Validate that the Mobile Client settings have a valid RADIUS server selected

as the source for user authentication when EAP-RADIUS is selected as the
phase 1 authentication method for mobile IPsec. Fixes #5219.

1 files changed, 11 insertions, 0 deletions

diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index 3770335..5a9b37f 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -414,6 +414,17 @@ if ($_POST) {
 		}
 	}
 
+	/* auth backend for mobile eap-radius VPNs should be a RADIUS server */
+	
+	if (($pconfig['authentication_method'] == 'eap-radius') && $pconfig['mobile']) {
+		$auth_server_name  = $config['ipsec']['client']['user_source'];
+		$auth_server       = auth_get_authserver($auth_server_name);
+		if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
+			$input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
+		}
+	}
+
+
 	/* build our encryption algorithms array */
 	$pconfig['ealgo'] = array();
 	$pconfig['ealgo']['name'] = $_POST['ealgo'];