-rw-r--r--data/templates/ocserv/ocserv_config.j24
-rw-r--r--interface-definitions/vpn-openconnect.xml.in20
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py19
3 files changed, 34 insertions, 9 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index e0cad5181..1cbb52ccf 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,7 +7,11 @@ run-as-user = nobody
run-as-group = daemon
{% if "radius" in authentication.mode %}
+{% if "yes" in authentication.radius.groupconfig %}
+auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
+{% else %}
auth = "radius [config=/run/ocserv/radiusclient.conf]"
+{% endif %}
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
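Review bot: The new condition on the `groupconfig` branch uses a membership test, `{% if "yes" in authentication.radius.groupconfig %}`, where the value is a yes/no leaf; an equality test states the intent and will not silently match if the constraint is ever widened: `{% if authentication.radius.groupconfig == "yes" %}`. Because `groupconfig=true` hands all per-user settings to the RADIUS server (the interface help says config-per-user is overridden), a short template comment above the branch saying so, e.g. `{# groupconfig=true: RADIUS attributes replace any config-per-user settings #}`, would make the security trade-off visible to whoever edits this block next. The template also appears to rely on the `groupconfig` key always being present via its default value; if the key can be absent when defaults are not merged, the lookup would hit an undefined attribute — worth confirming against get_config.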
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 6309863c5..3ab8dd815 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -144,6 +144,26 @@
</properties>
<defaultValue>2</defaultValue>
</leafNode>
+ <leafNode name="groupconfig">
+ <properties>
+ <help>If the groupconfig option is set to yes, then config-per-user will be overriden, and all configuration will be read from radius.</help>
+ <completionHelp>
+ <list>yes no</list>
+ </completionHelp>
+ <valueHelp>
+ <format>yes</format>
+ <description>Enable RADIUS acquisition of group properties</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no</format>
+ <description>Disable RADIUS acquisition of group properties</description>
+ </valueHelp>
+ <constraint>
+ <regex>(yes|no)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>no</defaultValue>
+ </leafNode>
</children>
</node>
</children>
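Review bot: The new leaf's help text misspells "overridden" (`overriden`) and reads awkwardly; since this string is shown to operators on the CLI, I would change it to `<help>If set to yes, config-per-user is overridden and all group configuration is read from RADIUS.</help>`. The valueHelp descriptions and the `(yes|no)` constraint are consistent with the default of `no`, so nothing else in this section needs changing.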
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index a3e774678..4e2a3f58b 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -57,15 +57,16 @@ def get_config():
default_values = defaults(base)
ocserv = dict_merge(default_values, ocserv)
- # workaround a "know limitation" - https://phabricator.vyos.net/T2665
- del ocserv['authentication']['local_users']['username']['otp']
- if not ocserv["authentication"]["local_users"]["username"]:
- raise ConfigError('openconnect mode local required at least one user')
- default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp']
- for user, params in ocserv['authentication']['local_users']['username'].items():
- # Not every configuration requires OTP settings
- if ocserv['authentication']['local_users']['username'][user].get('otp'):
- ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp'])
+ if "local" in ocserv["authentication"]["mode"]:
+ # workaround a "know limitation" - https://phabricator.vyos.net/T2665
+ del ocserv['authentication']['local_users']['username']['otp']
+ if not ocserv["authentication"]["local_users"]["username"]:
+ raise ConfigError('openconnect mode local required at least one user')
+ default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp']
+ for user, params in ocserv['authentication']['local_users']['username'].items():
+ # Not every configuration requires OTP settings
+ if ocserv['authentication']['local_users']['username'][user].get('otp'):
+ ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp'])
if ocserv:
ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),