.exists('security wpa passphrase'):
         wifi['sec_wpa_passphrase'] = conf.return_value('security wpa passphrase')
-    # WPA radius server goes here
-    for server in conf.list_nodes('security wpa radius-server'):
-        # set new configuration level
-        conf.set_level(cfg_base + ' security wpa radius-server ' + server)
+    # WPA RADIUS source address
+    if conf.exists('security wpa radius source-address'):
+        wifi['sec_wpa_radius_source'] = conf.return_value('security wpa radius source-address')
+    # WPA RADIUS server
+    for server in conf.list_nodes('security wpa radius server'):
+        # set new configuration level
+        conf.set_level(cfg_base + ' security wpa radius server ' + server)
         radius = {
             'server' : server,
             'acc_port' : '',
             'port' : 1812,
-            'secret' : ''
+            'key' : ''
         }
-        # receive RADIUS accounting info
-        if conf.exists('accounting'):
-            radius['acc_port'] = conf.return_value('accounting')
-
         # RADIUS server port
         if conf.exists('port'):
-            radius['port'] = conf.return_value('port')
+            radius['port'] = int(conf.return_value('port'))
+
+        # receive RADIUS accounting info
+        if conf.exists('accounting'):
+            radius['acc_port'] = radius['port'] + 1
         # RADIUS server shared-secret
-        if conf.exists('secret'):
-            radius['secret'] = conf.return_value('secret')
+        if conf.exists('key'):
+            radius['key'] = conf.return_value('key')
         # append RADIUS server to list of servers
         wifi['sec_wpa_radius'].append(radius)
diff --git a/src/migration-scripts/interfaces/3-to-4 b/src/migration-scripts/interfaces/3-to-4
index 8b9bf7f96..e3bd25a68 100755
--- a/src/migration-scripts/interfaces/3-to-4
+++ b/src/migration-scripts/interfaces/3-to-4
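Review bot: `radius['acc_port'] = radius['port'] + 1` yields 65536 when `port` is 65535, a value the XML validator (`--range 1-65535`) still accepts, so `acct_server_port=65536` would be handed to hostapd. Either reject that combination in verify(), which is outside this hunk, e.g. `if radius['acc_port'] and radius['acc_port'] > 65535: raise ConfigError('RADIUS accounting port out of range (auth port + 1)')`, or at minimum say in the `accounting` help text that the accounting port is always the authentication port plus one so the limitation is visible from the CLI. The `port` value is now converted with `int()` while `acc_port` defaults to `''`; the template tests it for truthiness, so that mix works, but a comment on the `radius` dict, `# acc_port: '' (disabled) or int`, would spare the next reader the same check. get_config() continues beyond this hunk.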
@@ -53,9 +53,42 @@ else:
                     # not supported in the new backend. Convert all to lower-case
                     config.set(base + [wifi, node.lower()])
+        # Remove debug node
         if config.exists(base + [wifi, 'debug']):
             config.delete(base + [wifi, 'debug'])
+        # RADIUS servers
+        if config.exists(base + [wifi, 'security', 'wpa', 'radius-server']):
+            for server in config.list_nodes(base + [wifi, 'security', 'wpa', 'radius-server']):
+                base_server = base + [wifi, 'security', 'wpa', 'radius-server', server]
+
+                # Migrate RADIUS shared secret
+                if config.exists(base_server + ['secret']):
+                    key = config.return_value(base_server + ['secret'])
+                    # write new configuration node
+                    config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server, 'key'], value=key)
+                    # format as tag node
+                    config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])
+
+                # Migrate RADIUS port
+                if config.exists(base_server + ['port']):
+                    port = config.return_value(base_server + ['port'])
+                    # write new configuration node
+                    config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server, 'port'], value=port)
+                    # format as tag node
+                    config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])
+
+                # Migrate RADIUS accounting
+                if config.exists(base_server + ['accounting']):
+                    port = config.return_value(base_server + ['accounting'])
+                    # write new configuration node
+                    config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server, 'accounting'])
+                    # format as tag node
+                    config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])
+
+            # delete old radius-server nodes
+            config.delete(base + [wifi, 'security', 'wpa', 'radius-server'])
+
     try:
         with open(file_name, 'w') as f:
             f.write(config.to_string()) | 
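Review bot: In the accounting branch `port = config.return_value(base_server + ['accounting'])` is read and never used, so a user who had a non-default accounting port loses it silently: after migration the accounting port becomes authentication port plus one, per the conf_mode change in this commit. Since the new syntax has no separate accounting port, at least drop the dead assignment so the `if config.exists(base_server + ['accounting']):` line is followed directly by the `config.set(...)`, and consider printing a warning to stderr when the old value is not `port + 1` so the change is not invisible. The new `server` tag node is also only created inside the `secret`/`port`/`accounting` branches, so a `radius-server` entry with none of those children is dropped entirely; creating it once before the branches with `config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server])` and `config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])` would carry it over and make the three repeated `set_tag` calls unnecessary. The enclosing `else:` block starts before this hunk.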
