| -rw-r--r-- | docs/configuration/protocols/bfd.rst | 54 | ||||
| -rw-r--r-- | docs/configuration/vpn/openconnect.rst | 45 | 
2 files changed, 99 insertions, 0 deletions
| diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index faec71bc..260e86fb 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst 
@@ -132,4 +132,58 @@ Operational Commands                             Transmission interval: 300ms                             Echo transmission interval: 0ms +BFD Static Route Monitoring  +=========================== +A monitored static route conditions the installation to the RIB on the BFD  +session running state: when BFD session is up the route is installed to RIB, +but when the BFD session is down it is removed from the RIB. + +Configuration +------------- + +.. cfgcmd::  set protocols static route <subnet> next-hop <address>  +   bfd profile <profile> + +   Configure a static route for <subnet> using gateway <address>  +   and use the gateway address as BFD peer destination address. + +.. cfgcmd::  set protocols static route <subnet> next-hop <address>  +   bfd multi-hop source <address> profile <profile> +    +   Configure a static route for <subnet> using gateway <address>  +   , use source address to indentify the peer when is multi-hop session  +   and the gateway address as BFD peer destination address. + +.. cfgcmd::  set protocols static route6 <subnet> next-hop <address>  +   bfd profile <profile> + +   Configure a static route for <subnet> using gateway <address>  +   and use the gateway address as BFD peer destination address. + +.. cfgcmd::  set protocols static route6 <subnet> next-hop <address>  +   bfd multi-hop source <address> profile <profile> +    +   Configure a static route for <subnet> using gateway <address>  +   , use source address to indentify the peer when is multi-hop session  +   and the gateway address as BFD peer destination address. + +Operational Commands +==================== + +.. opcmd:: show bfd static routes + +   Showing BFD monitored static routes + +   .. 
code-block:: none + +      Showing BFD monitored static routes: + +        Next hops: +          VRF default IPv4 Unicast: +              10.10.13.3/32 peer 192.168.2.3 (status: installed) +              172.16.10.3/32 peer 192.168.10.1 (status: uninstalled) +       +          VRF default IPv4 Multicast: +       +          VRF default IPv6 Unicast: diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1b4d4b4c..8479bcff 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst 
@@ -222,6 +222,51 @@ To display the configured OTP user settings, use the command:    show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> +Identity Based Configuration +============================ + +OpenConnect supports a subset of it's configuration options to be applied on a +per user/group basis, for configuration purposes we refer to this functionality +as "Identity based config". The following `OpenConnect Server Manual +<https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% +20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ +outlines the set of configuration options that are allowed. This can be +leveraged to apply different sets of configs to different users or groups of +users. + +.. code-block:: none + +  sudo mkdir -p /config/auth/ocserv/config-per-user +  sudo touch /config/auth/ocserv/default-user.conf + +  set vpn set vpn openconnect authentication identity-based-config mode user +  set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user +  set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf + +.. warning:: The above directory and default-config must be a child directory +of /config/auth, since files outside this directory are not persisted after an +image upgrade. + +Once you commit the above changes you can create a config file in the +/config/auth/ocserv/config-per-user directory that matches a username of a +user you have created e.g. "tst". Now when logging in with the "tst" user the +config options you set in this file will be loaded. + +Be sure to set a sane default config in the default config file, this will be +loaded in the case that a user is authenticated and no file is found in the +configured directory matching the users username/group. + +.. 
code-block:: node +  sudo nano /config/auth/ocserv/config-per-user/tst + +The same configuration options apply when Identity based config is configured +in group mode except that group mode can only be used with RADIUS +authentication. + +.. warning:: OpenConnect server matches the filename in a case sensitive +manner, make sure the username/group name you configure matches the +filename exactly. +  Configuring RADIUS accounting  ============================= | 
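Review bot: In the bfd.rst hunk, the two multi-hop cfgcmd descriptions have a stray line-leading comma and a typo: "using gateway <address> , use source address to indentify the peer when is multi-hop session" should read "using gateway <address>, and use the source address to identify the peer in a multi-hop session". The "BFD Static Route Monitoring" heading and the new "Operational Commands" heading both use the "=====" underline, so the page now has two top-level "Operational Commands" sections (the hunk context shows the existing one at line 132); demote the new one to "-----" under "BFD Static Route Monitoring" or merge the `show bfd static routes` opcmd into the existing section. The opening sentence is also hard to parse; suggest "A monitored static route is installed in the RIB only while its BFD session is up; when the session goes down the route is withdrawn from the RIB." Minor: `.. cfgcmd::  set` has a double space before the command and several lines carry trailing whitespace.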

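Review bot: In the openconnect.rst hunk, the first configuration command is duplicated ("set vpn set vpn openconnect authentication identity-based-config mode user") and will fail as written; it should be "set vpn openconnect authentication identity-based-config mode user". The second code block is tagged `.. code-block:: node` (should be `none`) and has no blank line between the directive and `sudo nano ...`, so Sphinx will not render it as a literal block. Both `.. warning::` directives wrap their continuation lines at column 0 ("of /config/auth, since files ...", "manner, make sure ..."); the continuation must be indented to the directive body or the build emits an "unexpected unindent" error and the warning is truncated. Wording: "it's configuration options" should be "its", and "matching the users username/group" should be "the user's username/group". Since the per-user file is selected purely by filename match, it would help to state explicitly that only the options listed in the linked ocserv manual are honoured in these files, so readers do not assume they can override authentication or listener settings per user.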