
Revision d09155b6

Added by Ingo Bauersachs over 10 years ago

Add support for EAP-RADIUS to IKEv2 Mobile Clients (Rel. 2.2)


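--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -373,6 +373,28 @@
 
 	$strongswan .= "\tplugins {\n";
 
+	$a_servers = auth_get_authserver_list();
+	foreach ($a_servers as $id => $pconfig) {
+		if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
+			$strongswan .= <<<EOD
+		eap-radius {
+			class_group = yes
+			eap_start = no
+			servers {
+				primary {
+					address = {$pconfig['host']}
+					secret = {$pconfig['radius_secret']}
+					auth_port = {$pconfig['radius_auth_port']}
+					acct_port = {$pconfig['radius_acct_port']}
+				}
+			}
+		}
+
+EOD;
+			break;
+		}
+	}
+
 	if (is_array($a_client) && isset($a_client['enable'])) {
 		$strongswan .= "\t\tattr {\n";
 		if ($a_client['pool_address'] && $a_client['pool_netbits'])
@@ -499,7 +521,7 @@
 				continue;
 
 			if (strstr($ph1ent['authentication_method'], 'rsa') ||
-			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls'))) {
+			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
 				$certline = '';
 
 				$ikeid = $ph1ent['ikeid'];
@@ -777,6 +799,18 @@
 						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
 				}
 				break;
+			case 'eap-radius':
+				if (isset($ph1ent['mobile'])) {
+					$authentication = "eap_identity=%identity\n\t";
+					$authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
+					if (!empty($ph1ent['certref']))
+						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+				} else {
+					$authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
+					if (!empty($ph1ent['certref']))
+						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+				}
+				break;
 			case 'xauth_rsa_server':
 				$authentication = "leftauth = pubkey\n\trightauth = pubkey";
 				$authentication .= "\n\trightauth2 = xauth-generic";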
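Review bot: In the first hunk the new `eap-radius` block writes `{$pconfig['radius_secret']}`, `{$pconfig['host']}` and the two ports into the strongswan.conf text unquoted and unescaped, so a shared secret containing `#`, `{`, `}`, whitespace or a line break would be truncated or would change the sections that follow it. Escape the value before the heredoc and emit it quoted, e.g. `$radius_secret = addcslashes($pconfig['radius_secret'], "\"\\");` and `secret = "{$radius_secret}"`, and reject values that contain line breaks. The same hunk matches the server with loose `==` (`$id == $config['ipsec']['client']['user_source']`); the keys are presumably server names, but if the list can have integer keys a loose match could select the wrong entry, so comparing string-cast values with `===` would remove the doubt. The code that writes this text to disk starts and ends outside the visible hunks, so it is worth confirming there that the file now holding the RADIUS secret is not world-readable.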
