T6237: IPSec remote access VPN: ability to set EAP ID of clients

vyos · Apr 21, 2024 · 78ea623 · 78ea623
1 parent 4cde677
commit 78ea623
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 1 deletion.
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
@@ -33,7 +33,7 @@
             auth = pubkey
 {% elif rw_conf.authentication.client_mode.startswith("eap") %}
             auth = {{ rw_conf.authentication.client_mode }}
-            eap_id = %any
+            eap_id = {{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }}
 {% endif %}
 {% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %}
 {#          pass all configured CAs as filenames, separated by commas #}

diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
@@ -768,6 +768,26 @@
                     <children>
                       #include <include/ipsec/authentication-id.xml.i>
                       #include <include/ipsec/authentication-x509.xml.i>
+                      <leafNode name="eap-id">
+                        <properties>
+                          <help>Remote EAP ID for client authentication</help>
+                          <valueHelp>
+                            <format>txt</format>
+                            <description>Remote EAP ID for client authentication</description>
+                          </valueHelp>
+                          <completionHelp>
+                            <list>any</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>any</format>
+                            <description>Allow any EAP ID</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>[[:ascii:]]{1,64}</regex>
+                          </constraint>
+                        </properties>
+                        <defaultValue>any</defaultValue>
+                      </leafNode>
                       <leafNode name="client-mode">
                         <properties>
                           <help>Client authentication mode</help>

diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -782,6 +782,11 @@ def test_remote_access_eap_tls(self):
         self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem')))
         self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
 
+        # Test setting of custom EAP ID
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'eap-id', 'eap-user@vyos.net'])
+        self.cli_commit()
+        self.assertIn(r'eap_id = eap-user@vyos.net', read_file(swanctl_file))
+
         self.tearDownPKI()
 
     def test_remote_access_x509(self):