From cb377516944e14fcd56ddad6b3963b09a9159d16 Mon Sep 17 00:00:00 2001
From: Ingo Bauersachs <ingo@jitsi.org>
Date: Mon, 13 Apr 2015 11:17:33 +0200
Subject: Add support for EAP-RADIUS to IKEv2 Mobile Clients

---
 etc/inc/ipsec.inc |  1 +
 etc/inc/vpn.inc   | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

(limited to 'etc')

diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index fc94acd..ef47b15 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -126,6 +126,7 @@ $p1_authentication_methods = array(
 	'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
 	'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
 	'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
+	'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
 	'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true),
 	'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
 	'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d5efa8a..57e6de7 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -403,6 +403,28 @@ EOD;
 
 	$strongswan .= "\tplugins {\n";
 
+	$a_servers = auth_get_authserver_list();
+	foreach ($a_servers as $id => $pconfig) {
+		if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
+			$strongswan .= <<<EOD
+		eap-radius {
+			class_group = yes
+			eap_start = no
+			servers {
+				primary {
+					address = {$pconfig['host']}
+					secret = {$pconfig['radius_secret']}
+					auth_port = {$pconfig['radius_auth_port']}
+					acct_port = {$pconfig['radius_acct_port']}
+				}
+			}
+		}
+
+EOD;
+			break;
+		}
+	}
+
 	if (is_array($a_client) && isset($a_client['enable'])) {
 		$strongswan .= "\t\tattr {\n";
 		if ($a_client['pool_address'] && $a_client['pool_netbits']) {
@@ -547,7 +569,7 @@ EOD;
 			}
 
 			if (strstr($ph1ent['authentication_method'], 'rsa') ||
-			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls'))) {
+			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
 				$certline = '';
 
 				$ikeid = $ph1ent['ikeid'];
@@ -847,6 +869,19 @@ EOD;
 						}
 					}
 					break;
+				case 'eap-radius':
+					if (isset($ph1ent['mobile'])) {
+						$authentication = "eap_identity=%identity\n\t";
+						$authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
+						if (!empty($ph1ent['certref']))
+							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+					} else {
+						$authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
+						if (!empty($ph1ent['certref'])) {
+							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+						}
+					}
+					break;
 				case 'xauth_rsa_server':
 					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
 					$authentication .= "\n\trightauth2 = xauth-generic";
-- 
cgit v1.1