author | Christian Poessinger <christian@poessinger.com> | 2020-02-25 16:34:19 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-02-25 16:34:19 +0100 |
commit | d11b04f4f9230638fbbeb7cb21bd46de9d09d27c (patch) | |
tree | b27229b8656412797acbb62bcbfde931da1d3fda /src | |
parent | 6e0aad3a6b1a35428674f2266932528403c9702a (diff) | |
login: radius: T2071: support disabling individual server
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/system-login-radius.py | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/src/conf_mode/system-login-radius.py b/src/conf_mode/system-login-radius.py
index caa7f6b80..b1e7dce4e 100755
--- a/src/conf_mode/system-login-radius.py
+++ b/src/conf_mode/system-login-radius.py
@@ -29,11 +29,13 @@ radius_config_file = "/etc/pam_radius_auth.conf"
 radius_config_tmpl = """
 # Automatically generated by VyOS
 # RADIUS configuration file
+{%- if server %}
 # server[:port] shared_secret timeout (s) source_ip
-{% if server -%}
-{% for s in server -%}
+{% for s in server %}
+{%- if not s.disabled -%}
 {{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if source_address -%}{{ source_address }}{% endif %}
-{% endfor -%}
+{% endif %}
+{%- endfor %}
 priv-lvl 15
 mapped_priv_user radius_priv_user
@@ -75,12 +77,17 @@ def get_config():
 for server in conf.list_nodes(['server']):
 server_cfg = {
 'address': server,
+ 'disabled': False,
 'key': '',
 'port': '1812',
 'timeout': '2'
 }
 conf.set_level(base_level + ['server', server])
+ # Check if RADIUS server was temporary disabled
+ if conf.exists(['disable']):
+ server_cfg['disabled'] = True
+
 # RADIUS shared secret
 if conf.exists(['key']):
 server_cfg['key'] = conf.return_value(['key'])
@@ -99,7 +106,16 @@ def get_config():
 return radius
 def verify(radius):
- pass
+ # At lease one RADIUS server must not be disabled
+ if len(radius['server']) > 0:
+ fail = True
+ for server in radius['server']:
+ if not server['disabled']:
+ fail = False
+ if fail:
+ raise ConfigError('At least one RADIUS server must be active.')
+
+ return None
 def generate(radius):
 if len(radius['server']) > 0: |
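Review bot: The new verify() checks only the `disabled` flag, so an enabled server whose `key` is still the `''` default set in the get_config() hunk passes validation. The template would then render that server's line with the shared-secret column empty. How pam_radius_auth parses such a line is not visible here, so unless the CLI definition already makes the key mandatory, verify() should reject it before generate() runs. Two smaller points in the same body: the comment reads `At lease one` where `At least one` is meant, and the `fail` flag loop and the trailing `return None` can be dropped by filtering the list once.

```python
def verify(radius):
    # At least one RADIUS server must not be disabled
    active = [s for s in radius['server'] if not s['disabled']]
    if radius['server'] and not active:
        raise ConfigError('At least one RADIUS server must be active.')

    # An empty key would leave the shared_secret column of the generated line blank
    for s in active:
        if not s['key']:
            raise ConfigError('Missing RADIUS key for server {}'.format(s['address']))
```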