From 82f79177af7e071d668e11c9eeefdb5157d8903b Mon Sep 17 00:00:00 2001 From: mazora Date: Mon, 24 Jun 2024 14:16:31 +0300 Subject: [PATCH 1/2] Add new radius configuration command "config radius require-message-authenticator" Also include this new option in the show command "show radius" --- config/aaa.py | 16 +++++++++++++++- show/main.py | 3 ++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/config/aaa.py b/config/aaa.py index fdb784dc4a..436b183145 100644 --- a/config/aaa.py +++ b/config/aaa.py @@ -485,6 +485,17 @@ def statistics(option): radius.add_command(statistics) +@click.command("require-message-authenticator") +@click.argument('option', type=click.Choice(["enable", "disable"])) +def require_message_authenticator(option): + """Specify RADIUS client configuration option for requiring message-authenticator attribute in all request-access packets""" + if option == 'enable': + add_table_kv('RADIUS', 'global', 'require_message_authenticator', True) + elif option == 'disable': + add_table_kv('RADIUS', 'global', 'require_message_authenticator', False) +radius.add_command(require_message_authenticator) + + # cmd: radius add --retransmit COUNT --timeout SECOND --key SECRET --type TYPE --auth-port PORT --pri PRIORITY @click.command() @click.argument('address', metavar='') 
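Review bot: The docstring of `require_message_authenticator` says the attribute is required in "request-access" packets, while the per-server flag added to `add` later in this patch describes discarding Access-Accept, Access-Reject and Access-Challenge replies that lack it. An operator reading `--help` cannot tell whether the global setting signs outgoing requests or validates incoming replies. If it means the same as the per-server flag, the docstring should say so, e.g. `"""Discard RADIUS replies (Access-Accept, Access-Reject, Access-Challenge) that lack a Message-Authenticator attribute"""`; otherwise it should at least use the protocol's name, Access-Request. The `if`/`elif` pair can also collapse to `add_table_kv('RADIUS', 'global', 'require_message_authenticator', option == 'enable')`, since `click.Choice` already limits `option` to the two values.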
@@ -496,7 +507,8 @@ def statistics(option): @click.option('-p', '--pri', help="Priority, default 1", type=click.IntRange(1, 64), default=1) @click.option('-m', '--use-mgmt-vrf', help="Management vrf, default is no vrf", is_flag=True) @click.option('-s', '--source-interface', help='Source Interface') -def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_vrf, source_interface): +@click.option('-u', '--require-message-authenticator', help='Discards access-accept, access-reject, and access-challenge packets that do not contain a Message-Authenticator attribute', is_flag=True) +def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_vrf, source_interface, require_message_authenticator): """Specify a RADIUS server""" if ADHOC_VALIDATION: @@ -531,6 +543,8 @@ def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_v data['passkey'] = key if use_mgmt_vrf : data['vrf'] = "mgmt" + if message_authenticator_flag: + data['require_message_authenticator'] = True if ADHOC_VALIDATION: if source_interface : if (source_interface.startswith("Ethernet") or \ diff --git a/show/main.py b/show/main.py index c4d99b8eab..3f2449e1dd 100755 --- a/show/main.py +++ b/show/main.py @@ -1926,7 +1926,8 @@ def radius(db): 'auth_type': 'pap (default)', 'retransmit': '3 (default)', 'timeout': '5 (default)', - 'passkey': ' (default)' + 'passkey': ' (default)', + 'require_message_authenticator': 'disable (default)' } } if 'global' in data: From 084ad3afdf9a411521bd95017b8c8c440203d33c Mon Sep 17 00:00:00 2001 From: mazora Date: Tue, 2 Jul 2024 11:27:05 +0300 Subject: [PATCH 2/2] Fixed if statement to correct variable name --- config/aaa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/aaa.py b/config/aaa.py index 436b183145..6a1f6321de 100644 --- a/config/aaa.py +++ b/config/aaa.py 
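Review bot: The help text for `--require-message-authenticator` does not say what happens when the flag is omitted, unlike the neighbouring options ("Priority, default 1", "Management vrf, default is no vrf"). Because it is an `is_flag` option and the body only ever writes `True`, a server entry cannot be explicitly set to off. Whether an entry without the key then follows the global setting is not visible in this hunk and is worth stating in the help. The decorator line is also far longer than its neighbours and would read better wrapped across lines. `add`'s body continues outside the hunk.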
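Review bot: No test in this series covers the new `require_message_authenticator` branch in `add`, and the branch as written here would fail on first use. It tests `message_authenticator_flag`, a name the signature in this patch does not define, so as far as the hunk shows `config radius add` would raise NameError on reaching this line; patch 2/2 corrects the name. The diffstats of both patches list only config/aaa.py and show/main.py. A unit test that runs `radius add` with and without `-u` and checks the stored `require_message_authenticator` value would have caught this and would guard the setting against later regressions.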
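Review bot: The default is displayed as `'disable (default)'`, but the `config radius require-message-authenticator` command in this series stores Python `True`/`False`, so a configured value will presumably be printed in a different vocabulary from the default. The rendering code is outside the hunk, so this is inferred. `show radius` is where an operator confirms that replies without a Message-Authenticator are being rejected, so the displayed values should be unambiguous. Either store the strings `enable`/`disable` from the config command, or map the stored value to them before printing; whichever is chosen, the per-server key written by `radius add` should use the same representation.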
@@ -543,7 +543,7 @@ def add(address, retransmit, timeout, key, auth_type, auth_port, pri, use_mgmt_v
 data['passkey'] = key
 if use_mgmt_vrf :
 data['vrf'] = "mgmt"
- if message_authenticator_flag:
+ if require_message_authenticator:
 data['require_message_authenticator'] = True
 if ADHOC_VALIDATION:
 if source_interface :