VPN: IPsec: Mobile Clients - add radius server selection for "Connections" when radius is not defined in legacy phase1's. closes https://github.com/opnsense/core/issues/6602
This commit is contained in:
parent
9cd3ce7f5f
commit
8ca3d47c54
@ -972,6 +972,7 @@ function ipsec_write_strongswan_conf()
|
||||
|
||||
$strongswanTree['charon']['plugins'] = [];
|
||||
|
||||
$radius_auth_servers = null;
|
||||
$disable_xauth = false;
|
||||
if (isset($a_client['enable'])) {
|
||||
$net_list = [];
|
||||
@ -1051,38 +1052,45 @@ function ipsec_write_strongswan_conf()
|
||||
foreach ($a_phase1 as $ph1ent) {
|
||||
if (!isset($ph1ent['disabled']) && isset($ph1ent['mobile'])) {
|
||||
if ($ph1ent['authentication_method'] == "eap-radius") {
|
||||
$disable_xauth = true; // disable Xauth when radius is used.
|
||||
$strongswanTree['charon']['plugins']['eap-radius'] = [];
|
||||
$strongswanTree['charon']['plugins']['eap-radius']['servers'] = [];
|
||||
$radius_server_num = 1;
|
||||
$radius_accounting_enabled = false;
|
||||
foreach (auth_get_authserver_list() as $auth_server) {
|
||||
if (in_array($auth_server['name'], explode(',', $ph1ent['authservers']))) {
|
||||
$server = [
|
||||
'address' => $auth_server['host'],
|
||||
'secret' => '"' . $auth_server['radius_secret'] . '"',
|
||||
'auth_port' => $auth_server['radius_auth_port'],
|
||||
];
|
||||
|
||||
if (!empty($auth_server['radius_acct_port'])) {
|
||||
$server['acct_port'] = $auth_server['radius_acct_port'];
|
||||
}
|
||||
$strongswanTree['charon']['plugins']['eap-radius']['servers']['server' . $radius_server_num] = $server;
|
||||
|
||||
if (!empty($auth_server['radius_acct_port'])) {
|
||||
$radius_accounting_enabled = true;
|
||||
}
|
||||
$radius_server_num += 1;
|
||||
}
|
||||
}
|
||||
if ($radius_accounting_enabled) {
|
||||
$strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes';
|
||||
}
|
||||
$radius_auth_servers = $ph1ent['authservers'];
|
||||
break; // there can only be one mobile phase1, exit loop
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (empty($radius_auth_servers) && !empty($a_client['radius_source'])) {
|
||||
$radius_auth_servers = $a_client['radius_source'];
|
||||
}
|
||||
if ((isset($a_client['enable']) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) && !empty($radius_auth_servers)) {
|
||||
$disable_xauth = true; // disable Xauth when radius is used.
|
||||
$strongswanTree['charon']['plugins']['eap-radius'] = [];
|
||||
$strongswanTree['charon']['plugins']['eap-radius']['servers'] = [];
|
||||
$radius_server_num = 1;
|
||||
$radius_accounting_enabled = false;
|
||||
|
||||
foreach (auth_get_authserver_list() as $auth_server) {
|
||||
if (in_array($auth_server['name'], explode(',', $radius_auth_servers))) {
|
||||
$server = [
|
||||
'address' => $auth_server['host'],
|
||||
'secret' => '"' . $auth_server['radius_secret'] . '"',
|
||||
'auth_port' => $auth_server['radius_auth_port'],
|
||||
];
|
||||
|
||||
if (!empty($auth_server['radius_acct_port'])) {
|
||||
$server['acct_port'] = $auth_server['radius_acct_port'];
|
||||
}
|
||||
$strongswanTree['charon']['plugins']['eap-radius']['servers']['server' . $radius_server_num] = $server;
|
||||
|
||||
if (!empty($auth_server['radius_acct_port'])) {
|
||||
$radius_accounting_enabled = true;
|
||||
}
|
||||
$radius_server_num += 1;
|
||||
}
|
||||
}
|
||||
if ($radius_accounting_enabled) {
|
||||
$strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes';
|
||||
}
|
||||
}
|
||||
if ((isset($a_client['enable']) && !$disable_xauth) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) {
|
||||
$strongswanTree['charon']['plugins']['xauth-pam'] = [
|
||||
'pam_service' => 'ipsec',
|
||||
|
||||
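Review bot: The new `foreach (auth_get_authserver_list() as $auth_server)` loop under the `!empty($radius_auth_servers)` check selects backends from `$a_client['radius_source']` by name only and never looks at `$auth_server['type']`, so a non-RADIUS server name that reaches `radius_source` (the form lists only `type == 'radius'` entries, but no server-side validation of the field is visible in this commit) would emit an eap-radius `serverN` block with an empty `address`/`secret`/`auth_port`. Guarding the match, `if ($auth_server['type'] == 'radius' && in_array($auth_server['name'], explode(',', $radius_auth_servers), true)) {`, keeps a hand-edited or stale configuration from silently writing a broken RADIUS server entry into strongswan.conf. The same server-building code also appears inside the phase1 loop right after `$disable_xauth = true;`; if that copy is the removed side of this hunk the duplication is gone, otherwise it should be folded into the new block so the two cannot drift. `new \OPNsense\IPsec\Swanctl()` is constructed in both the eap-radius check and the later xauth-pam check; hoisting `$swanctl_enabled = (new \OPNsense\IPsec\Swanctl())->isEnabled();` above the first use avoids the double construction. ipsec_write_strongswan_conf() starts and ends outside this hunk.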
@ -36,7 +36,7 @@ config_read_array('ipsec', 'client');
|
||||
config_read_array('ipsec', 'phase1');
|
||||
|
||||
// define formfields
|
||||
$form_fields = "user_source,local_group,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,net_list
|
||||
$form_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,net_list
|
||||
,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3
|
||||
,dns_server4,wins_server1,wins_server2,pfs_group,login_banner";
|
||||
|
||||
@ -91,6 +91,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
if (!empty($pconfig['user_source'])) {
|
||||
$pconfig['user_source'] = implode(",", $pconfig['user_source']);
|
||||
}
|
||||
if (!empty($pconfig['radius_source'])) {
|
||||
$pconfig['radius_source'] = implode(",", $pconfig['radius_source']);
|
||||
}
|
||||
|
||||
/* input validation */
|
||||
$reqdfields = explode(" ", "user_source");
|
||||
@ -141,11 +144,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
|
||||
if (count($input_errors) == 0) {
|
||||
$client = array();
|
||||
$copy_fields = "user_source,local_group,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,dns_domain,dns_server1
|
||||
,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
|
||||
$copy_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,
|
||||
pool_netbits_v6,dns_domain,dns_server1,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
|
||||
,dns_split,pfs_group,login_banner";
|
||||
foreach (explode(",", $copy_fields) as $fieldname) {
|
||||
$fieldname = trim($fieldname);
|
||||
$fieldname = trim($fieldname);
|
||||
if (!empty($pconfig[$fieldname])) {
|
||||
$client[$fieldname] = $pconfig[$fieldname];
|
||||
}
|
||||
@ -324,9 +327,13 @@ if (isset($config['ipsec']['enable']) && is_subsystem_dirty('ipsec')) {
|
||||
print_info_box_apply(gettext("The IPsec tunnel configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));
|
||||
}
|
||||
$ph1found = false;
|
||||
$legacy_radius_configured = false;
|
||||
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
||||
if (isset($ph1ent['mobile'])) {
|
||||
$ph1found = true;
|
||||
if (($ph1ent['authentication_method'] ?? '') == 'eap-radius') {
|
||||
$legacy_radius_configured = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -362,10 +369,9 @@ if (isset($input_errors) && count($input_errors) > 0) {
|
||||
<div class="tab-content content-box col-xs-12">
|
||||
<div class="table-responsive">
|
||||
<table class="table table-striped opnsense_standard_table_form">
|
||||
<tr>
|
||||
<tr>
|
||||
<td colspan="2"><b><?=gettext("Extended Authentication (Xauth)"); ?></b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<tr>
|
||||
<td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext("Backend for authentication");?> </td>
|
||||
<td style="width:78%">
|
||||
@ -397,6 +403,30 @@ foreach ($auth_servers as $auth_key => $auth_server) : ?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<?php if (!$legacy_radius_configured):?>
|
||||
<tr>
|
||||
<td colspan="2"><b><?=gettext("Radius (eap-radius)"); ?></b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Backend for authentication");?> </td>
|
||||
<td>
|
||||
<select name="radius_source[]" class="selectpicker" id="user_source" multiple="multiple" size="3">
|
||||
<?php
|
||||
$authmodes = explode(",", $pconfig['radius_source']);
|
||||
foreach (auth_get_authserver_list() as $auth_key => $auth_server):
|
||||
if ($auth_server['type'] == 'radius'):?>
|
||||
<option value="<?=htmlspecialchars($auth_key)?>" <?=in_array($auth_key, $authmodes) ? 'selected="selected"' : ''?>><?=htmlspecialchars($auth_server['name'])?></option>
|
||||
<?php
|
||||
endif;
|
||||
endforeach; ?>
|
||||
</select>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
<?php endif;?>
|
||||
|
||||
|
||||
</table>
|
||||
</div>
|
||||
</section>
|
||||
|
||||
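Review bot: The new RADIUS backend select carries `id="user_source"`, which presumably is also the id of the Xauth backend select earlier in this form, giving the page a duplicate id that breaks any label or script hook bound to it; it should be `id="radius_source"`. `$authmodes = explode(",", $pconfig['radius_source']);` reads the key unconditionally while the GET branch only assigns `$pconfig['radius_source']` when it is non-empty, so a configuration saved before this field existed will trigger an undefined-array-key warning on PHP 8 unless `$pconfig` is pre-seeded elsewhere; `$authmodes = explode(",", $pconfig['radius_source'] ?? '');` avoids that. On the POST side `radius_source` is added to `$copy_fields` and stored as-is, but no check that each selected name is an existing `radius`-type server is visible in the diff (`$reqdfields` still names only `user_source`); validating it next to the existing `user_source` checks would keep the stored config consistent with what the strongswan writer expects.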