VPN: IPsec: Connections - remote authentication. Add support for radi…

…us class groups PR: #6826 (cherry picked from commit 928d2f8) (cherry picked from commit af46866) (cherry picked from commit 9e26e00)
opnsense · Dec 11, 2023 · 95ab468 · 95ab468
1 parent e983397
commit 95ab468
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 1 deletion.
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1061,7 +1061,8 @@ function ipsec_write_strongswan_conf()
     if (empty($radius_auth_servers) && !empty($a_client['radius_source'])) {
         $radius_auth_servers = $a_client['radius_source'];
     }
-    if ((isset($a_client['enable']) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) && !empty($radius_auth_servers)) {
+    $mdl = new \OPNsense\IPsec\Swanctl();
+    if ((isset($a_client['enable']) || $mdl->isEnabled()) && !empty($radius_auth_servers)) {
         $disable_xauth = true; // disable Xauth when radius is used.
         $strongswanTree['charon']['plugins']['eap-radius'] = [];
         $strongswanTree['charon']['plugins']['eap-radius']['servers'] = [];
@@ -1090,6 +1091,9 @@ function ipsec_write_strongswan_conf()
         if ($radius_accounting_enabled) {
             $strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes';
         }
+        if ($mdl->radiusUsesGroups()) {
+            $strongswanTree['charon']['plugins']['eap-radius']['class_group'] = 'yes';
+        }
     }
     if ((isset($a_client['enable']) && !$disable_xauth) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) {
         $strongswanTree['charon']['plugins']['xauth-pam'] = [

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogRemote.xml b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogRemote.xml
@@ -41,6 +41,13 @@
         <help>Client EAP-Identity to use in EAP-Identity exchange and the EAP method. If set to %any the EAP-Identity method will be used to ask the client for an EAP identity.</help>
         <style>remote_auth remote_auth_eap-mschapv2 remote_auth_eap-tls remote_auth_eap-radius</style>
     </field>
+    <field>
+        <id>remote.groups</id>
+        <label>Groups</label>
+        <type>select_multiple</type>
+        <help>List of group memberships to require. The client must prove membership to at least one of the specified groups.</help>
+        <style>selectpicker remote_auth remote_auth_eap-radius</style>
+    </field>
     <field>
       <id>remote.certs</id>
       <label>Certificates</label>

diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
@@ -30,6 +30,7 @@
 
 use Phalcon\Messages\Message;
 use OPNsense\Base\BaseModel;
+use OPNsense\Core\Config;
 use OPNsense\Firewall\Util;
 
 /**
@@ -38,6 +39,27 @@
  */
 class Swanctl extends BaseModel
 {
+    /**
+     * convert group ids to group (class) names
+     */
+    private function gidToNames($gids)
+    {
+        $result = [];
+        $cnf = Config::getInstance()->object();
+        $mapping = [];
+        if (isset($cnf->system->group)) {
+            foreach ($cnf->system->group as $group) {
+                $mapping[(string)$group->gid] = (string)$group->name;
+            }
+        }
+        foreach (explode(',', $gids) as $gid) {
+            if (!empty($mapping[$gid])) {
+                $result[] = $mapping[$gid];
+            }
+        }
+        return implode(',', $result);
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -175,6 +197,8 @@ public function getConfig()
                             $pool_names[$node_uuid] = (string)$attr;
                         }
                         continue;
+                    } elseif (is_a($attr, 'OPNsense\Base\FieldTypes\AuthGroupField')) {
+                        $thisnode[$attr_name] = $this->gidToNames((string)$attr);
                     } elseif (is_a($attr, 'OPNsense\Base\FieldTypes\BooleanField')) {
                         $thisnode[$attr_name] = (string)$attr == '1' ? 'yes' : 'no';
                     } elseif (is_a($attr, 'OPNsense\Base\FieldTypes\CertificateField')) {
@@ -301,4 +325,25 @@ public function getUsedCertrefs()
         }
         return $certrefs;
     }
+
+    /**
+     * @return bool is there at least one connection using radius groups?
+     */
+    public function radiusUsesGroups()
+    {
+        foreach ($this->remotes->iterateRecursiveItems() as $node) {
+            if ($node->getInternalXMLTagName() == 'auth' && (string)$node == 'eap-radius') {
+                $auth = $node->getParentNode();
+                $connid = (string)$auth->connection;
+                if (
+                    !empty((string)$auth->groups) &&
+                    isset($this->Connections->Connection->$connid) &&
+                    !empty((string)$this->Connections->Connection->$connid->enabled)
+                ) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
@@ -200,6 +200,9 @@
                 <eap_id type="TextField">
                     <Mask>/^([0-9a-zA-Z\.\-,_\:\@\%]){0,1024}$/u</Mask>
                 </eap_id>
+                <groups type="AuthGroupField">
+                    <Multiple>Y</Multiple>
+                </groups>
                 <certs type="CertificateField">
                     <Multiple>Y</Multiple>
                     <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>