diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 37fad26ac..eb5d6e502 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -911,20 +911,6 @@ EOD;
 if ($a_client['user_source'] != "none" && $disable_xauth == false) {
 $strongswan .= "\t\txauth-generic {\n";
 $strongswan .= "\t\t\tscript = /usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php\n";
- $strongswan .= "\t\t\tauthcfg = ";
- $firstsed = 0;
- $authcfgs = explode(",", $a_client['user_source']);
- foreach ($authcfgs as $authcfg) {
- if ($firstsed > 0) {
- $strongswan .= ",";
- }
- if ($authcfg == "system") {
- $authcfg = "Local Database";
- }
- $strongswan .= $authcfg;
- $firstsed = 1;
- }
- $strongswan .= "\n";
 $strongswan .= "\t\t}\n";
 }
 }
diff --git a/src/etc/inc/plugins.inc.d/ipsec/auth-user.php b/src/etc/inc/plugins.inc.d/ipsec/auth-user.php
index c3d2cb6ff..751ee17ad 100755
--- a/src/etc/inc/plugins.inc.d/ipsec/auth-user.php
+++ b/src/etc/inc/plugins.inc.d/ipsec/auth-user.php
@@ -45,28 +45,52 @@ openlog("charon", LOG_ODELAY, LOG_AUTH);
 /* read data from environment */
 $username = getenv("username");
 $password = getenv("password");
-$authmodes = explode(",", getenv("authcfg"));
 if (!$username || !$password) {
- syslog(LOG_ERR, "invalid user authentication environment");
+ syslog(LOG_ERR, "Invalid user authentication environment.");
+ closelog();
+ exit(-1);
+}
+
+if (empty($config['ipsec']['client']['enable'])) {
+ syslog(LOG_ERR, "IPsec mobile extension is disabled.");
 closelog();
 exit(-1);
 }
 $authenticated = false;
-foreach ($authmodes as $authmode) {
+$priv_fallback = true;
+
+if (!empty($config['ipsec']['client']['local_group'])) {
+ if (!in_array($config['ipsec']['client']['local_group'], getUserGroups($username))) {
+ syslog(LOG_WARNING, "User '{$username}' requires membership in the local group '{$client['ipsec']['client']['local_group']}'.");
+ closelog();
+ exit(1);
+ }
+
+ $priv_fallback = false;
+}
+
+$user_source = '';
+if (!empty($config['ipsec']['client']['user_source'])) {
+ $user_source = $config['ipsec']['client']['user_source'];
+}
+
+foreach (explode(',', $user_source) as $authmode) {
 $authcfg = auth_get_authserver($authmode);
+
+ /* XXX looks funny, like OpenVPN */
 if (!$authcfg && $authmode != "local") {
 continue;
 }
 $authenticated = authenticate_user($username, $password, $authcfg);
 if ($authenticated == true) {
- if (stristr($authmode, "local")) {
+ if ($priv_fallback && stristr($authmode, "local")) {
 $user = getUserEntry($username);
 if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
 $authenticated = false;
- syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
+ syslog(LOG_WARNING, "User '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
 continue;
 }
 }
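Review bot: The warning logged when the group check fails interpolates `$client['ipsec']['client']['local_group']`, but `$client` does not appear to be defined anywhere in this script — the setting is read from `$config` on the lines just above — so the message will carry an empty group name and raise an undefined-variable notice; it should read `syslog(LOG_WARNING, "User '{$username}' requires membership in the local group '{$config['ipsec']['client']['local_group']}'.");`. The same branch exits with `exit(1)` while every other failure path in the hunk uses `exit(-1)`, so anything keying on the exit status sees two different failure codes. `in_array()` is called without the strict flag; pass `true` as the third argument since the group name is compared against whatever `getUserGroups()` returns. Note that this check runs before the password is ever verified against `$user_source`, which means a user outside the group gets a distinct log line without credential validation — presumably intended, but a one-line comment above the `if` would make that explicit.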
@@ -74,11 +98,11 @@ foreach ($authmodes as $authmode) {
 }
 }
-if ($authenticated == false) {
- syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
+if (!$authenticated) {
+ syslog(LOG_WARNING, "User '{$username}' could not authenticate.\n");
 exit(-1);
-} else {
- syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
- closelog();
- exit(0);
 }
+
+syslog(LOG_NOTICE, "User '{$username}' authenticated\n");
+closelog();
+exit(0);
diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php
index 4e66f3c4e..844e1d198 100644
--- a/src/www/vpn_ipsec_mobile.php
+++ b/src/www/vpn_ipsec_mobile.php
@@ -37,7 +37,7 @@ config_read_array('ipsec', 'client');
 config_read_array('ipsec', 'phase1');
 // define formfields
-$form_fields = "user_source,group_source,pool_address,pool_netbits,net_list
+$form_fields = "user_source,local_group,pool_address,pool_netbits,net_list
 ,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3
 ,dns_server4,wins_server1,wins_server2,pfs_group,login_banner";
@@ -93,8 +93,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 /* input validation */
- $reqdfields = explode(" ", "user_source group_source");
- $reqdfieldsn = array(gettext("User Authentication Source"),gettext("Group Authentication Source"));
+ $reqdfields = explode(" ", "user_source");
+ $reqdfieldsn = array(gettext("User Authentication Source"));
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
 if (!empty($pconfig['pool_address']) && !is_ipaddr($pconfig['pool_address'])) {
@@ -137,7 +137,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (count($input_errors) == 0) {
 $client = array();
- $copy_fields = "user_source,group_source,pool_address,pool_netbits,dns_domain,dns_server1
+ $copy_fields = "user_source,local_group,pool_address,pool_netbits,dns_domain,dns_server1
 ,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
 ,dns_split,pfs_group,login_banner";
 foreach (explode(",", $copy_fields) as $fieldname) {
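Review bot: The rewritten failure branch `if (!$authenticated) { syslog(...); exit(-1); }` still exits without `closelog()`, while the success path directly below it and the early-exit paths earlier in the file all close the log before exiting; add `closelog();` before `exit(-1);` so every exit path is uniform. The `foreach` that the two leading `}` lines close begins outside this hunk.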
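Review bot: In the `@@ -93,8 +93,8 @@` hunk of vpn_ipsec_mobile.php, `local_group` becomes a saved field but receives no input validation: `$reqdfields` now covers only `user_source`, so whatever string is posted for `local_group` is copied into `$client` by the `@@ -137,7 +137,7 @@` hunk and later compared by name against the user's groups in auth-user.php, meaning a misspelled or since-deleted group name silently locks every mobile user out with no error on the form. Before the `if (count($input_errors) == 0)` block, check that a non-empty `$pconfig['local_group']` names an existing local group and append a `gettext()` message to `$input_errors` otherwise. The `group_source` to `local_group` rename in the `@@ -37,7 +37,7 @@` hunk is consistent with the other two, but existing configurations that still carry a `group_source` key will keep it as dead data unless something outside this diff removes it.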
@@ -384,13 +384,21 @@ foreach ($auth_servers as $auth_key => $auth_server) : ?>