author | Christian Breunig <christian@breunig.cc> | 2023-01-28 10:10:06 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-28 10:10:06 +0100 |
commit | 875bce2e79539b4ec3501fd75317ee2e1858edff (patch) | |
tree | 16ffe63b43b5a699e7816987c210fd12a1ff491b /src/conf_mode/vpn_openconnect.py | |
parent | 248d4eda9304c34aaa9b2a8cd7a2b1c0bbbf91fe (diff) | |
parent | 9321e75d1edbffe10b6194062c6fad7cbf205e3e (diff) | |
download | vyos-1x-875bce2e79539b4ec3501fd75317ee2e1858edff.tar.gz vyos-1x-875bce2e79539b4ec3501fd75317ee2e1858edff.zip |
Merge pull request #1787 from PeppyH/T4958-openconnect-radius-accounting
T4958: ocserv: openconnect: Add RADIUS accounting support
Diffstat (limited to 'src/conf_mode/vpn_openconnect.py')
-rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 57eba17b0..63ffe2a41 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -82,13 +82,26 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict: del origin['authentication']['radius']['server']['port'] if not origin["authentication"]['radius']['server']: raise ConfigError( - 'Openconnect mode radius required at least one radius server') + 'Openconnect authentication mode radius required at least one radius server') default_values_radius_port = \ default_values['authentication']['radius']['server']['port'] for server, params in origin['authentication']['radius'][ 'server'].items(): if 'port' not in params: params['port'] = default_values_radius_port + + if 'mode' in origin["accounting"] and "radius" in \ + origin["accounting"]["mode"]: + del origin['accounting']['radius']['server']['port'] + if not origin["accounting"]['radius']['server']: + raise ConfigError( + 'Openconnect accounting mode radius required at least one radius server') + default_values_radius_port = \ + default_values['accounting']['radius']['server']['port'] + for server, params in origin['accounting']['radius'][ + 'server'].items(): + if 'port' not in params: + params['port'] = default_values_radius_port return origin 
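Review bot: `if 'mode' in origin["accounting"]` indexes `origin["accounting"]` without checking that the key exists, so a configuration with no `accounting` node would fail here with a KeyError instead of a ConfigError unless the defaults merged before this call always create that node (the authentication branch above appears to rely on the same guarantee, but its guard lies outside the hunk). If that is not guaranteed, `if 'mode' in origin.get("accounting", {}) and "radius" in origin["accounting"]["mode"]:` keeps the intended semantics safely. It is also worth confirming that the interface definition's default for `accounting radius server port` is 1813 (RADIUS accounting) rather than the 1812 authentication port, because the new loop copies whatever `default_values['accounting']['radius']['server']['port']` holds onto every accounting server that has no explicit port. T2665_default_dict_cleanup begins before this hunk.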
@@ -121,6 +134,14 @@ def verify(ocserv): not is_listen_port_bind_service(int(port), 'ocserv-main'): raise ConfigError(f'"{proto}" port "{port}" is used by another service') + # Check accounting + if "accounting" in ocserv: + if "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]: + if "authentication" not in ocserv or "mode" not in ocserv["authentication"]: + raise ConfigError('Accounting depends on OpenConnect authentication configuration') + elif "radius" not in ocserv["authentication"]["mode"]: + raise ConfigError('RADIUS accounting must be used with RADIUS authentication') + # Check authentication if "authentication" in ocserv: if "mode" in ocserv["authentication"]: @@ -202,10 +223,18 @@ def generate(ocserv): return None if "radius" in ocserv["authentication"]["mode"]: - # Render radius client configuration - render(radius_cfg, 'ocserv/radius_conf.j2', ocserv["authentication"]["radius"]) - # Render radius servers - render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"]) + if dict_search(ocserv, 'accounting.mode.radius'): + # Render radius client configuration + render(radius_cfg, 'ocserv/radius_conf.j2', ocserv) + merged_servers = ocserv["accounting"]["radius"]["server"] | ocserv["authentication"]["radius"]["server"] + # Render radius servers + # Merge the accounting and authentication servers into a single dictionary + render(radius_servers, 'ocserv/radius_servers.j2', {'server': merged_servers}) + else: + # Render radius client configuration + render(radius_cfg, 'ocserv/radius_conf.j2', ocserv) + # Render radius servers + render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"]) elif "local" in ocserv["authentication"]["mode"]: # if mode "OTP", generate OTP users file parameters if "otp" in ocserv["authentication"]["mode"]["local"]: |
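Review bot: The nested `if`/`elif` in the new accounting check re-implements a lookup that generate() in this same commit already does with `dict_search(ocserv, 'accounting.mode.radius')`; using the helper here too keeps the two sites consistent and reduces the check to `if dict_search(ocserv, 'accounting.mode.radius') and not dict_search(ocserv, 'authentication.mode.radius'):` followed by the existing `raise ConfigError('RADIUS accounting must be used with RADIUS authentication')`. The separate 'Accounting depends on OpenConnect authentication configuration' message is only reachable when authentication is absent, which the authentication check directly below presumably rejects on its own, so confirm that before collapsing the two branches. verify() continues outside the hunk.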
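Review bot: `merged_servers = ocserv["accounting"]["radius"]["server"] | ocserv["authentication"]["radius"]["server"]` is a dict union keyed by server address, so an address configured for both roles keeps only its authentication entry and the accounting entry's attributes are silently dropped. If radius_servers.j2 emits one shared secret per address (which passing `{'server': merged_servers}` suggests), a host that uses different secrets for authentication and accounting would have its accounting packets signed with the authentication key and discarded by the RADIUS server, with nothing reported at commit time. I would reject that collision explicitly, ideally in verify() but shown here next to the merge, on the assumption that the secret is stored under `key` as in the other VyOS RADIUS nodes. The two comments above `render(radius_servers, ...)` also describe the merge that already happened on the preceding line, so they read better placed before `merged_servers = ...`. generate() continues outside the hunk.
```python
        if "radius" in ocserv["authentication"]["mode"]:
            if dict_search(ocserv, 'accounting.mode.radius'):
                acct_servers = ocserv["accounting"]["radius"]["server"]
                auth_servers = ocserv["authentication"]["radius"]["server"]
                # The servers file holds one secret per address, so a host used for both
                # roles must share the same key or accounting requests are signed wrongly
                for addr in acct_servers.keys() & auth_servers.keys():
                    if acct_servers[addr].get('key') != auth_servers[addr].get('key'):
                        raise ConfigError(f'RADIUS server "{addr}" must use the same key for authentication and accounting')
                # Merge the accounting and authentication servers into a single dictionary;
                # on a duplicate address the authentication entry wins
                merged_servers = acct_servers | auth_servers
                # … unchanged: render calls for radius_cfg and radius_servers …
```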