VPN: IPsec: Connections - remote authentication. Add support for radi…

…us class groups. closes #6826

Add groups attribute to remote auth, to avoid random input hook the names to our local account management and require the user to create a local group first, which is similar to other areas of our system. We don't have to store the membership in this case in our local user db.

Only enable "class_group" attribute when there is at least one enabled connection using these groups.

src/etc/inc/plugins.inc.d/ipsec.inc

@@ -1061,7 +1061,8 @@ function ipsec_write_strongswan_conf()
     if (empty($radius_auth_servers) && !empty($a_client['radius_source'])) {
         $radius_auth_servers = $a_client['radius_source'];
     }
-    if ((isset($a_client['enable']) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) && !empty($radius_auth_servers)) {
+    $mdl = new \OPNsense\IPsec\Swanctl();
+    if ((isset($a_client['enable']) || $mdl->isEnabled()) && !empty($radius_auth_servers)) {
         $disable_xauth = true; // disable Xauth when radius is used.
         $strongswanTree['charon']['plugins']['eap-radius'] = [];
         $strongswanTree['charon']['plugins']['eap-radius']['servers'] = [];
@@ -1090,6 +1091,9 @@ function ipsec_write_strongswan_conf()
         if ($radius_accounting_enabled) {
             $strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes';
         }
+        if ($mdl->radiusUsesGroups()) {
+            $strongswanTree['charon']['plugins']['eap-radius']['class_group'] = 'yes';
+        }
     }
     if ((isset($a_client['enable']) && !$disable_xauth) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) {
         $strongswanTree['charon']['plugins']['xauth-pam'] = [

src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogRemote.xml

@@ -41,6 +41,13 @@
         <help>Client EAP-Identity to use in EAP-Identity exchange and the EAP method. If set to %any the EAP-Identity method will be used to ask the client for an EAP identity.</help>
         <style>remote_auth remote_auth_eap-mschapv2 remote_auth_eap-tls remote_auth_eap-radius</style>
     </field>
+    <field>
+        <id>remote.groups</id>
+        <label>Groups</label>
+        <type>select_multiple</type>
+        <help>List of group memberships to require. The client must prove membership to at least one of the specified groups.</help>
+        <style>selectpicker remote_auth remote_auth_eap-radius</style>
+    </field>
     <field>
       <id>remote.certs</id>
       <label>Certificates</label>

src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php

@@ -301,4 +301,25 @@ public function getUsedCertrefs()
         }
         return $certrefs;
     }
+
+    /**
+     * @return bool is there at least one connection using radius groups?
+     */
+    public function radiusUsesGroups()
+    {
+        foreach ($this->remotes->iterateRecursiveItems() as $node) {
+            if ($node->getInternalXMLTagName() == 'auth' && (string)$node == 'eap-radius') {
+                $auth = $node->getParentNode();
+                $connid = (string)$auth->connection;
+                if (
+                    !empty((string)$auth->groups) &&
+                    isset($this->Connections->Connection->$connid) &&
+                    !empty((string)$this->Connections->Connection->$connid->enabled)
+                ) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
 }

src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml

@@ -200,6 +200,9 @@
                 <eap_id type="TextField">
                     <Mask>/^([0-9a-zA-Z\.\-,_\:\@\%]){0,1024}$/u</Mask>
                 </eap_id>
+                <groups type="AuthGroupField">
+                    <Multiple>Y</Multiple>
+                </groups>
                 <certs type="CertificateField">
                     <Multiple>Y</Multiple>
                     <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>