summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-11-18 21:07:07 +0100
committerChristian Poessinger <christian@poessinger.com>2019-11-23 20:44:02 +0100
commitdfa2f0e8ecd8a117bf47b64d7099d613f487d799 (patch)
tree2a4151ea45a833abcc2854f313aed41bb19c38be /src
parente6b269980faaaa2b3529cdb34e8f83c9f3c41b64 (diff)
downloadvyos-1x-dfa2f0e8ecd8a117bf47b64d7099d613f487d799.tar.gz
vyos-1x-dfa2f0e8ecd8a117bf47b64d7099d613f487d799.zip
wireless: T1627: change RADIUS CLI syntax
Adopt RADIUS configuration and harmonize it with the rest of VyOS. Move the following configuration block: security { wpa { cipher CCMP mode wpa2 radius-server 172.16.100.10 { port 1812 secret secretkey } radius-server 172.16.100.11 { port 1812 secret secretkey } } } to the harmonized version of: security { wpa { cipher CCMP mode wpa2 radius { server 172.16.100.10 { port 1812 secret secretkey } server 172.16.100.11 { port 1812 secret secretkey } } } } And add the new "set interfaces wireless wlan0 security wpa radius source-address" CLI command to specify the origin of any RADIUS query on systems having multiple IP addresses.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces-wireless.py43
-rwxr-xr-xsrc/migration-scripts/interfaces/3-to-433
2 files changed, 61 insertions, 15 deletions
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index b25205590..3b270a064 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -633,14 +633,24 @@ ieee8021x=1
# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
wpa_key_mgmt=WPA-EAP
+{% if sec_wpa_radius_source -%}
+# RADIUS client forced local IP address for the access point
+# Normally the local IP address is determined automatically based on configured
+# IP addresses, but this field can be used to force a specific address to be
+# used, e.g., when the device has multiple IP addresses.
+radius_client_addr={{ sec_wpa_radius_source }}
+{% endif %}
+
{% for radius in sec_wpa_radius -%}
+# RADIUS authentication server
auth_server_addr={{ radius.server }}
auth_server_port={{ radius.port }}
-auth_server_shared_secret={{ radius.secret }}
-{% if radius.accounting -%}
+auth_server_shared_secret={{ radius.key }}
+{% if radius.acc_port -%}
+# RADIUS accounting server
acct_server_addr={{ radius.server }}
acct_server_port={{ radius.acc_port }}
-acct_server_shared_secret={{ radius.secret }}
+acct_server_shared_secret={{ radius.key }}
{% endif %}
{% endfor %}
@@ -1156,29 +1166,32 @@ def get_config():
if conf.exists('security wpa passphrase'):
wifi['sec_wpa_passphrase'] = conf.return_value('security wpa passphrase')
- # WPA radius server goes here
- for server in conf.list_nodes('security wpa radius-server'):
- # set new configuration level
- conf.set_level(cfg_base + ' security wpa radius-server ' + server)
+ # WPA RADIUS source address
+ if conf.exists('security wpa radius source-address'):
+ wifi['sec_wpa_radius_source'] = conf.return_value('security wpa radius source-address')
+ # WPA RADIUS server
+ for server in conf.list_nodes('security wpa radius server'):
+ # set new configuration level
+ conf.set_level(cfg_base + ' security wpa radius server ' + server)
radius = {
'server' : server,
'acc_port' : '',
'port' : 1812,
- 'secret' : ''
+ 'key' : ''
}
- # receive RADIUS accounting info
- if conf.exists('accounting'):
- radius['acc_port'] = conf.return_value('accounting')
-
# RADIUS server port
if conf.exists('port'):
- radius['port'] = conf.return_value('port')
+ radius['port'] = int(conf.return_value('port'))
+
+ # receive RADIUS accounting info
+ if conf.exists('accounting'):
+ radius['acc_port'] = radius['port'] + 1
# RADIUS server shared-secret
- if conf.exists('secret'):
- radius['secret'] = conf.return_value('secret')
+ if conf.exists('key'):
+ radius['key'] = conf.return_value('key')
# append RADIUS server to list of servers
wifi['sec_wpa_radius'].append(radius)
diff --git a/src/migration-scripts/interfaces/3-to-4 b/src/migration-scripts/interfaces/3-to-4
index 8b9bf7f96..e3bd25a68 100755
--- a/src/migration-scripts/interfaces/3-to-4
+++ b/src/migration-scripts/interfaces/3-to-4
@@ -53,9 +53,42 @@ else:
# not supported in the new backend. Convert all to lower-case
config.set(base + [wifi, node.lower()])
+ # Remove debug node
if config.exists(base + [wifi, 'debug']):
config.delete(base + [wifi, 'debug'])
+ # RADIUS servers
+ if config.exists(base + [wifi, 'security', 'wpa', 'radius-server']):
+ for server in config.list_nodes(base + [wifi, 'security', 'wpa', 'radius-server']):
+ base_server = base + [wifi, 'security', 'wpa', 'radius-server', server]
+
+ # Migrate RADIUS shared secret
+ if config.exists(base_server + ['secret']):
+ key = config.return_value(base_server + ['secret'])
+ # write new configuration node
+ config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server, 'key'], value=key)
+ # format as tag node
+ config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])
+
+ # Migrate RADIUS port
+ if config.exists(base_server + ['port']):
+ port = config.return_value(base_server + ['port'])
+ # write new configuration node
+ config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server, 'port'], value=port)
+ # format as tag node
+ config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])
+
+ # Migrate RADIUS accounting
+ if config.exists(base_server + ['accounting']):
+ port = config.return_value(base_server + ['accounting'])
+ # write new configuration node
+ config.set(base + [wifi, 'security', 'wpa', 'radius', 'server', server, 'accounting'])
+ # format as tag node
+ config.set_tag(base + [wifi, 'security', 'wpa', 'radius', 'server'])
+
+ # delete old radius-server nodes
+ config.delete(base + [wifi, 'security', 'wpa', 'radius-server'])
+
try:
with open(file_name, 'w') as f:
f.write(config.to_string())