diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2
index 595e3a565..e343ce461 100644
--- a/data/templates/accel-ppp/config_chap_secrets_radius.j2
+++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2
@@ -1,45 +1,58 @@
{% if authentication.mode is vyos_defined('local') %}
[chap-secrets]
chap-secrets={{ chap_secrets_file }}
{% elif authentication.mode is vyos_defined('radius') %}
[radius]
verbose=1
{% for server, options in authentication.radius.server.items() if not options.disable is vyos_defined %}
-server={{ server }},{{ options.key }},auth-port={{ options.port }},acct-port={{ options.acct_port }},req-limit=0,fail-time={{ options.fail_time }}
+{% set _server_cfg = "server=" %}
+{% set _server_cfg = _server_cfg + server %}
+{% set _server_cfg = _server_cfg + "," + options.key %}
+{% set _server_cfg = _server_cfg + ",auth-port=" + options.port %}
+{% set _server_cfg = _server_cfg + ",acct-port=" + options.acct_port %}
+{% set _server_cfg = _server_cfg + ",req-limit=0" %}
+{% set _server_cfg = _server_cfg + ",fail-time=" + options.fail_time %}
+{% if options.priority is vyos_defined %}
+{% set _server_cfg = _server_cfg + ",weight=" + options.priority %}
+{% endif %}
+{% if options.backup is vyos_defined %}
+{% set _server_cfg = _server_cfg + ",backup" %}
+{% endif %}
+{{ _server_cfg }}
{% endfor %}
{% if authentication.radius.accounting_interim_interval is vyos_defined %}
acct-interim-interval={{ authentication.radius.accounting_interim_interval }}
{% endif %}
{% if authentication.radius.acct_interim_jitter is vyos_defined %}
acct-interim-jitter={{ authentication.radius.acct_interim_jitter }}
{% endif %}
acct-timeout={{ authentication.radius.acct_timeout }}
timeout={{ authentication.radius.timeout }}
max-try={{ authentication.radius.max_try }}
{% if authentication.radius.nas_identifier is vyos_defined %}
nas-identifier={{ authentication.radius.nas_identifier }}
{% endif %}
{% if authentication.radius.nas_ip_address is vyos_defined %}
nas-ip-address={{ authentication.radius.nas_ip_address }}
{% endif %}
{% if authentication.radius.source_address is vyos_defined %}
bind={{ authentication.radius.source_address }}
{% endif %}
{% if authentication.radius.dynamic_author.server is vyos_defined %}
dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.radius.dynamic_author.port }},{{ authentication.radius.dynamic_author.key }}
{% endif %}
{% endif %}
{# Both chap-secrets and radius block required the gw-ip-address #}
{% if authentication.mode is vyos_defined('local') or authentication.mode is vyos_defined('radius') %}
{% if gateway_address is vyos_defined %}
{% if server_type == 'ipoe' %}
{% for gw in gateway_address %}
{% set host_address, _ = gw.split('/') %}
gw-ip-address={{ host_address }}
{% endfor %}
{% else %}
gw-ip-address={{ gateway_address }}
{% endif %}
{% endif %}
{% endif %}
diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i
index 3c2eb09eb..5222ba864 100644
--- a/interface-definitions/include/accel-ppp/radius-additions.xml.i
+++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i
@@ -1,151 +1,158 @@
<!-- include start from accel-ppp/radius-additions.xml.i -->
<node name="radius">
<children>
<leafNode name="accounting-interim-interval">
<properties>
<help>Interval in seconds to send accounting information</help>
<valueHelp>
<format>u32:1-3600</format>
<description>Interval in seconds to send accounting information</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-3600"/>
</constraint>
<constraintErrorMessage>Interval value must be between 1 and 3600 seconds</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="acct-interim-jitter">
<properties>
<help>Maximum jitter value in seconds to be applied to accounting information interval</help>
<valueHelp>
<format>u32:1-60</format>
<description>Maximum jitter value in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-60"/>
</constraint>
<constraintErrorMessage>Jitter value must be between 1 and 60 seconds</constraintErrorMessage>
</properties>
</leafNode>
<tagNode name="server">
<children>
<leafNode name="acct-port">
<properties>
<help>Accounting port</help>
<valueHelp>
<format>u32:1-65535</format>
<description>Numeric IP port</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
<defaultValue>1813</defaultValue>
</leafNode>
#include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
