authorMatt Smith <mgsmith@netgate.com>2015-11-03 11:13:08 -0600
committerMatt Smith <mgsmith@netgate.com>2015-11-03 11:17:02 -0600
commit6684d5944eacf4dbd717edba9d82c30001b5bc3b (patch)
tree61651de841ec4970147d203dc2682079124208eb /src/usr
parentfad87798bb0beb552b0c7dfab0405c947f2f3035 (diff)
Don't allow IPsec mobile clients user auth source to not be a RADIUS server if
the phase1 auth method is EAP-RADIUS. Properly handle selection of multiple RADIUS servers when using EAP-RADIUS. Fixes #5219.
Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/local/www/vpn_ipsec_mobile.php17
-rw-r--r--src/usr/local/www/vpn_ipsec_phase1.php16
2 files changed, 26 insertions, 7 deletions
diff --git a/src/usr/local/www/vpn_ipsec_mobile.php b/src/usr/local/www/vpn_ipsec_mobile.php
index d0baa23..1d5b68e 100644
--- a/src/usr/local/www/vpn_ipsec_mobile.php
+++ b/src/usr/local/www/vpn_ipsec_mobile.php
@@ -147,6 +147,11 @@ if ($_POST['save']) {
unset($input_errors);
$pconfig = $_POST;
+ foreach ($a_phase1 as $ph1ent) {
+ if (isset($ph1ent['mobile'])) {
+ $mobileph1 = $ph1ent;
+ }
+ }
/* input consolidation */
/* input validation */
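Review bot: The added loop has no `break;`, so when more than one phase1 entry has `mobile` set, `$mobileph1` silently ends up as the last one, and that entry's `authentication_method` decides whether the RADIUS check further down runs at all. If the configuration is meant to hold a single mobile phase1, a `break;` after the assignment makes that explicit. A one-line comment such as `/* locate the mobile phase1 entry; its auth method gates the user_source check below */` would tie this lookup to its later use. `$a_phase1` is defined outside the hunk, so whether it is always an array here cannot be confirmed from these lines.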
@@ -222,6 +227,18 @@ if ($_POST['save']) {
}
}
+ if ($pconfig['user_source']) {
+ if (isset($mobileph1) && $mobileph1['authentication_method'] == 'eap-radius') {
+ foreach ($pconfig['user_source'] as $auth_server_name) {
+ $auth_server = auth_get_authserver($auth_server_name);
+ if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
+ $input_errors[] = gettext("Only valid RADIUS servers may be selected as a user source when using EAP-RADIUS for authentication on the Mobile IPsec VPN.");
+ $pconfig['user_source'] = implode(',', $pconfig['user_source']);
+ }
+ }
+ }
+ }
+
if (!$input_errors) {
$client = array();
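Review bot: The new RADIUS check fails open when `$pconfig['user_source']` is not an array. The value is copied straight from `$_POST`, and a scalar posted there makes the `foreach` iterate nothing, so no server is validated and no error is recorded. Inside the loop, the first failure replaces `$pconfig['user_source']` with an imploded string while the loop keeps running, so each further non-RADIUS entry appends a duplicate message and calls `implode()` on that string again. Iterating over a normalised copy and stopping at the first failure avoids both, as sketched below. The enclosing `if ($_POST['save'])` block starts and ends outside the hunk, so how `user_source` is handled on the success path is not visible here.

```php
		// Normalise so a scalar POST value is validated rather than skipped.
		$user_sources = (array)$pconfig['user_source'];
		foreach ($user_sources as $auth_server_name) {
			$auth_server = auth_get_authserver($auth_server_name);
			if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
				// … unchanged: $input_errors[] = gettext(...) …
				$pconfig['user_source'] = implode(',', $user_sources);
				break;
			}
		}
```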
diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index 5fda34b..6b26dac 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -416,16 +416,18 @@ if ($_POST) {
}
/* auth backend for mobile eap-radius VPNs should be a RADIUS server */
-
if (($pconfig['authentication_method'] == 'eap-radius') && $pconfig['mobile']) {
- $auth_server_name = $config['ipsec']['client']['user_source'];
- $auth_server = auth_get_authserver($auth_server_name);
- if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
- $input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
+ if (!empty($config['ipsec']['client']['user_source'])) {
+ $auth_server_list = explode(',', $config['ipsec']['client']['user_source']);
+ foreach ($auth_server_list as $auth_server_name) {
+ $auth_server = auth_get_authserver($auth_server_name);
+ if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
+ $input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
+ }
+ }
}
}
-
-
+
/* build our encryption algorithms array */
$pconfig['ealgo'] = array();
$pconfig['ealgo']['name'] = $_POST['ealgo'];
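Review bot: The new `!empty($config['ipsec']['client']['user_source'])` guard skips the whole check when no user source is configured, so a mobile phase1 can now be saved as EAP-RADIUS with no RADIUS backend selected. The removed code passed the empty value to `auth_get_authserver()` and presumably raised the error in that case, though that function's return value for an empty name is not visible here. If an empty source should still be rejected, add an `else` branch that appends the same `$input_errors[]` message. A `break;` after the append inside the loop would also stop the identical message being added once per non-RADIUS entry. Since the list comes from `explode(',', ...)`, a `trim()` on each name before the lookup would guard against stray whitespace in the stored value.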