
Common storage location for accounts for different VPNs
Open, Wishlist, Public, FEATURE REQUEST

Description

For different VPN protocols, local users are described in different places; if one user needs several VPN options, a lot of duplicated information results.
Need to have a common storage location for local users, for example in

vpn remote-access local-users

Maybe this issue can be resolved by integrating a local radius server.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Wishlist priority. May 29 2024, 4:19 PM
Viacheslav subscribed.

It probably cannot be a universal solution due to specific per-user options.
For example, for openconnect, you can add otp if you want on a per-user basis and not do it for other users.

vyos@r4# set vpn openconnect authentication local-users username foo 
Possible completions:
   disable              Disable instance
 > otp                  2FA OTP authentication parameters
   password             Password used for authentication

Another case: a specific client IP address or rate limit

vyos@r4# set vpn sstp authentication local-users username foo 
Possible completions:
   disable              Disable instance
   password             Password for authentication
 > rate-limit           Upload/Download speed limits
   static-ip            Static client IP address (default: *)

Though it could be only for accel-ppp-based configurations (sstp/l2tp/pptp).

Specific per-user options can be ignored if the protocol does not support them.

It is not clear why they should be ignored. If they should be ignored, they must not be in the CLI at all.
Why not use RADIUS authentication for it?

Do I get it wrong? A local RADIUS server seems like overhead here. Are we talking about the local "chap-secrets" file that can be reused by other daemons, or RADIUS?
Please clarify the feature request.

Need a general place to store accounts for VPN; whether it is a local radius server or a chap-secrets file (this option seems simpler and more correct) is not so important.
A separate radius server is another point of failure and a separate infrastructure object. I want to have a boxed solution where everything is available at once.

Definitely not RADIUS; there are containers for such things

Regarding local logins, I see it as a resource-group that could be reused between several daemons/services.
Something like this:

set resource-group username-group <my-users> username user01 password '09078081'
set resource-group username-group <my-users> username user02 password 'fmndskl82'

set service pppoe-server authentication local-users username-group 'my-users'
set vpn l2tp remote-access authentication local-users username-group 'my-users'
set vpn sstp authentication local-users username-group 'my-users'
set vpn openconnect authentication local-users username-group 'my-users'

Looks like what I was talking about
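To make the trade-off discussed in this thread concrete, here is an added example (not VyOS code, not from any of the commenters) that models a shared username-group referenced by several VPN services. The per-service option sets are taken from the completion lists quoted above; the service names, the User/UserGroup classes, the sample users and the chap-secrets rendering are assumptions constructed for this illustration. It shows both positions from the discussion: a strict mode that refuses to commit a group carrying an option the target service cannot honour, and a lenient mode that silently drops it.

```python
"""Added example: a shared 'username-group' for several VPN services.

Everything here is constructed for illustration and is not VyOS's own schema
or implementation: service names, option sets, sample users, command prefixes.
"""
from dataclasses import dataclass, field

# Per-user options each service accepts (assumed; taken from the completion
# lists quoted in the thread, extended to the other accel-ppp services).
SERVICE_OPTIONS = {
    "openconnect": {"password", "disable", "otp"},
    "sstp": {"password", "disable", "rate-limit", "static-ip"},
    "l2tp": {"password", "disable", "rate-limit", "static-ip"},
    "pppoe-server": {"password", "disable", "rate-limit", "static-ip"},
}

# Hypothetical CLI prefixes, modelled on the proposal in the thread.
COMMAND_PREFIX = {
    "openconnect": "vpn openconnect authentication local-users",
    "sstp": "vpn sstp authentication local-users",
    "l2tp": "vpn l2tp remote-access authentication local-users",
    "pppoe-server": "service pppoe-server authentication local-users",
}


@dataclass
class User:
    name: str
    password: str
    options: dict = field(default_factory=dict)  # e.g. {"static-ip": "192.0.2.10"}


@dataclass
class UserGroup:
    name: str
    users: list


def unsupported_options(group, service):
    """Return [(username, option), ...] for options the service cannot honour."""
    allowed = SERVICE_OPTIONS[service]
    return [(u.name, opt) for u in group.users
            for opt in sorted(u.options) if opt not in allowed]


def render_service_commands(group, service, strict=True):
    """Render per-user 'set' commands for one service from the shared group.

    strict=True  -> raise ValueError when a user carries an option the service
                    does not support (the 'must not be in the CLI' position).
    strict=False -> silently drop such options (the 'can be ignored' position).
    """
    bad = unsupported_options(group, service)
    if bad and strict:
        raise ValueError(f"{service}: unsupported per-user options {bad}")
    allowed = SERVICE_OPTIONS[service]
    prefix = COMMAND_PREFIX[service]
    lines = []
    for u in group.users:
        lines.append(f"set {prefix} username {u.name} password '{u.password}'")
        for opt, val in sorted(u.options.items()):
            if opt in allowed:
                lines.append(f"set {prefix} username {u.name} {opt} '{val}'")
    return lines


def render_chap_secrets(group):
    """Render a chap-secrets style table (client, server, secret, IP) that the
    accel-ppp-based services could share; '*' means any server / dynamic IP."""
    rows = [f"{u.name}\t*\t{u.password}\t{u.options.get('static-ip', '*')}"
            for u in group.users]
    return "\n".join(rows) + "\n"


# Constructed sample group: a plain user, one with a static IP, one with OTP.
SAMPLE_GROUP = UserGroup("my-users", [
    User("user01", "09078081"),
    User("user02", "fmndskl82", {"static-ip": "192.0.2.10"}),
    User("user03", "s3cr3t", {"otp": "totp"}),  # only openconnect can use otp
])

if __name__ == "__main__":
    print(render_chap_secrets(SAMPLE_GROUP))
    for svc in SERVICE_OPTIONS:
        print(f"# {svc}: unsupported = {unsupported_options(SAMPLE_GROUP, svc)}")
        for line in render_service_commands(SAMPLE_GROUP, svc, strict=False):
            print(line)
```

With the sample group, sstp rejects user03's otp and openconnect rejects user02's static-ip in strict mode; in lenient mode each service gets the same users with only the options it understands, which is the behaviour the thread argues should either be an explicit commit error or be kept out of the CLI entirely.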