author | goodNETnick <pknet@ya.ru> | 2022-02-07 02:04:28 -0500 |
committer | goodNETnick <pknet@ya.ru> | 2022-03-16 01:46:26 -0400 |
commit | b776003cf55e1035ac83186e44f72764e52e9e0d (patch) | |
tree | 65ce5c16f46ab2471a3345b289b8cac90edded6a /interface-definitions | |
parent | 0a0d4abc02da89f68d453495ec002d2afecfca7b (diff) | |
download | vyos-1x-b776003cf55e1035ac83186e44f72764e52e9e0d.tar.gz vyos-1x-b776003cf55e1035ac83186e44f72764e52e9e0d.zip |
ocserv: T4231: Added OTP support for Openconnect 2FA
Diffstat (limited to 'interface-definitions')
-rw-r--r-- | interface-definitions/include/auth-local-users.xml.i | 69 | ||||
-rw-r--r-- | interface-definitions/vpn_openconnect.xml.in | 50 |
2 files changed, 103 insertions, 16 deletions
diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i
index 8ef09554e..add2fc8e1 100644
--- a/interface-definitions/include/auth-local-users.xml.i
+++ b/interface-definitions/include/auth-local-users.xml.i
@@ -7,6 +7,10 @@
 <tagNode name="username">
 <properties>
 <help>Username used for authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Username used for authentication</description>
+ </valueHelp>
 </properties>
 <children>
 #include <include/generic-disable-node.xml.i>
@@ -15,6 +19,71 @@
 <help>Password used for authentication</help>
 </properties>
 </leafNode>
+ <node name="otp">
+ <properties>
+ <help>2FA OTP authentication parameters</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Token Key Secret key for the token algorithm (see RFC 4226)</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>OTP key in hex-encoded format</description>
+ </valueHelp>
+ <constraint>
+ <regex>[a-fA-F0-9]{20,10000}</regex>
+ </constraint>
+ <constraintErrorMessage>Key name must in hex be alphanumerical only (min. 20 hex characters)</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="otp-length">
+ <properties>
+ <help>Optional. Number of digits in OTP code (default: 6)</help>
+ <valueHelp>
+ <format>u32:6-8</format>
+ <description>Number of digits in OTP code (default: 6)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 6-8"/>
+ </constraint>
+ <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="interval">
+ <properties>
+ <help>Optional. Time tokens interval in seconds (for time tokens) (default: 30)</help>
+ <valueHelp>
+ <format>u32:5-86400</format>
+ <description>Time tokens interval in seconds (for time tokens). (default: 30)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 5-86400"/>
+ </constraint>
+ <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="token-type">
+ <properties>
+ <help>Optional. 
Token type (default: hotp-time)</help>
+ <valueHelp>
+ <format>hotp-time</format>
+ <description>time-based OTP algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hotp-event</format>
+ <description>event-based OTP algorithm</description>
+ </valueHelp>
+ <constraint>
+ <regex>(hotp-time|hotp-event)</regex>
+ </constraint>
+ <completionHelp>
+ <list>hotp-time hotp-event</list>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
 </children>
 </tagNode>
 </children>
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 0db5e79d0..a3862647c 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
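Review bot: The `key` constraint `[a-fA-F0-9]{20,10000}` accepts an 80-bit seed, below the 128-bit minimum (160 bits recommended) that RFC 4226 section 4, requirement R6, places on the shared secret the help text itself cites; raising the floor to `[a-fA-F0-9]{32,10000}` keeps the CLI consistent with the RFC. The regex also admits odd-length strings, which do not decode into whole bytes; `([a-fA-F0-9]{2}){16,5000}` enforces both at once, unless the hex decoding done when the ocserv OTP file is generated (outside this diff) already rejects odd lengths. The accompanying message is garbled — `Key name must in hex be alphanumerical only` — and should read along the lines of `<constraintErrorMessage>Key must be hex-encoded (min. 32 hex characters)</constraintErrorMessage>`. For consistency with its three siblings, the `token-type` leaf should also carry a `constraintErrorMessage`, e.g. `<constraintErrorMessage>Token type must be hotp-time or hotp-event</constraintErrorMessage>`.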
@@ -13,25 +13,43 @@
 <help>Authentication for remote access SSL VPN Server</help>
 </properties>
 <children>
- <leafNode name="mode">
+ <node name="mode">
 <properties>
 <help>Authentication mode used by this server</help>
- <valueHelp>
- <format>local</format>
- <description>Use local username/password configuration</description>
- </valueHelp>
- <valueHelp>
- <format>radius</format>
- <description>Use RADIUS server for user autentication</description>
- </valueHelp>
- <constraint>
- <regex>^(local|radius)$</regex>
- </constraint>
- <completionHelp>
- <list>local radius</list>
- </completionHelp>
 </properties>
- </leafNode>
+ <children>
+ <leafNode name="local">
+ <properties>
+ <help>Use local username/password configuration (OTP supported)</help>
+ <valueHelp>
+ <format>password</format>
+ <description>Password-only local authentication (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>otp</format>
+ <description>OTP-only local authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>password-otp</format>
+ <description>Password (first) + OTP local authentication</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(password|otp|password-otp)$</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid authentication mode</constraintErrorMessage>
+ <completionHelp>
+ <list>otp password password-otp</list>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="radius">
+ <properties>
+ <help>Use RADIUS server for user autentication</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
 #include <include/auth-local-users.xml.i>
 #include <include/radius-server-ipv4.xml.i>
 <node name="radius"> |
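Review bot: Nothing in the new `mode` node makes its `local` and `radius` children mutually exclusive, whereas the removed `^(local|radius)$` leaf enforced exactly one; both `mode local` and `mode radius` can now be present together, so the conf-mode verify step (outside this diff) must reject that combination, and the `radius` help should state that it is exclusive with `local`. The `password` value is described as `(default)` but the `local` leaf declares no `<defaultValue>password</defaultValue>`, so unless the handler supplies the default the help overstates what the CLI guarantees. Changing `mode` from a leafNode to a node invalidates existing `authentication mode local`/`radius` configurations; the diffstat is limited to interface-definitions, so a migrator may live elsewhere in the commit, but it should be confirmed. The added line `<help>Use RADIUS server for user autentication</help>` carries the old typo forward: `authentication`.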