From 6684d5944eacf4dbd717edba9d82c30001b5bc3b Mon Sep 17 00:00:00 2001
From: Matt Smith <mgsmith@netgate.com>
Date: Tue, 3 Nov 2015 11:13:08 -0600
Subject: Don't allow IPsec mobile clients user auth source to not be a RADIUS
 server if the phase1 auth method is EAP-RADIUS. Properly handle selection of
 multiple RADIUS servers when using EAP-RADIUS. Fixes #5219.

---
 src/usr/local/www/vpn_ipsec_mobile.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'src/usr/local/www/vpn_ipsec_mobile.php')

diff --git a/src/usr/local/www/vpn_ipsec_mobile.php b/src/usr/local/www/vpn_ipsec_mobile.php
index d0baa23..1d5b68e 100644
--- a/src/usr/local/www/vpn_ipsec_mobile.php
+++ b/src/usr/local/www/vpn_ipsec_mobile.php
@@ -147,6 +147,11 @@ if ($_POST['save']) {
 	unset($input_errors);
 	$pconfig = $_POST;
 
+	foreach ($a_phase1 as $ph1ent) {
+		if (isset($ph1ent['mobile'])) {
+			$mobileph1 = $ph1ent;
+		}
+	}
 	/* input consolidation */
 
 	/* input validation */
@@ -222,6 +227,18 @@ if ($_POST['save']) {
 		}
 	}
 
+	if ($pconfig['user_source']) {
+		if (isset($mobileph1) && $mobileph1['authentication_method'] == 'eap-radius') {
+			foreach ($pconfig['user_source'] as $auth_server_name) {
+				$auth_server       = auth_get_authserver($auth_server_name);
+				if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
+					$input_errors[] = gettext("Only valid RADIUS servers may be selected as a user source when using EAP-RADIUS for authentication on the Mobile IPsec VPN.");
+					$pconfig['user_source'] = implode(',', $pconfig['user_source']);
+				}
+			}
+		}
+	}
+
 	if (!$input_errors) {
 		$client = array();
 
-- 
cgit v1.1