authorErmal LUÇI <eri@pfsense.org>2015-04-16 19:42:26 +0200
committerErmal LUÇI <eri@pfsense.org>2015-04-16 19:42:26 +0200
commit2bc08de4e8654ce35d57a91073a99feb5ceb2d19 (patch)
treef6a14541fa171e75decf1c8fa49da23638990c37
parent0545a75e4c5a9802ce488c73d66b1e13de846776 (diff)
parentcb377516944e14fcd56ddad6b3963b09a9159d16 (diff)
Merge pull request #1612 from ibauersachs/ipsec-mobile-eap-radius
-rw-r--r--etc/inc/ipsec.inc1
-rw-r--r--etc/inc/vpn.inc37
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php5
3 files changed, 42 insertions, 1 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index fc94acd..ef47b15 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -126,6 +126,7 @@ $p1_authentication_methods = array(
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
+ 'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 25fb706..ad054c0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -404,6 +404,28 @@ EOD;
$strongswan .= "\tplugins {\n";
+ $a_servers = auth_get_authserver_list();
+ foreach ($a_servers as $id => $pconfig) {
+ if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
+ $strongswan .= <<<EOD
+ eap-radius {
+ class_group = yes
+ eap_start = no
+ servers {
+ primary {
+ address = {$pconfig['host']}
+ secret = {$pconfig['radius_secret']}
+ auth_port = {$pconfig['radius_auth_port']}
+ acct_port = {$pconfig['radius_acct_port']}
+ }
+ }
+ }
+
+EOD;
+ break;
+ }
+ }
+
if (is_array($a_client) && isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
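Review bot: The RADIUS shared secret and host on the `secret =` and `address =` lines are interpolated into the strongswan.conf plugin section verbatim, so a secret that contains whitespace, `#`, `}` or a newline truncates the value or breaks the enclosing `eap-radius { ... }` block, and the daemon then fails to parse its configuration rather than rejecting the setting. Writing the value double-quoted, `secret = "{$pconfig['radius_secret']}"`, covers spaces and `#`; the remaining characters a quoted value cannot carry (`"` and newline, unless escaped) should be rejected where the auth server is saved, or escaped here, since this is the same secret that appears in the FreeRADIUS-facing settings and is not otherwise validated on this page. The lookup on the `foreach` line compares `$id` with `$config['ipsec']['client']['user_source']` loosely and does not check that the key is set, which the surrounding code also does, so this is consistent rather than new; a strict `===` would be the safer form if it is touched again. The enclosing function starts and ends outside this hunk.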
@@ -548,7 +570,7 @@ EOD;
}
if (strstr($ph1ent['authentication_method'], 'rsa') ||
- in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls'))) {
+ in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
$certline = '';
$ikeid = $ph1ent['ikeid'];
@@ -848,6 +870,19 @@ EOD;
}
}
break;
+ case 'eap-radius':
+ if (isset($ph1ent['mobile'])) {
+ $authentication = "eap_identity=%identity\n\t";
+ $authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ } else {
+ $authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
+ if (!empty($ph1ent['certref'])) {
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ }
+ }
+ break;
case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth-generic";
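Review bot: The new `case 'eap-radius':` branch is written in a style that differs from the neighbouring cases in the same switch: the mobile branch guards the `leftcert` line with a brace-less `if` while the non-mobile branch uses braces, and the `leftauth=pubkey` / `rightauth=eap-radius` lines omit the spaces around `=` that the adjacent `leftauth = pubkey` case keeps. Braces on both `if` statements and `"leftauth = pubkey\n\trightauth = eap-radius"` would make the block read like the rest of the function. Since the method is registered as mobile-only in ipsec.inc, the non-mobile branch that sets `leftauth=eap-radius` appears to be unreachable through the GUI, and if the eap-radius plugin only acts as a responder-side EAP backend that setting would not work as an initiator method either; if it is kept, a one-line comment stating when it is expected to be reached would help, otherwise it could be dropped. The enclosing switch and function continue outside the hunk.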
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 4630828..009582e 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -175,6 +175,10 @@ if ($_POST) {
if ($pconfig['iketype'] != 'ikev2')
$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
break;
+ case "eap-radius":
+ if ($pconfig['iketype'] != 'ikev2')
+ $input_errors[] = gettext("EAP-RADIUS can only be used with IKEv2 type VPNs.");
+ break;
case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on
// the PSK tab, not here, so skip the check.
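Review bot: The added `case "eap-radius":` only enforces IKEv2, but the phase 1 can still be saved when no RADIUS server is selected as the mobile clients user source; in that configuration vpn.inc writes `rightauth=eap-radius` without ever emitting the `eap-radius { ... }` plugin block (that block is only written when `$config['ipsec']['client']['user_source']` matches an auth server of type radius), so every mobile client authentication fails at runtime with no hint on this page. The input validation should reject the method unless such a server is selected, mirroring the lookup vpn.inc performs; the check below repeats that lookup inline so the two stay in step, though a shared helper would avoid the duplication. The enclosing `switch` inside `if ($_POST)` starts and ends outside this hunk.
```php
case "eap-radius":
    if ($pconfig['iketype'] != 'ikev2')
        $input_errors[] = gettext("EAP-RADIUS can only be used with IKEv2 type VPNs.");
    /* vpn.inc only writes the eap-radius plugin block when the mobile
     * clients user source is a RADIUS auth server; refuse the method otherwise. */
    $radius_source = false;
    foreach (auth_get_authserver_list() as $id => $authsrv) {
        if ($id == $config['ipsec']['client']['user_source'] && $authsrv['type'] == "radius") {
            $radius_source = true;
            break;
        }
    }
    if (!$radius_source)
        $input_errors[] = gettext("EAP-RADIUS requires a RADIUS server to be selected as the Mobile Clients user authentication source.");
    break;
```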
@@ -479,6 +483,7 @@ function methodsel_change() {
switch (value) {
case 'eap-mschapv2':
case 'eap-tls':
+ case 'eap-radius':
document.getElementById('opt_psk').style.display = 'none';
document.getElementById('opt_peerid').style.display = '';
document.getElementById('opt_cert').style.display = '';