From f12e4e4b2f19803a443766131f4350b3eafc12e7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 31 Jan 2017 21:29:06 +0100
Subject: [PATCH] don't try to enable legacy Xauth and radius at the same time + fix bug with $ph1ent
---
 src/etc/inc/ipsec.inc | 70 +++++++++++++++++++++++--------------------
 1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index 9c04660d7..ddf2e2864 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -700,7 +700,44 @@ EOD;
 }
 $strongswan .= "\t\t}\n";
- if ($a_client['user_source'] != "none") {
+ $disable_xauth = false;
+ foreach ($a_phase1 as $ph1ent) {
+ if (!isset($ph1ent['disabled']) && isset($ph1ent['mobile'])) {
+ if ($ph1ent['authentication_method'] == "eap-radius") {
+ $disable_xauth = true; // disable Xauth when radius is used.
+ $strongswan .= "\t\teap-radius {\n";
+ $radius_servers = "";
+ $radius_server_num = 1;
+ $radius_accounting_enabled = false;
+ foreach (auth_get_authserver_list() as $auth_server) {
+ if (in_array($auth_server['name'], explode(',', $ph1ent['authservers']))) {
+ $radius_servers .= "\t\t\t\tserver" . $radius_server_num . " {\n";
+ $radius_servers .= "\t\t\t\t\taddress = " . $auth_server['host'] . "\n";
+ $radius_servers .= "\t\t\t\t\tsecret = " . $auth_server['radius_secret'] . "\n";
+ $radius_servers .= "\t\t\t\t\tauth_port = " . $auth_server['radius_auth_port'] . "\n";
+
+ if (!empty($auth_server['radius_acct_port'])) {
+ $radius_servers .= "\t\t\t\t\tacct_port = " . $auth_server['radius_acct_port'] . "\n";
+ }
+ $radius_servers .= "\t\t\t\t}\n";
+ if (!empty($auth_server['radius_acct_port'])) {
+ $radius_accounting_enabled = true;
+ }
+ $radius_server_num += 1;
+ }
+ }
+ if ($radius_accounting_enabled) {
+ $strongswan .= "\t\t\taccounting = yes\n";
+ }
+ $strongswan .= "\t\t\tservers {\n";
+ $strongswan .= $radius_servers;
+ $strongswan .= "\t\t\t}\n";
+ $strongswan .= "\t\t}\n";
+ break; // there can only be one mobile phase1, exit loop
+ }
+ }
+ }
+ if ($a_client['user_source'] != "none" && $disable_xauth == false) {
 $strongswan .= "\t\txauth-generic {\n";
 $strongswan .= "\t\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
 $strongswan .= "\t\t\tauthcfg = ";
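Review bot: The RADIUS shared secret on the new `secret = ` line is written into strongswan.conf verbatim, so a secret containing `#` (a comment start in strongswan.conf), a double quote or a newline would be silently truncated or would break out of the `server` block, leaving a weaker or non-functional configuration; the same applies to the `address` line. If the shipped strongswan accepts double-quoted values with backslash escapes (strongswan.conf(5) documents them), I would emit `"\t\t\t\t\tsecret = \"" . addcslashes($auth_server['radius_secret'], '\\"') . "\"\n"`, or else reject those characters when the auth server is saved. Matching servers by name alone also does not confirm the entry is a RADIUS backend; if auth_get_authserver_list() can return other types (e.g. LDAP), an entry with an empty `address`/`secret` would be written, so a type check next to the in_array() test seems warranted. The enclosing function starts and ends outside this hunk.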
@@ -719,37 +756,6 @@ EOD;
 $strongswan .= "\n";
 $strongswan .= "\t\t}\n";
 }
-
- if ($ph1ent['authentication_method'] == "eap-radius") {
- $strongswan .= "\t\teap-radius {\n";
- $radius_servers = "";
- $radius_server_num = 1;
- $radius_accounting_enabled = false;
- foreach (auth_get_authserver_list() as $auth_server) {
- if (in_array($auth_server['name'], explode(',', $ph1ent['authservers']))) {
- $radius_servers .= "\t\t\t\tserver" . $radius_server_num . " {\n";
- $radius_servers .= "\t\t\t\t\taddress = " . $auth_server['host'] . "\n";
- $radius_servers .= "\t\t\t\t\tsecret = " . $auth_server['radius_secret'] . "\n";
- $radius_servers .= "\t\t\t\t\tauth_port = " . $auth_server['radius_auth_port'] . "\n";
-
- if (!empty($auth_server['radius_acct_port'])) {
- $radius_servers .= "\t\t\t\t\tacct_port = " . $auth_server['radius_acct_port'] . "\n";
- }
- $radius_servers .= "\t\t\t\t}\n";
- if (!empty($auth_server['radius_acct_port'])) {
- $radius_accounting_enabled = true;
- }
- $radius_server_num += 1;
- }
- }
- if ($radius_accounting_enabled) {
- $strongswan .= "\t\t\taccounting = yes\n";
- }
- $strongswan .= "\t\t\tservers {\n";
- $strongswan .= $radius_servers;
- $strongswan .= "\t\t\t}\n";
- $strongswan .= "\t\t}\n";
- }
 }
 $strongswan .= "\t}\n}\n";