author | Ingo Bauersachs <ingo@jitsi.org> | 2015-04-13 11:17:33 +0200 |
---|---|---|
committer | Ingo Bauersachs <ingo@jitsi.org> | 2015-04-15 14:28:54 +0200 |
commit | d09155b684b90d14ddcae6a69fb99ce8d34f5c35 (patch) | |
tree | 579ba227e8b70e2080d23453b10e4a23f42531b9 | |
parent | 4847615c9dec128c2efa6562600e34e1d24dd25d (diff) | |
Add support for EAP-RADIUS to IKEv2 Mobile Clients (Rel. 2.2)
-rw-r--r-- | etc/inc/ipsec.inc | 1 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 36 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 5 |
3 files changed, 41 insertions, 1 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index aef66fe..c81edc5 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -126,6 +126,7 @@ $p1_authentication_methods = array(
 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
+ 'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
 'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true),
 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index ccfbd12..100fa79 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -373,6 +373,28 @@ EOD;
 $strongswan .= "\tplugins {\n";
+ $a_servers = auth_get_authserver_list();
+ foreach ($a_servers as $id => $pconfig) {
+ if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
+ $strongswan .= <<<EOD
+ eap-radius {
+ class_group = yes
+ eap_start = no
+ servers {
+ primary {
+ address = {$pconfig['host']}
+ secret = {$pconfig['radius_secret']}
+ auth_port = {$pconfig['radius_auth_port']}
+ acct_port = {$pconfig['radius_acct_port']}
+ }
+ }
+ }
+
+EOD;
+ break;
+ }
+ }
+
 if (is_array($a_client) && isset($a_client['enable'])) {
 $strongswan .= "\t\tattr {\n";
 if ($a_client['pool_address'] && $a_client['pool_netbits'])
@@ -499,7 +521,7 @@ EOD;
 continue;
 if (strstr($ph1ent['authentication_method'], 'rsa') ||
- in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls'))) {
+ in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
 $certline = '';
 $ikeid = $ph1ent['ikeid'];
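Review bot: The new eap-radius plugin block writes the RADIUS shared secret into strongswan.conf unescaped on the `secret = {$pconfig['radius_secret']}` line, so a secret containing `#`, a double quote, `}` or a newline corrupts the generated config or silently truncates the value that strongSwan actually uses; strongswan.conf accepts double-quoted values, so emitting the secret quoted with its quotes and backslashes escaped (or rejecting those characters in the auth-server form) would close that gap. The preceding `if` line compares `$id == $config['ipsec']['client']['user_source']` loosely and reads the index unconditionally, which raises an undefined-index notice whenever no mobile user source is configured; `isset($config['ipsec']['client']['user_source']) && $id === $config['ipsec']['client']['user_source']` is the intended check. The host and both ports are copied from the server entry as-is; if `radius_acct_port` can be left empty in the stored config (the auth-server form is not in this diff), the `acct_port =` line should be omitted rather than written empty. The enclosing function starts and ends outside the hunk.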
@@ -777,6 +799,18 @@ EOD;
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
 }
 break;
+ case 'eap-radius':
+ if (isset($ph1ent['mobile'])) {
+ $authentication = "eap_identity=%identity\n\t";
+ $authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ } else {
+ $authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ }
+ break;
 case 'xauth_rsa_server':
 $authentication = "leftauth = pubkey\n\trightauth = pubkey";
 $authentication .= "\n\trightauth2 = xauth-generic";
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 4630828..009582e 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -175,6 +175,10 @@ if ($_POST) {
 if ($pconfig['iketype'] != 'ikev2')
 $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
 break;
+ case "eap-radius":
+ if ($pconfig['iketype'] != 'ikev2')
+ $input_errors[] = gettext("EAP-RADIUS can only be used with IKEv2 type VPNs.");
+ break;
 case "pre_shared_key":
 // If this is a mobile PSK tunnel the user PSKs go on
 // the PSK tab, not here, so skip the check.
@@ -479,6 +483,7 @@ function methodsel_change() {
 switch (value) {
 case 'eap-mschapv2':
 case 'eap-tls':
+ case 'eap-radius':
 document.getElementById('opt_psk').style.display = 'none';
 document.getElementById('opt_peerid').style.display = '';
 document.getElementById('opt_cert').style.display = '';
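Review bot: In the mobile branch of the new `case 'eap-radius':` the responder is configured with `leftauth=pubkey`, but `leftcert` is only appended when `$ph1ent['certref']` is non-empty, so a phase 1 saved without a certificate yields a config in which the server cannot authenticate itself and the failure surfaces only in the IKE log; unless the form already requires a certificate for this method (that check is not in the diff), vpn_ipsec_phase1.php should reject an empty certref for eap-radius alongside the IKEv2 check it adds. The `leftcert` line is identical in both branches and could be appended once after the if/else. ipsec.inc registers the method with 'mobile' => true only, so the non-mobile `leftauth=eap-radius` branch appears unreachable from the UI; if it is kept deliberately, a comment such as `// non-mobile: this side authenticates to the peer via EAP` stating when it applies would help the next reader. The enclosing switch starts and ends outside the hunk.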
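Review bot: The new `case "eap-radius":` enforces only IKEv2; it does not check that the Mobile Clients user source is a RADIUS server, yet vpn.inc emits the `eap-radius { ... }` plugin section only when `$config['ipsec']['client']['user_source']` matches an auth server of type radius, so a phase 1 with this method and a local-database or LDAP user source saves cleanly and every client authentication then fails at connect time with nothing shown in the UI. Resolving the selected user source here and adding `$input_errors[] = gettext("EAP-RADIUS requires a RADIUS server to be selected as the Mobile Clients user source.");` when its type is not radius would make the misconfiguration visible where it is made. The comparison follows the sibling cases in using `!=`; `!==` is the safer form for these string values. The enclosing `if ($_POST)` block starts and ends outside the hunk.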