
Openconnect radiusclient.conf generating with extra authserver
Closed, Resolved (Public, Bug)

Description

Hi guys,

I found a bug while doing some tinkering with the vyos-1x package: when the default config dictionary is merged with the CLI config dictionary, the default port configured for RADIUS authentication effectively creates an extra entry in radiusclient.conf as an extra authserver. E.g. when RADIUS is enabled with a RADIUS server configured as 123.123.123.123 with port 1812, we get the following radiusclient.conf:

Note the "authserver port" line.

### generated by vpn_openconnect.py ###
nas-identifier VyOS
authserver 123.123.123.123:1812
authserver port
radius_timeout 2
bindaddr *
servers /run/ocserv/radius_servers
dictionary /etc/radcli/dictionary
default_realm
radius_retries 3

I added some debug prints in vpn_openconnect.py and rebuilt the package to illustrate why this is happening:

from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.xml import defaults

def get_config():
    conf = Config()
    base = ['vpn', 'openconnect']
    if not conf.exists(base):
        return None

    ocserv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
    # We have gathered the dict representation of the CLI, but there are default
    # options which we need to update into the dictionary retrieved.
    print(ocserv)           # debug: CLI dict as configured
    print(defaults(base))   # debug: default values for the same subtree
    default_values = defaults(base)
    ocserv = dict_merge(default_values, ocserv)
    print(ocserv)           # debug: merged result

    ...

Which shows the following on commit:

{'authentication': {'mode': {'radius': {}}, 'radius': {'server': {'123.123.123.123': {'port': '1812'}}}}, 'listen_ports': {}, 'ssl': {'ca_certificate': 'ca-ocserv', 'certificate': 'srv-ocserv'}}

{'authentication': {'local_users': {'username': {'otp': {'otp_length': '6', 'interval': '30', 'token_type': 'hotp-time'}}}, 'radius': {'server': {'port': '1812'}, 'timeout': '2'}}, 'listen_ports': {'tcp': '443', 'udp': '443'}, 'network_settings': {'client_ipv6_pool': {'mask': '64'}, 'tunnel_all_dns': 'no'}, 'listen_address': '0.0.0.0'}

{'authentication': {'mode': {'radius': {}}, 'radius': {'server': {'123.123.123.123': {'port': '1812'}, 'port': '1812'}, 'timeout': '2'}, 'local_users': {'username': {'otp': {'otp_length': '6', 'interval': '30', 'token_type': 'hotp-time'}}}}, 'listen_ports': {'tcp': '443', 'udp': '443'}, 'ssl': {'ca_certificate': 'ca-ocserv', 'certificate': 'srv-ocserv'}, 'network_settings': {'client_ipv6_pool': {'mask': '64'}, 'tunnel_all_dns': 'no'}, 'listen_address': '0.0.0.0'}

In the last print there you can see the merged config with the authentication -> radius -> server configs. Formatted so it's easier to read:

'server': {
    '123.123.123.123': {'port': '1812'}, 
    'port': '1812'
},

Here's the relevant part of the Jinja template radius_conf.j2; effectively the "port" key is getting treated as a configured server IP:

{% for srv in server %}
{%     if not "disable" in server[srv] %}
{%         if "port" in server[srv] %}
authserver {{ srv }}:{{ server[srv]["port"] }}
{%         else %}
authserver {{ srv }}
{%         endif %}
{%     endif %}
{% endfor %}

I used the current branch for testing with the print debugging. I have also observed this behaviour in 1.3.x by using the CLI to configure RADIUS auth servers and reading the generated config file at /run/ocserv/radiusclient.conf.

Thanks
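As an added illustration (not code from the report or from vyos-1x), the following stand-alone Python reproduces the merge problem with a simplified stand-in for dict_merge, renders the template loop in Python, and shows a hypothetical merge_with_server_defaults that applies the tag-node default per server instead of as a sibling key. The two dictionaries are constructed from the printed output above, reduced to the authentication -> radius subtree.

```python
import copy

# Constructed from the debug prints in the report (authentication -> radius only).
CLI_RADIUS = {'server': {'123.123.123.123': {'port': '1812'}}}
DEFAULT_RADIUS = {'server': {'port': '1812'}, 'timeout': '2'}

def dict_merge(source, destination):
    """Simplified stand-in for vyos.configdict.dict_merge: keys missing in
    `destination` are filled from `source`, recursively; a copy is returned."""
    result = copy.deepcopy(destination)
    for key, value in source.items():
        if key in result and isinstance(result[key], dict) and isinstance(value, dict):
            result[key] = dict_merge(value, result[key])
        elif key not in result:
            result[key] = copy.deepcopy(value)
    return result

def render_authservers(radius):
    """Python rendering of the radius_conf.j2 loop quoted in the report."""
    lines = []
    for srv, opts in radius['server'].items():
        if 'disable' in opts:          # on the buggy 'port' entry opts is a str
            continue
        if 'port' in opts:
            lines.append(f'authserver {srv}:{opts["port"]}')
        else:
            lines.append(f'authserver {srv}')
    return lines

def buggy_merge(cli_radius, default_radius):
    """The merge as done in get_config(): the default under the tag node
    'server' lands beside the server IPs as a sibling key 'port'."""
    return dict_merge(default_radius, cli_radius)

def merge_with_server_defaults(cli_radius, default_radius):
    """Hypothetical fix: split off the per-server defaults and merge them into
    every configured server entry, so no bare 'port' key is left at that level."""
    defaults = copy.deepcopy(default_radius)
    server_defaults = defaults.pop('server', {})   # e.g. {'port': '1812'}
    merged = dict_merge(defaults, cli_radius)      # non-server defaults only
    for srv in merged.get('server', {}):
        merged['server'][srv] = dict_merge(server_defaults, merged['server'][srv])
    return merged

if __name__ == '__main__':
    print(render_authservers(buggy_merge(CLI_RADIUS, DEFAULT_RADIUS)))
    print(render_authservers(merge_with_server_defaults(CLI_RADIUS, DEFAULT_RADIUS)))
```

The first print shows the stray "authserver port" line from the report; the second shows only the configured server, and a server configured without an explicit port receives the default 1812 in its own entry.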

Details

Version
1.3.x, 1.4.x, current
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

PeppyH created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Bug".
a.apostoliuk changed the task status from Open to In progress. Jan 26 2023, 8:04 AM
a.apostoliuk moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
a.apostoliuk moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.