
Revision d09155b6

Added by Ingo Bauersachs over 10 years ago

Add support for EAP-RADIUS to IKEv2 Mobile Clients (Rel. 2.2)


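--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -126,6 +126,7 @@
 	'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
 	'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
 	'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
+	'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
 	'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true),
 	'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
 	'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );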
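--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -373,6 +373,28 @@
 
 	$strongswan .= "\tplugins {\n";
 
+	$a_servers = auth_get_authserver_list();
+	foreach ($a_servers as $id => $pconfig) {
+		if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
+			$strongswan .= <<<EOD
+		eap-radius {
+			class_group = yes
+			eap_start = no
+			servers {
+				primary {
+					address = {$pconfig['host']}
+					secret = {$pconfig['radius_secret']}
+					auth_port = {$pconfig['radius_auth_port']}
+					acct_port = {$pconfig['radius_acct_port']}
+				}
+			}
+		}
+
+EOD;
+			break;
+		}
+	}
+
 	if (is_array($a_client) && isset($a_client['enable'])) {
 		$strongswan .= "\t\tattr {\n";
 		if ($a_client['pool_address'] && $a_client['pool_netbits'])
@@ -499,7 +521,7 @@
 				continue;
 
 			if (strstr($ph1ent['authentication_method'], 'rsa') ||
-			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls'))) {
+			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
 				$certline = '';
 
 				$ikeid = $ph1ent['ikeid'];
@@ -777,6 +799,18 @@
 						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
 				}
 				break;
+			case 'eap-radius':
+				if (isset($ph1ent['mobile'])) {
+					$authentication = "eap_identity=%identity\n\t";
+					$authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
+					if (!empty($ph1ent['certref']))
+						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+				} else {
+					$authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
+					if (!empty($ph1ent['certref']))
+						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+				}
+				break;
 			case 'xauth_rsa_server':
 				$authentication = "leftauth = pubkey\n\trightauth = pubkey";
 				$authentication .= "\n\trightauth2 = xauth-generic";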
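Review bot: The heredoc in the plugins hunk interpolates `$pconfig['radius_secret']`, `host` and both port fields into strongswan.conf verbatim, so an auth server whose accounting port is left blank produces an empty `acct_port =` line, and a secret containing `}`, `#` or a newline would change the structure of the generated file rather than just the value. Emit the two port lines only when `!empty($pconfig['radius_auth_port'])` / `!empty($pconfig['radius_acct_port'])`, and check whether the secret needs strongswan.conf quoting before it is written. A second gap: the `eap-radius { … }` plugin block is written only when the mobile `user_source` resolves to a RADIUS server, while the later `case 'eap-radius'` hunk emits `rightauth=eap-radius` unconditionally, so a phase 1 set to EAP-RADIUS with a non-RADIUS user source presumably yields a configuration strongSwan cannot complete; the non-mobile `leftauth=eap-radius` branch is also reachable in code even though ipsec.inc marks the method mobile-only. The enclosing functions of all three hunks start and end outside the hunks.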
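--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -175,6 +175,10 @@
 			if ($pconfig['iketype'] != 'ikev2')
 				$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
 			break;
+		case "eap-radius":
+			if ($pconfig['iketype'] != 'ikev2')
+				$input_errors[] = gettext("EAP-RADIUS can only be used with IKEv2 type VPNs.");
+			break;
 		case "pre_shared_key":
 			// If this is a mobile PSK tunnel the user PSKs go on
 			//    the PSK tab, not here, so skip the check.
@@ -479,6 +483,7 @@
 	switch (value) {
 	case 'eap-mschapv2':
 	case 'eap-tls':
+	case 'eap-radius':
 		document.getElementById('opt_psk').style.display = 'none';
 		document.getElementById('opt_peerid').style.display = '';
 		document.getElementById('opt_cert').style.display = '';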
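Review bot: The new `case "eap-radius"` validation only rejects non-IKEv2 tunnels; it does not confirm that the Mobile Clients user authentication source is a RADIUS server, which is the condition the generator in etc/inc/vpn.inc of this same commit requires before it writes the `eap-radius` plugin block, so a misconfiguration surfaces at tunnel setup instead of at save time. Consider adding, after the IKEv2 check, a lookup of `$config['ipsec']['client']['user_source']` in `auth_get_authserver_list()` and `$input_errors[] = gettext("EAP-RADIUS requires a RADIUS server as the Mobile Clients user authentication source.");` when no entry of type `radius` matches. The JavaScript hunk only toggles field visibility and mirrors the EAP-TLS case. Both enclosing switch statements begin outside the hunks.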