<leafNode name="fail-time">
<properties>
<help>Mark server unavailable for <n> seconds on failure</help>
<valueHelp>
<format>u32:0-600</format>
<description>Fail time penalty</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-600"/>
</constraint>
<constraintErrorMessage>Fail time must be between 0 and 600 seconds</constraintErrorMessage>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
+ #include <include/radius-priority.xml.i>
+ <leafNode name="backup">
+ <properties>
+ <help>Use backup server if other servers are not available</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</tagNode>
<leafNode name="timeout">
<properties>
<help>Timeout in seconds to wait response from RADIUS server</help>
<valueHelp>
<format>u32:1-60</format>
<description>Timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-60"/>
</constraint>
<constraintErrorMessage>Timeout must be between 1 and 60 seconds</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="acct-timeout">
<properties>
<help>Timeout for Interim-Update packets, terminate session afterwards</help>
<valueHelp>
<format>u32:0-60</format>
<description>Timeout in seconds, 0 to keep active</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60"/>
</constraint>
<constraintErrorMessage>Timeout must be between 0 and 60 seconds</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="max-try">
<properties>
<help>Number of tries to send Access-Request/Accounting-Request queries</help>
<valueHelp>
<format>u32:1-20</format>
<description>Maximum tries</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-20"/>
</constraint>
<constraintErrorMessage>Maximum tries must be between 1 and 20</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
#include <include/radius-nas-identifier.xml.i>
#include <include/radius-nas-ip-address.xml.i>
<leafNode name="preallocate-vif">
<properties>
<help>Enable attribute NAS-Port-Id in Access-Request</help>
<valueless/>
</properties>
</leafNode>
<node name="dynamic-author">
<properties>
<help>Dynamic Authorization Extension/Change of Authorization server</help>
</properties>
<children>
<leafNode name="server">
<properties>
<help>IP address for Dynamic Authorization Extension server (DM/CoA)</help>
<constraint>
<validator name="ipv4-address"/>
</constraint>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address for dynamic authorization server</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="port">
<properties>
<help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
<valueHelp>
<format>u32:1-65535</format>
<description>TCP port</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
<defaultValue>1700</defaultValue>
</leafNode>
<leafNode name="key">
<properties>
<help>Shared secret for Dynamic Authorization Extension server</help>
</properties>
</leafNode>
</children>
</node>
</children>
</node>
<!-- include end -->
diff --git a/interface-definitions/include/radius-priority.xml.i b/interface-definitions/include/radius-priority.xml.i
new file mode 100644
index 000000000..f77f5016e
--- /dev/null
+++ b/interface-definitions/include/radius-priority.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from radius-priority.xml.i -->
+<leafNode name="priority">
+ <properties>
+ <help>Server priority</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Server priority</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
index a59f54005..dd26b00ef 100644
--- a/interface-definitions/system_login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -1,303 +1,294 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="system">
<children>
<node name="login" owner="${vyos_conf_scripts_dir}/system_login.py">
<properties>
<help>System User Login Configuration</help>
<priority>400</priority>
</properties>
<children>
<tagNode name="user">
<properties>
<help>Local user account information</help>
<constraint>
#include <include/constraint/login-username.xml.i>
</constraint>
<constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage>
</properties>
<children>
<node name="authentication">
<properties>
<help>Authentication settings</help>
</properties>
<children>
<leafNode name="encrypted-password">
<properties>
<help>Encrypted password</help>
<constraint>
<regex>(\*|\!)</regex>
<regex>[a-zA-Z0-9\.\/]{13}</regex>
<regex>\$1\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{22}</regex>
