Commit 661f6afd authored by Ad Schellevis's avatar Ad Schellevis

Merge branch 'eap-radius/2-try' of https://github.com/GurliGebis/opnsense_core...

Merge branch 'eap-radius/2-try' of https://github.com/GurliGebis/opnsense_core into GurliGebis-eap-radius/2-try
parents 60b48f01 01ef1930
...@@ -64,6 +64,7 @@ $p1_authentication_methods = array( ...@@ -64,6 +64,7 @@ $p1_authentication_methods = array(
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'eap-mschapv2' => array( 'name' => 'EAP-MSCHAPV2', 'mobile' => true), 'eap-mschapv2' => array( 'name' => 'EAP-MSCHAPV2', 'mobile' => true),
'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ), 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ),
); );
...@@ -498,6 +499,10 @@ function ipsec_configure($verbose = false) ...@@ -498,6 +499,10 @@ function ipsec_configure($verbose = false)
$rgmap = array(); $rgmap = array();
$filterdns_list = array(); $filterdns_list = array();
$ipsecpinghosts = ""; $ipsecpinghosts = "";
$radius_enabled = false;
$radius_accounting_enabled = false;
/* step through each phase1 entry */ /* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) { foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) { if (isset($ph1ent['disabled'])) {
...@@ -509,6 +514,21 @@ function ipsec_configure($verbose = false) ...@@ -509,6 +514,21 @@ function ipsec_configure($verbose = false)
} }
$ep = ipsec_get_phase1_src($ph1ent); $ep = ipsec_get_phase1_src($ph1ent);
/* only run once */
if ($ph1ent['authentication_method'] == "eap-radius" && $radius_enabled == false) {
$radius_enabled = true;
foreach (auth_get_authserver_list() as $auth_server) {
if ($auth_server['type'] == "radius") {
$radius_servers[] = $auth_server;
if (!empty($auth_server['radius_acct_port'])) {
$radius_accounting_enabled = true;
}
}
}
}
/* see if this tunnel has a hostname for the remote-gateway. If so, /* see if this tunnel has a hostname for the remote-gateway. If so,
try to resolve it now and add it to the list for filterdns */ try to resolve it now and add it to the list for filterdns */
...@@ -626,7 +646,7 @@ EOD; ...@@ -626,7 +646,7 @@ EOD;
if (isset($a_client['enable'])) { if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n"; $strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) { if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
} }
$cfgservers = array(); $cfgservers = array();
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) { foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
...@@ -635,7 +655,7 @@ EOD; ...@@ -635,7 +655,7 @@ EOD;
} }
} }
if (!empty($cfgservers)) { if (!empty($cfgservers)) {
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n"; $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
} }
unset($cfgservers); unset($cfgservers);
$cfgservers = array(); $cfgservers = array();
...@@ -646,7 +666,7 @@ EOD; ...@@ -646,7 +666,7 @@ EOD;
$cfgservers[] = $a_client['wins_server2']; $cfgservers[] = $a_client['wins_server2'];
} }
if (!empty($cfgservers)) { if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n"; $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
} }
unset($cfgservers); unset($cfgservers);
...@@ -667,41 +687,41 @@ EOD; ...@@ -667,41 +687,41 @@ EOD;
} }
if (!empty($net_list)) { if (!empty($net_list)) {
$strongswan .= "\t\tsplit-include = {$net_list}\n"; $strongswan .= "\t\t\tsplit-include = {$net_list}\n";
unset($net_list); unset($net_list);
} }
} }
if (!empty($a_client['dns_domain'])) { if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n"; $strongswan .= "\t\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n"; $strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split'])) { if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}"; $strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
} }
$strongswan .= "\n"; $strongswan .= "\n";
} }
if (!empty($a_client['dns_split'])) { if (!empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n"; $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
} }
if (!empty($a_client['login_banner'])) { if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n"; $strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
} }
if (isset($a_client['save_passwd'])) { if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = 1\n"; $strongswan .= "\t\t\t28673 = 1\n";
} }
if (!empty($a_client['pfs_group'])) { if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n"; $strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
} }
$strongswan .= "\t\t}\n"; $strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") { if ($a_client['user_source'] != "none") {
$strongswan .= "\txauth-generic {\n"; $strongswan .= "\t\txauth-generic {\n";
$strongswan .= "\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n"; $strongswan .= "\t\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\tauthcfg = "; $strongswan .= "\t\t\tauthcfg = ";
$firstsed = 0; $firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']); $authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) { foreach ($authcfgs as $authcfg) {
...@@ -715,7 +735,36 @@ EOD; ...@@ -715,7 +735,36 @@ EOD;
$firstsed = 1; $firstsed = 1;
} }
$strongswan .= "\n"; $strongswan .= "\n";
$strongswan .= "\t}\n"; $strongswan .= "\t\t}\n";
}
if ($radius_enabled == true) {
$strongswan .= "\t\teap-radius {\n";
if ($radius_accounting_enabled == true) {
$strongswan .= "\t\t\taccounting = yes\n";
}
$strongswan .= "\t\t\tservers {\n";
$i = 1;
foreach ($radius_servers as $radius_server) {
$strongswan .= "\t\t\t\tserver" . $i . " {\n";
$strongswan .= "\t\t\t\t\taddress = " . $radius_server['host'] . "\n";
$strongswan .= "\t\t\t\t\tsecret = " . $radius_server['radius_secret'] . "\n";
$strongswan .= "\t\t\t\t\tauth_port = " . $radius_server['radius_auth_port'] . "\n";
if (!empty($radius_server['radius_acct_port'])) {
$strongswan .= "\t\t\t\t\tacct_port = " . $radius_server['radius_acct_port'] . "\n";
}
$strongswan .= "\t\t\t\t}\n";
$i = $i + 1;
}
$strongswan .= "\t\t\t}\n";
$strongswan .= "\t\t}\n";
} }
} }
...@@ -918,7 +967,12 @@ EOD; ...@@ -918,7 +967,12 @@ EOD;
break; break;
case 'eap-mschapv2': case 'eap-mschapv2':
$authentication = "leftauth = pubkey\n\trightauth = eap-mschapv2"; $authentication = "leftauth = pubkey\n\trightauth = eap-mschapv2";
$authentication .= "\n\teap_identity=%any"; $authentication .= "\n\teap_identity = %any";
break;
case 'eap-radius':
$authentication = "leftauth = pubkey\n\trightauth = eap-radius";
$authentication .= "\n\trightsendcert = never";
$authentication .= "\n\teap_identity = %any";
break; break;
case 'xauth_rsa_server': case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; $authentication = "leftauth = pubkey\n\trightauth = pubkey";
...@@ -940,7 +994,7 @@ EOD; ...@@ -940,7 +994,7 @@ EOD;
break; break;
} }
if (!empty($ph1ent['certref'])) { if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
} }
if (!empty($ph1ent['caref'])) { if (!empty($ph1ent['caref'])) {
$ca = lookup_ca($ph1ent['caref']); $ca = lookup_ca($ph1ent['caref']);
...@@ -949,7 +1003,7 @@ EOD; ...@@ -949,7 +1003,7 @@ EOD;
foreach (cert_get_subject_array($ca['crt']) as $ca_field) { foreach (cert_get_subject_array($ca['crt']) as $ca_field) {
$rightca .= "{$ca_field['a']}={$ca_field['v']}/"; $rightca .= "{$ca_field['a']}={$ca_field['v']}/";
} }
$authentication .= "\n\trightca=\"/$rightca\""; $authentication .= "\n\trightca = \"/$rightca\"";
} }
} }
$left_spec = $ep; $left_spec = $ep;
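Review bot: `$radius_servers` is never initialised before `$radius_servers[] = $auth_server;` in the "only run once" branch, so a phase1 that selects eap-radius while no RADIUS authentication server is defined leaves the variable undefined; the later `foreach ($radius_servers as $radius_server)` in the `eap-radius {` block then raises a warning and an empty `servers { }` section is still written, and the user only finds out when strongSwan rejects or ignores the plugin config. Add `$radius_servers = array();` next to `$radius_enabled = false;`, and skip the `eap-radius {` block (or log an error) when the array is empty. The server entries are concatenated into strongswan.conf unquoted, so a `radius_secret` containing `#`, `}`, `"` or whitespace changes the generated syntax; the value is admin-supplied config, but quoting it or rejecting such characters at input time keeps the generated file well-formed. `auth_port` is emitted unconditionally while `acct_port` is guarded with `!empty()`, so an unset auth port produces `auth_port = ` with no value — guard it the same way. The eap-radius block appears to sit inside the mobile-client `if (isset($a_client['enable']))` branch whose start is outside this hunk, which would mean a non-mobile eap-radius phase1 gets no plugin config at all; worth confirming. The body of ipsec_configure continues beyond these hunks.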
......
...@@ -170,6 +170,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -170,6 +170,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['peerid_data'] = ""; $pconfig['peerid_data'] = "";
} }
/* RADIUS server means no CA being sent */
if ($pconfig['authentication_method'] == "eap-radius") {
$pconfig['caref'] = "";
}
/* input validation */ /* input validation */
$method = $pconfig['authentication_method']; $method = $pconfig['authentication_method'];
...@@ -178,6 +183,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -178,6 +183,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
switch ($method) { switch ($method) {
case "eap-tls": case "eap-tls":
case "eap-mschapv2": case "eap-mschapv2":
case "eap-radius":
if ($pconfig['iketype'] != 'ikev2') { if ($pconfig['iketype'] != 'ikev2') {
$input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method)); $input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method));
} }
...@@ -461,6 +467,12 @@ include("head.inc"); ...@@ -461,6 +467,12 @@ include("head.inc");
$(".auth_eap_tls_caref").show(); $(".auth_eap_tls_caref").show();
$(".auth_eap_tls_caref :input").prop( "disabled", false ); $(".auth_eap_tls_caref :input").prop( "disabled", false );
break; break;
case 'eap-radius':
$(".auth_eap_tls").show();
$(".auth_eap_tls :input").prop( "disabled", false );
$(".auth_eap_tls_caref").hide();
$(".auth_eap_tls_caref :input").prop( "disabled", true );
break;
case 'pre_shared_key': case 'pre_shared_key':
if ($("#mobile").val() == undefined) { if ($("#mobile").val() == undefined) {
$(".auth_psk").show(); $(".auth_psk").show();
...@@ -697,7 +709,8 @@ include("head.inc"); ...@@ -697,7 +709,8 @@ include("head.inc");
?> ?>
</select> </select>
<div class="hidden" for="help_for_authmethod"> <div class="hidden" for="help_for_authmethod">
<?=gettext("Must match the setting chosen on the remote side."); ?> <?=gettext("Must match the setting chosen on the remote side."); ?><br />
<?=sprintf(gettext("If you select EAP-RADIUS, you must define your RADIUS servers on the %sServers%s page."), '<a href="/system_authservers.php">', '</a>'); ?>
</div> </div>
</td> </td>
</tr> </tr>
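Review bot: The validation hunk only extends the IKEv2 check to `case "eap-radius":`; nothing verifies that at least one RADIUS authentication server exists, so the help text is the only guard and a misconfigured tunnel is accepted here and fails later in the generated strongSwan config. A check alongside the IKEv2 test would catch it at submit time: `$radius = array_filter(auth_get_authserver_list(), function ($s) { return $s['type'] === 'radius'; });` then `if ($method === "eap-radius" && empty($radius)) { $input_errors[] = gettext("EAP-RADIUS requires at least one RADIUS server to be configured."); }`. The new `if ($pconfig['authentication_method'] == "eap-radius")` compares a request-supplied value loosely; `===` is the consistent choice with the strict comparison already used for `REQUEST_METHOD` on this page. The surrounding POST handler starts and ends outside these hunks.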
......