diff options
| author | Jamie Austin <jamiea@opusv.com.au> | 2023-01-27 17:32:29 +1100 |
|---|---|---|
| committer | Jamie Austin <jamieaustinprogramming@gmail.com> | 2023-01-28 15:11:07 +1100 |
| commit | e61f7abdb2136d8dfbf73729dbc14c3b5ab2ecba (patch) | |
| tree | f045fe1092ecbb3d5d8366dfb647e15de8572d59 /data | |
| parent | e6023a3c710a84c12f9ce51d41af21120bb44e5a (diff) | |
| download | vyos-1x-e61f7abdb2136d8dfbf73729dbc14c3b5ab2ecba.tar.gz vyos-1x-e61f7abdb2136d8dfbf73729dbc14c3b5ab2ecba.zip | |
T4958: ocserv: openconnect: adds support for configuring RADIUS accounting
Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 4 | ||||
| -rw-r--r-- | data/templates/ocserv/radius_conf.j2 | 42 |
2 files changed, 34 insertions, 12 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 3194354e6..aa8897703 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -10,6 +10,10 @@ udp-port = {{ listen_ports.udp }} run-as-user = nobody run-as-group = daemon +{% if "radius" in accounting.mode %} +acct = "radius [config=/run/ocserv/radiusclient.conf]" +{% endif %} + {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]" {% elif "local" in authentication.mode %} diff --git a/data/templates/ocserv/radius_conf.j2 b/data/templates/ocserv/radius_conf.j2 index b6612fee5..65548e3ad 100644 --- a/data/templates/ocserv/radius_conf.j2 +++ b/data/templates/ocserv/radius_conf.j2 @@ -1,20 +1,38 @@ ### generated by vpn_openconnect.py ### nas-identifier VyOS -{% for srv in server %} -{% if not "disable" in server[srv] %} -{% if "port" in server[srv] %} -authserver {{ srv }}:{{ server[srv]["port"] }} -{% else %} -authserver {{ srv }} + +#### Accounting +{% if "radius" in accounting['mode'] %} +{% for acctsrv in accounting['radius']['server'] %} +{% if not "disable" in accounting['radius']['server'][acctsrv] %} +{% if "port" in accounting['radius']['server'][acctsrv] %} +acctserver {{ acctsrv }}:{{ accounting['radius']['server'][acctsrv]['port'] }} +{% else %} +acctserver {{ acctsrv }} +{% endif %} {% endif %} -{% endif %} -{% endfor %} -radius_timeout {{ timeout }} -{% if source_address %} -bindaddr {{ source_address }} -{% else %} +{% endfor %} +{% endif %} + +#### Authentication +{% if "radius" in authentication['mode'] %} +{% for authsrv in authentication['radius']['server'] %} +{% if not "disable" in authentication['radius']['server'][authsrv] %} +{% if "port" in authentication['radius']['server'][authsrv] %} +authserver {{ authsrv }}:{{ authentication['radius']['server'][authsrv]['port'] }} +{% else %} +authserver {{ authsrv }} +{% endif %} +{% endif %} +{% endfor %} +radius_timeout {{ authentication['radius']['timeout'] }} +{% if source_address %} +bindaddr {{ authentication['radius']['source_address'] }} +{% else %} bindaddr * +{% endif %} {% endif %} + servers /run/ocserv/radius_servers dictionary /etc/radcli/dictionary default_realm |