<regex>\$5\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{43}</regex>
<regex>\$6\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{86}</regex>
</constraint>
<constraintErrorMessage>Invalid encrypted password for $VAR(../../@).</constraintErrorMessage>
</properties>
<defaultValue>!</defaultValue>
</leafNode>
<node name="otp">
<properties>
<help>One-Time-Pad (two-factor) authentication parameters</help>
</properties>
<children>
<leafNode name="rate-limit">
<properties>
<help>Limit number of logins (rate-limit) per rate-time</help>
<valueHelp>
<format>u32:1-10</format>
<description>Number of attempts</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-10"/>
</constraint>
<constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="rate-time">
<properties>
<help>Limit number of logins (rate-limit) per rate-time</help>
<valueHelp>
<format>u32:15-600</format>
<description>Time interval</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 15-600"/>
</constraint>
<constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage>
</properties>
<defaultValue>30</defaultValue>
</leafNode>
<leafNode name="window-size">
<properties>
<help>Set window of concurrently valid codes</help>
<valueHelp>
<format>u32:1-21</format>
<description>Window size</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21"/>
</constraint>
<constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="key">
<properties>
<help>Key/secret the token algorithm (see RFC4226)</help>
<valueHelp>
<format>txt</format>
<description>Base32 encoded key/token</description>
</valueHelp>
<constraint>
<regex>[a-zA-Z2-7]{26,10000}</regex>
</constraint>
<constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage>
</properties>
</leafNode>
</children>
</node>
<leafNode name="plaintext-password">
<properties>
<help>Plaintext password used for encryption</help>
</properties>
</leafNode>
<tagNode name="public-keys">
<properties>
<help>Remote access public keys</help>
<valueHelp>
<format>txt</format>
<description>Key identifier used by ssh-keygen (usually of form user@host)</description>
</valueHelp>
</properties>
<children>
<leafNode name="key">
<properties>
<help>Public key value (Base64 encoded)</help>
<constraint>
<validator name="base64"/>
</constraint>
</properties>
</leafNode>
<leafNode name="options">
<properties>
<help>Optional public key options</help>
</properties>
</leafNode>
<leafNode name="type">
<properties>
<help>SSH public key type</help>
<completionHelp>
<list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com</list>
</completionHelp>
<valueHelp>
<format>ssh-dss</format>
<description>Digital Signature Algorithm (DSA) key support</description>
</valueHelp>
<valueHelp>
<format>ssh-rsa</format>
<description>Key pair based on RSA algorithm</description>
</valueHelp>
<valueHelp>
<format>ecdsa-sha2-nistp256</format>
<description>Elliptic Curve DSA with NIST P-256 curve</description>
</valueHelp>
<valueHelp>
<format>ecdsa-sha2-nistp384</format>
<description>Elliptic Curve DSA with NIST P-384 curve</description>
</valueHelp>
<valueHelp>
<format>ecdsa-sha2-nistp521</format>
<description>Elliptic Curve DSA with NIST P-521 curve</description>
</valueHelp>
<valueHelp>
<format>ssh-ed25519</format>
<description>Edwards-curve DSA with elliptic curve 25519</description>
</valueHelp>
<valueHelp>
<format>sk-ecdsa-sha2-nistp256@openssh.com</format>
<description>Elliptic Curve DSA security key</description>
</valueHelp>
<valueHelp>
<format>sk-ssh-ed25519@openssh.com</format>
<description>Elliptic curve 25519 security key</description>
</valueHelp>
<constraint>
<regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)</regex>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
</children>
</node>
#include <include/generic-disable-node.xml.i>
<leafNode name="full-name">
<properties>
<help>Full name of the user (use quotes for names with spaces)</help>
<constraint>
<regex>[^:]*</regex>
</constraint>
<constraintErrorMessage>Cannot use ':' in full name</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="home-directory">
<properties>
<help>Home directory</help>
<valueHelp>
<format>txt</format>
<description>Path to home directory</description>
</valueHelp>
<constraint>
<regex>\/$|(\/[a-zA-Z_0-9-.]+)+</regex>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
