From 8ca3d47c54115462a18c7e5e74a055ee9d671fcf Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 5 Jul 2023 22:21:12 +0200
Subject: [PATCH] VPN: IPsec: Mobile Clients - add radius server selection for "Connections" when radius is not defined in legacy phase1's.
closes https://github.com/opnsense/core/issues/6602
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 62 ++++++++++++++++-------------
 src/www/vpn_ipsec_mobile.php | 42 ++++++++++++++++---
 2 files changed, 71 insertions(+), 33 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 43205a2dc..9f896e1e7 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -972,6 +972,7 @@ function ipsec_write_strongswan_conf()
 $strongswanTree['charon']['plugins'] = [];
+ $radius_auth_servers = null;
 $disable_xauth = false;
 if (isset($a_client['enable'])) {
 $net_list = [];
@@ -1051,38 +1052,45 @@ function ipsec_write_strongswan_conf()
 foreach ($a_phase1 as $ph1ent) {
 if (!isset($ph1ent['disabled']) && isset($ph1ent['mobile'])) {
 if ($ph1ent['authentication_method'] == "eap-radius") {
- $disable_xauth = true; // disable Xauth when radius is used.
- $strongswanTree['charon']['plugins']['eap-radius'] = [];
- $strongswanTree['charon']['plugins']['eap-radius']['servers'] = [];
- $radius_server_num = 1;
- $radius_accounting_enabled = false;
- foreach (auth_get_authserver_list() as $auth_server) {
- if (in_array($auth_server['name'], explode(',', $ph1ent['authservers']))) {
- $server = [
- 'address' => $auth_server['host'],
- 'secret' => '"' . $auth_server['radius_secret'] . '"',
- 'auth_port' => $auth_server['radius_auth_port'],
- ];
-
- if (!empty($auth_server['radius_acct_port'])) {
- $server['acct_port'] = $auth_server['radius_acct_port'];
- }
- $strongswanTree['charon']['plugins']['eap-radius']['servers']['server' . $radius_server_num] = $server;
-
- if (!empty($auth_server['radius_acct_port'])) {
- $radius_accounting_enabled = true;
- }
- $radius_server_num += 1;
- }
- }
- if ($radius_accounting_enabled) {
- $strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes';
- }
+ $radius_auth_servers = $ph1ent['authservers'];
 break; // there can only be one mobile phase1, exit loop
 }
 }
 }
 }
+ if (empty($radius_auth_servers) && !empty($a_client['radius_source'])) {
+ $radius_auth_servers = $a_client['radius_source'];
+ }
+ if ((isset($a_client['enable']) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) && !empty($radius_auth_servers)) {
+ $disable_xauth = true; // disable Xauth when radius is used.
+ $strongswanTree['charon']['plugins']['eap-radius'] = [];
+ $strongswanTree['charon']['plugins']['eap-radius']['servers'] = [];
+ $radius_server_num = 1;
+ $radius_accounting_enabled = false;
+
+ foreach (auth_get_authserver_list() as $auth_server) {
+ if (in_array($auth_server['name'], explode(',', $radius_auth_servers))) {
+ $server = [
+ 'address' => $auth_server['host'],
+ 'secret' => '"' . $auth_server['radius_secret'] . '"',
+ 'auth_port' => $auth_server['radius_auth_port'],
+ ];
+
+ if (!empty($auth_server['radius_acct_port'])) {
+ $server['acct_port'] = $auth_server['radius_acct_port'];
+ }
+ $strongswanTree['charon']['plugins']['eap-radius']['servers']['server' . $radius_server_num] = $server;
+
+ if (!empty($auth_server['radius_acct_port'])) {
+ $radius_accounting_enabled = true;
+ }
+ $radius_server_num += 1;
+ }
+ }
+ if ($radius_accounting_enabled) {
+ $strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes';
+ }
+ }
 if ((isset($a_client['enable']) && !$disable_xauth) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) {
 $strongswanTree['charon']['plugins']['xauth-pam'] = [
 'pam_service' => 'ipsec',
diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php
index 49125516f..268806a35 100644
--- a/src/www/vpn_ipsec_mobile.php
+++ b/src/www/vpn_ipsec_mobile.php
@@ -36,7 +36,7 @@ config_read_array('ipsec', 'client');
 config_read_array('ipsec', 'phase1');
 // define formfields
-$form_fields = "user_source,local_group,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,net_list
+$form_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,net_list
 ,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3
 ,dns_server4,wins_server1,wins_server2,pfs_group,login_banner";
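Review bot: The server loop resolves the new `$a_client['radius_source']` names against `auth_get_authserver_list()` by name alone, so if the mobile-client page or its input validation does not restrict the choice to RADIUS servers (neither is visible in this diff), a selected LDAP or local entry would be written into the eap-radius `servers` block with an empty `secret` and `auth_port`; a type guard in the loop, on the order of `if (($auth_server['type'] ?? '') == 'radius' && in_array($auth_server['name'], explode(',', $radius_auth_servers), true)) {`, keeps the generated strongswan.conf sane whatever the UI allows (confirm the field name the list exposes). The moved block is now also gated on `isset($a_client['enable']) || Swanctl::isEnabled()`, which the legacy phase1 path did not require before, so a mobile eap-radius phase1 with mobile-client support disabled no longer gets the plugin configured; worth confirming that change is intended. The `secret` is still emitted wrapped in bare double quotes with no escaping, so a shared secret containing `"` or a newline breaks the file (pre-existing, but a one-line caveat comment would help the next reader). ipsec_write_strongswan_conf() begins and ends outside this hunk.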
@@ -91,6 +91,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (!empty($pconfig['user_source'])) {
 $pconfig['user_source'] = implode(",", $pconfig['user_source']);
 }
+ if (!empty($pconfig['radius_source'])) {
+ $pconfig['radius_source'] = implode(",", $pconfig['radius_source']);
+ }
 /* input validation */
 $reqdfields = explode(" ", "user_source");
@@ -141,11 +144,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (count($input_errors) == 0) {
 $client = array();
- $copy_fields = "user_source,local_group,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,dns_domain,dns_server1
- ,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
+ $copy_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,
+ pool_netbits_v6,dns_domain,dns_server1,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
 ,dns_split,pfs_group,login_banner";
 foreach (explode(",", $copy_fields) as $fieldname) {
- $fieldname = trim($fieldname);
+ $fieldname = trim($fieldname);
 if (!empty($pconfig[$fieldname])) {
 $client[$fieldname] = $pconfig[$fieldname];
 }
@@ -324,9 +327,13 @@ if (isset($config['ipsec']['enable']) && is_subsystem_dirty('ipsec')) {
 print_info_box_apply(gettext("The IPsec tunnel configuration has been changed") . "
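Review bot: The new `radius_source` branch folds the POSTed value into `$pconfig` and, via the copy-fields hunk below, into the saved config, but no validation of its entries is visible; the `/* input validation */` section only marks `user_source` as required here and the rest of it lies outside the hunk. Because ipsec.inc later resolves these names against the full auth-server list, a crafted POST can persist a non-existent name or a non-RADIUS server, so add a check next to the existing ones that every entry of `explode(',', $pconfig['radius_source'])` names an auth server of RADIUS type and otherwise appends to `$input_errors`. Separately, `implode(",", $pconfig['radius_source'])` throws a TypeError on PHP 8 when the form field arrives as a plain string rather than an array, which a hand-made POST can do; guard it with `if (is_array($pconfig['radius_source'] ?? null)) {` (the adjacent `user_source` branch has the same weakness). The surrounding POST-handling block starts and ends outside this hunk.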
" . gettext("You must apply the changes in order for them to take effect."));
 }
 $ph1found = false;
+$legacy_radius_configured = false;
 foreach ($config['ipsec']['phase1'] as $ph1ent) {
 if (isset($ph1ent['mobile'])) {
 $ph1found = true;
+ if (($ph1ent['authentication_method'] ?? '') == 'eap-radius') {
+ $legacy_radius_configured = true;
+ }
 }
 }
@@ -362,10 +369,9 @@ if (isset($input_errors) && count($input_errors) > 0) {
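Review bot: `$legacy_radius_configured` is raised for any mobile phase1 whose method is eap-radius without looking at `$ph1ent['disabled']`, whereas the backend loop in ipsec.inc only takes legacy RADIUS servers from phase1 entries that are not disabled and otherwise falls back to `radius_source`. For a disabled legacy mobile phase1 using eap-radius the page would therefore report RADIUS as already configured (presumably hiding or disabling the new selector — the form markup is not legible in this diff) while the generated strongswan.conf ignores that phase1 entirely. Mirror the backend condition: `if (!isset($ph1ent['disabled']) && ($ph1ent['authentication_method'] ?? '') == 'eap-radius') {`, leaving `$ph1found` as it is.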
- + - + + + + + + + + + + + + +
@@ -397,6 +403,30 @@ foreach ($auth_servers as $auth_key => $auth_server) : ?>
+ +