author | Christian Poessinger <christian@poessinger.com> | 2020-04-25 14:00:26 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2020-04-25 14:01:58 +0200 |
commit | 7765d528ce304275350f87c748fa7988ffb4bc26 (patch) | |
tree | 16d23f4d58453d04f7e3d92a372d4bd32796cb3d | |
parent | 35dc9d35c5d97e1c7d4fc0602ad437f1eb373b94 (diff) | |
login: radius: T2304: add VRF support
This allows the radius client to work when a management VRF is in use.
-rw-r--r-- | data/templates/system-login/pam_radius_auth.conf.tmpl | 4 | ||||
-rw-r--r-- | interface-definitions/system-login.xml.in | 1 | ||||
-rwxr-xr-x | src/conf_mode/system-login.py | 11 |
3 files changed, 15 insertions, 1 deletions
diff --git a/data/templates/system-login/pam_radius_auth.conf.tmpl b/data/templates/system-login/pam_radius_auth.conf.tmpl
index 6cff67867..ad196fa3d 100644
--- a/data/templates/system-login/pam_radius_auth.conf.tmpl
+++ b/data/templates/system-login/pam_radius_auth.conf.tmpl
@@ -10,4 +10,8 @@
 priv-lvl 15
 mapped_priv_user radius_priv_user
+
+{% if radius_vrf %}
+vrf-name {{ radius_vrf }}
+{% endif %}
 
 {% endif %}
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index 2499a192c..053b6babd 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -130,6 +130,7 @@
               </leafNode>
             </children>
           </tagNode>
+          #include <include/interface-vrf.xml.i>
         </children>
       </node>
     </children>
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 91e2b369f..09c5422eb 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -17,6 +17,7 @@ import os
 
 from crypt import crypt, METHOD_SHA512
+from netifaces import interfaces
 from psutil import users
 from pwd import getpwall, getpwnam
 from stat import S_IRUSR, S_IWUSR, S_IRWXU, S_IRGRP, S_IXGRP
 
@@ -39,6 +40,7 @@ default_config_data = {
     'del_users': [],
     'radius_server': [],
     'radius_source_address': '',
+    'radius_vrf': ''
 }
 
 def get_local_users():
@@ -127,6 +129,10 @@ def get_config():
         if conf.exists(['source-address']):
             login['radius_source_address'] = conf.return_value(['source-address'])
 
+        # retrieve VRF instance
+        if conf.exists(['vrf']):
+            login['radius_vrf'] = conf.return_value(['vrf'])
+
         # Read in all RADIUS servers and store to list
         for server in conf.list_nodes(['server']):
             server_cfg = {
@@ -193,6 +199,9 @@ def verify(login):
         if fail:
             raise ConfigError('At least one RADIUS server must be active.')
 
+        vrf_name = login['radius_vrf']
+        if vrf_name and vrf_name not in interfaces():
+            raise ConfigError(f'VRF "{vrf_name}" does not exist')
 
 
     return None
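Review bot: `'radius_vrf': ''` is added as the last entry of default_config_data without a trailing comma, so the next key appended to this dict will have to touch this line as well; writing `'radius_vrf': '',` keeps future additions to a one-line diff. The dict literal itself begins before the hunk.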
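Review bot: `vrf_name not in interfaces()` only proves that a network device with that name exists, not that it is a VRF, so any interface name (an Ethernet port, a loopback) passes verify() and is then written verbatim as `vrf-name` into pam_radius_auth.conf, where the RADIUS PAM module will fail at login time instead of at commit time. If the configuration tree is reachable from verify(), checking the VRF definition (`vrf name <vrf_name>`) would reject non-VRF names; if the existence check is a deliberate project convention, a one-line comment such as `# interfaces() only confirms a netdev of that name exists, not that it is a VRF` would make that trade-off explicit. The `radius_vrf` value is also the only thing constraining what ends up in the PAM configuration, so this check (plus whatever validator interface-vrf.xml.i applies) is the boundary worth documenting. verify() begins and ends outside the hunk.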
@@ -217,7 +226,7 @@ def generate(login):
             # env=env)
 
     if len(login['radius_server']) > 0:
-        render(radius_config_file, 'system-login/pam_radius_auth.conf.tmpl', login)
+        render(radius_config_file, 'system-login/pam_radius_auth.conf.tmpl', login, trim_blocks=True)
 
     uid = getpwnam('root').pw_uid
     gid = getpwnam('root').pw_gid |
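Review bot: `trim_blocks=True` changes how the whole pam_radius_auth.conf.tmpl is rendered, not just the new `{% if radius_vrf %}` block: every newline that directly follows a block tag is dropped, so any existing loop or conditional in the template now emits one line fewer per tag. That is presumably intended (no stray blank lines when no VRF is configured), but the generated file for a configuration without `vrf` should be compared against the pre-change output to confirm no directive got joined onto the following line. This assumes render() forwards its keyword arguments to the Jinja environment, which is not visible here. generate() begins and ends outside the hunk.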