#include <include/radius-server-ipv4-ipv6.xml.i>
<node name="radius">
<children>
<tagNode name="server">
<children>
#include <include/radius-timeout.xml.i>
+ #include <include/radius-priority.xml.i>
<leafNode name="priority">
- <properties>
- <help>Server priority</help>
- <valueHelp>
- <format>u32:1-255</format>
- <description>Server priority</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-255"/>
- </constraint>
- </properties>
<defaultValue>255</defaultValue>
</leafNode>
</children>
</tagNode>
#include <include/interface/vrf.xml.i>
</children>
</node>
<node name="tacacs">
<properties>
<help>TACACS+ based user authentication</help>
</properties>
<children>
<tagNode name="server">
<properties>
<help>TACACS+ server configuration</help>
<valueHelp>
<format>ipv4</format>
<description>TACACS+ server IPv4 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
</constraint>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
#include <include/radius-server-key.xml.i>
#include <include/port-number.xml.i>
<leafNode name="port">
<defaultValue>49</defaultValue>
</leafNode>
</children>
</tagNode>
<leafNode name="security-mode">
<properties>
<help>Security mode for TACACS+ authentication</help>
<completionHelp>
<list>mandatory optional</list>
</completionHelp>
<valueHelp>
<format>mandatory</format>
<description>Deny access immediately if TACACS+ answers with REJECT</description>
</valueHelp>
<valueHelp>
<format>optional</format>
<description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
</valueHelp>
<constraint>
<regex>(mandatory|optional)</regex>
</constraint>
</properties>
<defaultValue>optional</defaultValue>
</leafNode>
#include <include/source-address-ipv4.xml.i>
#include <include/radius-timeout.xml.i>
#include <include/interface/vrf.xml.i>
</children>
</node>
<leafNode name="max-login-session">
<properties>
<help>Maximum number of all login sessions</help>
<valueHelp>
<format>u32:1-65536</format>
<description>Maximum number of all login sessions</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65536"/>
</constraint>
<constraintErrorMessage>Maximum logins must be between 1 and 65536</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="timeout">
<properties>
<help>Session timeout</help>
<valueHelp>
<format>u32:5-604800</format>
<description>Session timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 5-604800"/>
</constraint>
<constraintErrorMessage>Timeout must be between 5 and 604800 seconds</constraintErrorMessage>
</properties>
</leafNode>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/base_accel_ppp_test.py b/smoketest/scripts/cli/base_accel_ppp_test.py
index 383adc445..ab723e707 100644
--- a/smoketest/scripts/cli/base_accel_ppp_test.py
+++ b/smoketest/scripts/cli/base_accel_ppp_test.py
@@ -1,607 +1,630 @@
# Copyright (C) 2020-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re
from base_vyostest_shim import VyOSUnitTestSHIM
from configparser import ConfigParser
from vyos.configsession import ConfigSessionError
from vyos.template import is_ipv4
from vyos.cpu import get_core_count
from vyos.utils.process import process_named_running
from vyos.utils.process import cmd
class BasicAccelPPPTest:
class TestCase(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
cls._process_name = "accel-pppd"
super(BasicAccelPPPTest.TestCase, cls).setUpClass()
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, cls._base_path)
def setUp(self):
self._gateway = "192.0.2.1"
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
self.cli_delete(self._base_path)
def tearDown(self):
# Check for running process
self.assertTrue(process_named_running(self._process_name))
self.cli_delete(self._base_path)
self.cli_commit()
# Check for running process
self.assertFalse(process_named_running(self._process_name))
def set(self, path):
self.cli_set(self._base_path + path)
def delete(self, path):
self.cli_delete(self._base_path + path)
def basic_protocol_specific_config(self):
"""
An astract method.
Initialize protocol scpecific configureations.
"""
self.assertFalse(True, msg="Function must be defined")
def initial_auth_config(self):
"""
Initialization of default authentication for all protocols
"""
self.set(
[
"authentication",
"local-users",
"username",
"vyos",
"password",
"vyos",
]
)
self.set(["authentication", "mode", "local"])
def initial_gateway_config(self):
