summaryrefslogtreecommitdiff
path: root/interface-definitions
diff options
context:
space:
mode:
authorgoodNETnick <pknet@ya.ru>2022-02-07 02:04:28 -0500
committergoodNETnick <pknet@ya.ru>2022-03-16 01:46:26 -0400
commitb776003cf55e1035ac83186e44f72764e52e9e0d (patch)
tree65ce5c16f46ab2471a3345b289b8cac90edded6a /interface-definitions
parent0a0d4abc02da89f68d453495ec002d2afecfca7b (diff)
downloadvyos-1x-b776003cf55e1035ac83186e44f72764e52e9e0d.tar.gz
vyos-1x-b776003cf55e1035ac83186e44f72764e52e9e0d.zip
ocserv: T4231: Added OTP support for Openconnect 2FA
Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/include/auth-local-users.xml.i69
-rw-r--r--interface-definitions/vpn_openconnect.xml.in50
2 files changed, 103 insertions, 16 deletions
diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i
index 8ef09554e..add2fc8e1 100644
--- a/interface-definitions/include/auth-local-users.xml.i
+++ b/interface-definitions/include/auth-local-users.xml.i
@@ -7,6 +7,10 @@
<tagNode name="username">
<properties>
<help>Username used for authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Username used for authentication</description>
+ </valueHelp>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
@@ -15,6 +19,71 @@
<help>Password used for authentication</help>
</properties>
</leafNode>
+ <node name="otp">
+ <properties>
+ <help>2FA OTP authentication parameters</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Token Key Secret key for the token algorithm (see RFC 4226)</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>OTP key in hex-encoded format</description>
+ </valueHelp>
+ <constraint>
+ <regex>[a-fA-F0-9]{20,10000}</regex>
+ </constraint>
+ <constraintErrorMessage>Key name must in hex be alphanumerical only (min. 20 hex characters)</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="otp-length">
+ <properties>
+ <help>Optional. Number of digits in OTP code (default: 6)</help>
+ <valueHelp>
+ <format>u32:6-8</format>
+ <description>Number of digits in OTP code (default: 6)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 6-8"/>
+ </constraint>
+ <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="interval">
+ <properties>
+ <help>Optional. Time tokens interval in seconds (for time tokens) (default: 30)</help>
+ <valueHelp>
+ <format>u32:5-86400</format>
+ <description>Time tokens interval in seconds (for time tokens). (default: 30)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 5-86400"/>
+ </constraint>
+ <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="token-type">
+ <properties>
+ <help>Optional. Token type (default: hotp-time)</help>
+ <valueHelp>
+ <format>hotp-time</format>
+ <description>time-based OTP algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hotp-event</format>
+ <description>event-based OTP algorithm</description>
+ </valueHelp>
+ <constraint>
+ <regex>(hotp-time|hotp-event)</regex>
+ </constraint>
+ <completionHelp>
+ <list>hotp-time hotp-event</list>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</tagNode>
</children>
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 0db5e79d0..a3862647c 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -13,25 +13,43 @@
<help>Authentication for remote access SSL VPN Server</help>
</properties>
<children>
- <leafNode name="mode">
+ <node name="mode">
<properties>
<help>Authentication mode used by this server</help>
- <valueHelp>
- <format>local</format>
- <description>Use local username/password configuration</description>
- </valueHelp>
- <valueHelp>
- <format>radius</format>
- <description>Use RADIUS server for user autentication</description>
- </valueHelp>
- <constraint>
- <regex>^(local|radius)$</regex>
- </constraint>
- <completionHelp>
- <list>local radius</list>
- </completionHelp>
</properties>
- </leafNode>
+ <children>
+ <leafNode name="local">
+ <properties>
+ <help>Use local username/password configuration (OTP supported)</help>
+ <valueHelp>
+ <format>password</format>
+ <description>Password-only local authentication (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>otp</format>
+ <description>OTP-only local authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>password-otp</format>
+ <description>Password (first) + OTP local authentication</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(password|otp|password-otp)$</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid authentication mode</constraintErrorMessage>
+ <completionHelp>
+ <list>otp password password-otp</list>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="radius">
+ <properties>
+ <help>Use RADIUS server for user autentication</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
#include <include/auth-local-users.xml.i>
#include <include/radius-server-ipv4.xml.i>
<node name="radius">