author | Christian Poessinger <christian@poessinger.com> | 2022-10-31 15:09:58 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-10-31 15:10:39 +0100 |
commit | 22c3dcbb01d731f0dab0ffefa2e5a0be7009baf1 (patch) | |
tree | c7a5308cd7426c357dde5586e9ead79463475c4b /src/conf_mode/vpn_ipsec.py | |
parent | 2291f4c7a967bdc81fb19e89f27fb378b2ecd09b (diff) | |
ipsec: T4787: add support for road-warrior/remote-access RADIUS timeout
This enables users to also use 2FA/MFA authentication with a RADIUS backend, as
there is enough time to enter the second factor.
Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 77a425f8b..cfefcfbe8 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -117,13 +117,26 @@ def get_config(config=None):
 ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values,
 ipsec['ike_group'][group]['proposal'][proposal])

- if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ if dict_search('remote_access.connection', ipsec):
 default_values = defaults(base + ['remote-access', 'connection'])
 for rw in ipsec['remote_access']['connection']:
 ipsec['remote_access']['connection'][rw] = dict_merge(default_values,
 ipsec['remote_access']['connection'][rw])

- if 'remote_access' in ipsec and 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']:
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ if dict_search('remote_access.radius.server', ipsec):
+ # Fist handle the "base" stuff like RADIUS timeout
+ default_values = defaults(base + ['remote-access', 'radius'])
+ if 'server' in default_values:
+ del default_values['server']
+ ipsec['remote_access']['radius'] = dict_merge(default_values,
+ ipsec['remote_access']['radius'])
+
+ # Take care about individual RADIUS servers implemented as tagNodes - this
+ # requires special treatment
 default_values = defaults(base + ['remote-access', 'radius', 'server'])
 for server in ipsec['remote_access']['radius']['server']:
 ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values, |
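Review bot: The new RADIUS base defaults (including the timeout this commit is about) are merged only inside `if dict_search('remote_access.radius.server', ipsec):`, so a `remote-access radius` node that carries other settings but no `server` entry never receives them; if later code or a template reads the timeout unconditionally, it would hit a missing key. Consider gating the base merge on `if dict_search('remote_access.radius', ipsec):` and keeping only the per-server loop under the existing server check. The comment `# Fist handle the "base" stuff like RADIUS timeout` has a typo and would read better as `# First blend in the base RADIUS defaults such as the timeout`. Since the stated goal is to leave time for a second factor, it is worth confirming outside this hunk that the configured timeout has an upper bound, because each pending EAP exchange is presumably held open for that long. get_config() starts before and continues after the hunk, so the final `dict_merge(` call is cut off here.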