"""
Initialization of default gateway
"""
self.set(["gateway-address", self._gateway])
def initial_pool_config(self):
"""
Initialization of default client ip pool
"""
first_pool = "SIMPLE-POOL"
self.set(["client-ip-pool", first_pool, "range", "192.0.2.0/24"])
self.set(["default-pool", first_pool])
def basic_config(self, is_auth=True, is_gateway=True, is_client_pool=True):
"""
Initialization of basic configuration
:param is_auth: authentication initialization
:type is_auth: bool
:param is_gateway: gateway initialization
:type is_gateway: bool
:param is_client_pool: client ip pool initialization
:type is_client_pool: bool
"""
self.basic_protocol_specific_config()
if is_auth:
self.initial_auth_config()
if is_gateway:
self.initial_gateway_config()
if is_client_pool:
self.initial_pool_config()
def getConfig(self, start, end="cli"):
"""
Return part of configuration from line
where the first injection of start keyword to the line
where the first injection of end keyowrd
:param start: start keyword
:type start: str
:param end: end keyword
:type end: str
:return: part of config
:rtype: str
"""
command = f'cat {self._config_file} | sed -n "/^\[{start}/,/^\[{end}/p"'
out = cmd(command)
return out
def verify(self, conf):
self.assertEqual(conf["core"]["thread-count"], str(get_core_count()))
def test_accel_name_servers(self):
# Verify proper Name-Server configuration for IPv4 and IPv6
self.basic_config()
nameserver = ["192.0.2.1", "192.0.2.2", "2001:db8::1"]
for ns in nameserver:
self.set(["name-server", ns])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
# IPv4 and IPv6 nameservers must be checked individually
for ns in nameserver:
if is_ipv4(ns):
self.assertIn(ns, [conf["dns"]["dns1"], conf["dns"]["dns2"]])
else:
self.assertEqual(conf["ipv6-dns"][ns], None)
def test_accel_local_authentication(self):
# Test configuration of local authentication
self.basic_config()
# upload / download limit
user = "test"
password = "test2"
static_ip = "100.100.100.101"
upload = "5000"
download = "10000"
self.set(
[
"authentication",
"local-users",
"username",
user,
"password",
password,
]
)
self.set(
[
"authentication",
"local-users",
"username",
user,
"static-ip",
static_ip,
]
)
self.set(
[
"authentication",
"local-users",
"username",
user,
"rate-limit",
"upload",
upload,
]
)
# upload rate-limit requires also download rate-limit
with self.assertRaises(ConfigSessionError):
self.cli_commit()
self.set(
[
"authentication",
"local-users",
"username",
user,
"rate-limit",
"download",
download,
]
)
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
# check proper path to chap-secrets file
self.assertEqual(conf["chap-secrets"]["chap-secrets"], self._chap_secrets)
# basic verification
self.verify(conf)
# check local users
tmp = cmd(f"sudo cat {self._chap_secrets}")
regex = f"{user}\s+\*\s+{password}\s+{static_ip}\s+{download}/{upload}"
tmp = re.findall(regex, tmp)
self.assertTrue(tmp)
# Check local-users default value(s)
self.delete(
["authentication", "local-users", "username", user, "static-ip"]
)
# commit changes
self.cli_commit()
# check local users
tmp = cmd(f"sudo cat {self._chap_secrets}")
regex = f"{user}\s+\*\s+{password}\s+\*\s+{download}/{upload}"
tmp = re.findall(regex, tmp)
self.assertTrue(tmp)
def test_accel_radius_authentication(self):
# Test configuration of RADIUS authentication for PPPoE server
self.basic_config()
radius_server = "192.0.2.22"
radius_key = "secretVyOS"
radius_port = "2000"
radius_port_acc = "3000"
acct_interim_jitter = '10'
acct_interim_interval = '10'
acct_timeout = '30'
self.set(["authentication", "mode", "radius"])
self.set(
["authentication", "radius", "server", radius_server, "key", radius_key]
)
self.set(
[
"authentication",
"radius",
"server",
radius_server,
"port",
radius_port,
]
)
self.set(
[
"authentication",
"radius",
"server",
radius_server,
"acct-port",
radius_port_acc,
]
)
self.set(
[
"authentication",
"radius",
"acct-interim-jitter",
acct_interim_jitter,
]
)
self.set(
[
"authentication",
"radius",
"accounting-interim-interval",
acct_interim_interval,
]
)
self.set(
[
"authentication",
"radius",
"acct-timeout",
acct_timeout,
]
)
coa_server = "4.4.4.4"
coa_key = "testCoA"
self.set(
["authentication", "radius", "dynamic-author", "server", coa_server]
)
self.set(["authentication", "radius", "dynamic-author", "key", coa_key])
