From 0e8674d0db51dd7f7ae8a5e5640b7cea7ccd2c64 Mon Sep 17 00:00:00 2001
From: Matt Smith <mgsmith@netgate.com>
Date: Mon, 19 Oct 2015 11:22:35 -0500
Subject: Validate that the Mobile Client settings have a valid RADIUS server
 selected as the source for user authentication when EAP-RADIUS is selected as
 the phase 1 authentication method for mobile IPsec. Fixes #5219.

---
 usr/local/www/vpn_ipsec_phase1.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'usr')

diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 8549805..7834315 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -342,6 +342,17 @@ if ($_POST) {
             }
         }
 
+	/* auth backend for mobile eap-radius VPNs should be a RADIUS server */
+	
+	if (($pconfig['authentication_method'] == 'eap-radius') && $pconfig['mobile']) {
+		$auth_server_name  = $config['ipsec']['client']['user_source'];
+		$auth_server       = auth_get_authserver($auth_server_name);
+		if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
+			$input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
+		}
+	}
+
+
 	/* build our encryption algorithms array */
 	$pconfig['ealgo'] = array();
 	$pconfig['ealgo']['name'] = $_POST['ealgo'];
-- 
cgit v1.1