authorChristian Poessinger <christian@poessinger.com>2020-04-25 14:00:26 +0200
committerChristian Poessinger <christian@poessinger.com>2020-04-25 14:01:58 +0200
commit7765d528ce304275350f87c748fa7988ffb4bc26 (patch)
tree16d23f4d58453d04f7e3d92a372d4bd32796cb3d
parent35dc9d35c5d97e1c7d4fc0602ad437f1eb373b94 (diff)
login: radius: T2304: add VRF support
This allows the RADIUS client to work when a management VRF is in use.
-rw-r--r--data/templates/system-login/pam_radius_auth.conf.tmpl4
-rw-r--r--interface-definitions/system-login.xml.in1
-rwxr-xr-xsrc/conf_mode/system-login.py11
3 files changed, 15 insertions, 1 deletions
diff --git a/data/templates/system-login/pam_radius_auth.conf.tmpl b/data/templates/system-login/pam_radius_auth.conf.tmpl
index 6cff67867..ad196fa3d 100644
--- a/data/templates/system-login/pam_radius_auth.conf.tmpl
+++ b/data/templates/system-login/pam_radius_auth.conf.tmpl
@@ -10,4 +10,8 @@
priv-lvl 15
mapped_priv_user radius_priv_user
+
+{% if radius_vrf %}
+vrf-name {{ radius_vrf }}
+{% endif %}
{% endif %}
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index 2499a192c..053b6babd 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -130,6 +130,7 @@
</leafNode>
</children>
</tagNode>
+ #include <include/interface-vrf.xml.i>
</children>
</node>
</children>
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 91e2b369f..09c5422eb 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -17,6 +17,7 @@
import os
from crypt import crypt, METHOD_SHA512
+from netifaces import interfaces
from psutil import users
from pwd import getpwall, getpwnam
from stat import S_IRUSR, S_IWUSR, S_IRWXU, S_IRGRP, S_IXGRP
@@ -39,6 +40,7 @@ default_config_data = {
'del_users': [],
'radius_server': [],
'radius_source_address': '',
+ 'radius_vrf': ''
}
def get_local_users():
@@ -127,6 +129,10 @@ def get_config():
if conf.exists(['source-address']):
login['radius_source_address'] = conf.return_value(['source-address'])
+ # retrieve VRF instance
+ if conf.exists(['vrf']):
+ login['radius_vrf'] = conf.return_value(['vrf'])
+
# Read in all RADIUS servers and store to list
for server in conf.list_nodes(['server']):
server_cfg = {
@@ -193,6 +199,9 @@ def verify(login):
if fail:
raise ConfigError('At least one RADIUS server must be active.')
+ vrf_name = login['radius_vrf']
+ if vrf_name and vrf_name not in interfaces():
+ raise ConfigError(f'VRF "{vrf_name}" does not exist')
return None
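Review bot: The membership test `vrf_name not in interfaces()` only proves that a link with that name exists, not that it is a VRF: netifaces.interfaces() lists every network interface, so a configuration such as `vrf eth0` passes verify() and is written into pam_radius_auth.conf as `vrf-name eth0`. If the intent is to accept only VRF devices, the check needs to look at the device type rather than the name list; the kernel vrf driver appears to tag its devices with `DEVTYPE=vrf` in `/sys/class/net/<name>/uevent` (to be confirmed on the target kernel), which could be read here before raising ConfigError. The current check is also a point-in-time lookup, so a VRF deleted after commit still leaves a stale `vrf-name` in the PAM config; that is outside this change but worth a comment such as `# existence only; VRF membership is not re-checked at login time`. verify() begins before this hunk.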
@@ -217,7 +226,7 @@ def generate(login):
# env=env)
if len(login['radius_server']) > 0:
- render(radius_config_file, 'system-login/pam_radius_auth.conf.tmpl', login)
+ render(radius_config_file, 'system-login/pam_radius_auth.conf.tmpl', login, trim_blocks=True)
uid = getpwnam('root').pw_uid
gid = getpwnam('root').pw_gid
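Review bot: Passing `trim_blocks=True` to render() changes newline handling after every Jinja block tag in pam_radius_auth.conf.tmpl, not only around the new `{% if radius_vrf %}` section, so the server entries earlier in that template (outside this commit) should be re-rendered and compared with the previous output to confirm the layout of the existing lines is unchanged. A short comment on the call would make the dependency explicit, e.g. `# trim_blocks keeps the optional vrf-name block from leaving blank lines`. generate() starts before this hunk and its body continues past it.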