nas_id = "VyOS-PPPoE"
nas_ip = "7.7.7.7"
self.set(["authentication", "radius", "nas-identifier", nas_id])
self.set(["authentication", "radius", "nas-ip-address", nas_ip])
source_address = "1.2.3.4"
self.set(["authentication", "radius", "source-address", source_address])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
# basic verification
self.verify(conf)
# check auth
self.assertTrue(conf["radius"].getboolean("verbose"))
self.assertEqual(conf["radius"]["acct-timeout"], acct_timeout)
self.assertEqual(conf["radius"]["acct-interim-interval"], acct_interim_interval)
self.assertEqual(conf["radius"]["acct-interim-jitter"], acct_interim_jitter)
self.assertEqual(conf["radius"]["timeout"], "3")
self.assertEqual(conf["radius"]["max-try"], "3")
self.assertEqual(
conf["radius"]["dae-server"], f"{coa_server}:1700,{coa_key}"
)
self.assertEqual(conf["radius"]["nas-identifier"], nas_id)
self.assertEqual(conf["radius"]["nas-ip-address"], nas_ip)
self.assertEqual(conf["radius"]["bind"], source_address)
server = conf["radius"]["server"].split(",")
self.assertEqual(radius_server, server[0])
self.assertEqual(radius_key, server[1])
self.assertEqual(f"auth-port={radius_port}", server[2])
self.assertEqual(f"acct-port={radius_port_acc}", server[3])
self.assertEqual(f"req-limit=0", server[4])
self.assertEqual(f"fail-time=0", server[5])
#
# Disable Radius Accounting
#
self.delete(
["authentication", "radius", "server", radius_server, "acct-port"]
)
self.set(
[
"authentication",
"radius",
"server",
radius_server,
"disable-accounting",
]
)
+ self.set(
+ [
+ "authentication",
+ "radius",
+ "server",
+ radius_server,
+ "backup",
+ ]
+ )
+
+ self.set(
+ [
+ "authentication",
+ "radius",
+ "server",
+ radius_server,
+ "priority",
+ "10",
+ ]
+ )
+
# commit changes
self.cli_commit()
conf.read(self._config_file)
server = conf["radius"]["server"].split(",")
self.assertEqual(radius_server, server[0])
self.assertEqual(radius_key, server[1])
self.assertEqual(f"auth-port={radius_port}", server[2])
self.assertEqual(f"acct-port=0", server[3])
self.assertEqual(f"req-limit=0", server[4])
self.assertEqual(f"fail-time=0", server[5])
+ self.assertIn('weight=10', server)
+ self.assertIn('backup', server)
def test_accel_ipv4_pool(self):
self.basic_config(is_gateway=False, is_client_pool=False)
gateway = "192.0.2.1"
subnet = "172.16.0.0/24"
first_pool = "POOL1"
second_pool = "POOL2"
range = "192.0.2.10-192.0.2.20"
range_config = "192.0.2.10-20"
self.set(["gateway-address", gateway])
self.set(["client-ip-pool", first_pool, "range", subnet])
self.set(["client-ip-pool", first_pool, "next-pool", second_pool])
self.set(["client-ip-pool", second_pool, "range", range])
self.set(["default-pool", first_pool])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
self.assertEqual(
f"{first_pool},next={second_pool}", conf["ip-pool"][f"{subnet},name"]
)
self.assertEqual(second_pool, conf["ip-pool"][f"{range_config},name"])
self.assertEqual(gateway, conf["ip-pool"]["gw-ip-address"])
self.assertEqual(first_pool, conf[self._protocol_section]["ip-pool"])
def test_accel_next_pool(self):
# T5099 required specific order
self.basic_config(is_gateway=False, is_client_pool=False)
gateway = "192.0.2.1"
first_pool = "VyOS-pool1"
first_subnet = "192.0.2.0/25"
second_pool = "Vyos-pool2"
second_subnet = "203.0.113.0/25"
third_pool = "Vyos-pool3"
third_subnet = "198.51.100.0/24"
self.set(["gateway-address", gateway])
self.set(["client-ip-pool", first_pool, "range", first_subnet])
self.set(["client-ip-pool", first_pool, "next-pool", second_pool])
self.set(["client-ip-pool", second_pool, "range", second_subnet])
self.set(["client-ip-pool", second_pool, "next-pool", third_pool])
self.set(["client-ip-pool", third_pool, "range", third_subnet])
# commit changes
self.cli_commit()
config = self.getConfig("ip-pool")
pool_config = f"""gw-ip-address={gateway}
{third_subnet},name={third_pool}
{second_subnet},name={second_pool},next={third_pool}
{first_subnet},name={first_pool},next={second_pool}"""
self.assertIn(pool_config, config)
def test_accel_ipv6_pool(self):
# Test configuration of IPv6 client pools
self.basic_config(is_gateway=False, is_client_pool=False)
# Enable IPv6
allow_ipv6 = 'allow'
self.set(['ppp-options', 'ipv6', allow_ipv6])
pool_name = 'ipv6_test_pool'
prefix_1 = '2001:db8:fffe::/56'
prefix_mask = '64'
prefix_2 = '2001:db8:ffff::/56'
client_prefix_1 = f'{prefix_1},{prefix_mask}'
client_prefix_2 = f'{prefix_2},{prefix_mask}'
self.set(
['client-ipv6-pool', pool_name, 'prefix', prefix_1, 'mask',
prefix_mask])
self.set(
['client-ipv6-pool', pool_name, 'prefix', prefix_2, 'mask',
prefix_mask])
delegate_1_prefix = '2001:db8:fff1::/56'
delegate_2_prefix = '2001:db8:fff2::/56'
delegate_mask = '64'
self.set(
['client-ipv6-pool', pool_name, 'delegate', delegate_1_prefix,
'delegation-prefix', delegate_mask])
self.set(
['client-ipv6-pool', pool_name, 'delegate', delegate_2_prefix,
'delegation-prefix', delegate_mask])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters='=',
strict=False)
conf.read(self._config_file)
for tmp in ['ipv6pool', 'ipv6_nd', 'ipv6_dhcp']:
self.assertEqual(conf['modules'][tmp], None)
self.assertEqual(conf['ppp']['ipv6'], allow_ipv6)
config = self.getConfig("ipv6-pool")
pool_config = f"""{client_prefix_1},name={pool_name}
{client_prefix_2},name={pool_name}
delegate={delegate_1_prefix},{delegate_mask},name={pool_name}
delegate={delegate_2_prefix},{delegate_mask},name={pool_name}"""
self.assertIn(pool_config, config)
def test_accel_ppp_options(self):
# Test configuration of local authentication for PPPoE server
self.basic_config()
# other settings
mppe = 'require'
self.set(['ppp-options', 'disable-ccp'])
self.set(['ppp-options', 'mppe', mppe])
# min-mtu
min_mtu = '1400'
self.set(['ppp-options', 'min-mtu', min_mtu])
# mru
mru = '9000'
self.set(['ppp-options', 'mru', mru])
# interface-cache
interface_cache = '128000'
self.set(['ppp-options', 'interface-cache', interface_cache])
# ipv6
allow_ipv6 = 'allow'
allow_ipv4 = 'require'
random = 'random'
lcp_failure = '4'
lcp_interval = '40'
lcp_timeout = '100'
self.set(['ppp-options', 'ipv4', allow_ipv4])
self.set(['ppp-options', 'ipv6', allow_ipv6])
self.set(['ppp-options', 'ipv6-interface-id', random])
self.set(['ppp-options', 'ipv6-accept-peer-interface-id'])
self.set(['ppp-options', 'ipv6-peer-interface-id', random])
self.set(['ppp-options', 'lcp-echo-failure', lcp_failure])
self.set(['ppp-options', 'lcp-echo-interval', lcp_interval])
self.set(['ppp-options', 'lcp-echo-timeout', lcp_timeout])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters='=')
conf.read(self._config_file)
self.assertEqual(conf['chap-secrets']['gw-ip-address'], self._gateway)
# check ppp
self.assertEqual(conf['ppp']['mppe'], mppe)
self.assertEqual(conf['ppp']['min-mtu'], min_mtu)
self.assertEqual(conf['ppp']['mru'], mru)
self.assertEqual(conf['ppp']['ccp'],'0')
# check interface-cache
self.assertEqual(conf['ppp']['unit-cache'], interface_cache)
#check ipv6
for tmp in ['ipv6pool', 'ipv6_nd', 'ipv6_dhcp']:
self.assertEqual(conf['modules'][tmp], None)
self.assertEqual(conf['ppp']['ipv6'], allow_ipv6)
self.assertEqual(conf['ppp']['ipv6-intf-id'], random)
self.assertEqual(conf['ppp']['ipv6-peer-intf-id'], random)
self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id'))
self.assertEqual(conf['ppp']['lcp-echo-failure'], lcp_failure)
self.assertEqual(conf['ppp']['lcp-echo-interval'], lcp_interval)
self.assertEqual(conf['ppp']['lcp-echo-timeout'], lcp_timeout)
def test_accel_wins_server(self):
self.basic_config()
winsservers = ["192.0.2.1", "192.0.2.2"]
for wins in winsservers:
self.set(["wins-server", wins])
self.cli_commit()
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
for ws in winsservers:
self.assertIn(ws, [conf["wins"]["wins1"], conf["wins"]["wins2"]])
def test_accel_snmp(self):
self.basic_config()
self.set(['snmp', 'master-agent'])
self.cli_commit()
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
self.assertEqual(conf['modules']['net-snmp'], None)
self.assertEqual(conf['snmp']['master'],'1')
def test_accel_shaper(self):
self.basic_config()
fwmark = '2'
self.set(['shaper', 'fwmark', fwmark])
self.cli_commit()
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
self.assertEqual(conf['modules']['shaper'], None)
self.assertEqual(conf['shaper']['verbose'], '1')
self.assertEqual(conf['shaper']['down-limiter'], 'tbf')
self.assertEqual(conf['shaper']['fwmark'], fwmark)
def test_accel_limits(self):
self.basic_config()
burst = '100'
timeout = '20'
limits = '1/min'
self.set(['limits', 'connection-limit', limits])
self.set(['limits', 'timeout', timeout])
self.set(['limits', 'burst', burst])
self.cli_commit()
conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
conf.read(self._config_file)
self.assertEqual(conf['modules']['connlimit'], None)
self.assertEqual(conf['connlimit']['limit'], limits)
self.assertEqual(conf['connlimit']['burst'], burst)
self.assertEqual(conf['connlimit']['timeout'], timeout)
diff --git a/smoketest/scripts/cli/test_vpn_l2tp.py b/smoketest/scripts/cli/test_vpn_l2tp.py
index 8c4e53895..07a7e2906 100755
--- a/smoketest/scripts/cli/test_vpn_l2tp.py
+++ b/smoketest/scripts/cli/test_vpn_l2tp.py
@@ -1,100 +1,123 @@
#!/usr/bin/env python3
#
# Copyright (C) 2023-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from base_accel_ppp_test import BasicAccelPPPTest
from configparser import ConfigParser
from vyos.utils.process import cmd
class TestVPNL2TPServer(BasicAccelPPPTest.TestCase):
@classmethod
def setUpClass(cls):
cls._base_path = ['vpn', 'l2tp', 'remote-access']
cls._config_file = '/run/accel-pppd/l2tp.conf'
cls._chap_secrets = '/run/accel-pppd/l2tp.chap-secrets'
cls._protocol_section = 'l2tp'
# call base-classes classmethod
super(TestVPNL2TPServer, cls).setUpClass()
@classmethod
def tearDownClass(cls):
super(TestVPNL2TPServer, cls).tearDownClass()
def basic_protocol_specific_config(self):
pass
def test_l2tp_server_authentication_protocols(self):
# Test configuration of local authentication protocols
self.basic_config()
# explicitly test mschap-v2 - no special reason
self.set( ['authentication', 'protocols', 'mschap-v2'])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True)
conf.read(self._config_file)
self.assertEqual(conf['modules']['auth_mschap_v2'], None)
def test_vpn_l2tp_dependence_ipsec_swanctl(self):
# Test config vpn for tasks T3843 and T5926
base_path = ['vpn', 'l2tp', 'remote-access']
# make precondition
self.cli_set(['interfaces', 'dummy', 'dum0', 'address', '203.0.113.1/32'])
self.cli_set(['vpn', 'ipsec', 'interface', 'dum0'])
self.cli_commit()
# check ipsec apply to swanctl
self.assertEqual('', cmd('echo vyos | sudo -S swanctl -L '))
self.cli_set(base_path + ['authentication', 'local-users', 'username', 'foo', 'password', 'bar'])
self.cli_set(base_path + ['authentication', 'mode', 'local'])
self.cli_set(base_path + ['authentication', 'protocols', 'chap'])
self.cli_set(base_path + ['client-ip-pool', 'first', 'range', '10.200.100.100-10.200.100.110'])
self.cli_set(base_path + ['description', 'VPN - REMOTE'])
self.cli_set(base_path + ['name-server', '1.1.1.1'])
self.cli_set(base_path + ['ipsec-settings', 'authentication', 'mode', 'pre-shared-secret'])
self.cli_set(base_path + ['ipsec-settings', 'authentication', 'pre-shared-secret', 'SeCret'])
self.cli_set(base_path + ['ipsec-settings', 'ike-lifetime', '8600'])
self.cli_set(base_path + ['ipsec-settings', 'lifetime', '3600'])
self.cli_set(base_path + ['outside-address', '203.0.113.1'])
self.cli_set(base_path + ['gateway-address', '203.0.113.1'])
self.cli_commit()
# check l2tp apply to swanctl
self.assertTrue('l2tp_remote_access:' in cmd('echo vyos | sudo -S swanctl -L '))
self.cli_delete(['vpn', 'l2tp'])
self.cli_commit()
# check l2tp apply to swanctl after delete config
self.assertEqual('', cmd('echo vyos | sudo -S swanctl -L '))
# need to correct tearDown test
self.basic_config()
self.cli_set(base_path + ['authentication', 'protocols', 'chap'])
self.cli_commit()
+ def test_l2tp_radius_server(self):
+ base_path = ['vpn', 'l2tp', 'remote-access']
+ radius_server = "192.0.2.22"
+ radius_key = "secretVyOS"
+
+ self.cli_set(base_path + ['authentication', 'mode', 'radius'])
+ self.cli_set(base_path + ['gateway-address', '192.0.2.1'])
+ self.cli_set(base_path + ['client-ip-pool', 'SIMPLE-POOL', 'range', '192.0.2.0/24'])
+ self.cli_set(base_path + ['default-pool', 'SIMPLE-POOL'])
+ self.cli_set(base_path + ['authentication', 'radius', 'server', radius_server, 'key', radius_key])
+ self.cli_set(base_path + ['authentication', 'radius', 'server', radius_server, 'priority', '10'])
+ self.cli_set(base_path + ['authentication', 'radius', 'server', radius_server, 'backup'])
+
+ # commit changes
+ self.cli_commit()
+
+ # Validate configuration values
+ conf = ConfigParser(allow_no_value=True)
+ conf.read(self._config_file)
+ server = conf["radius"]["server"].split(",")
+ self.assertIn('weight=10', server)
+ self.assertIn('backup', server)
+
if __name__ == '__main__':
unittest.main(verbosity=2)