diff --git a/src/sonic-host-services-data/templates/common-auth-sonic.j2 b/src/sonic-host-services-data/templates/common-auth-sonic.j2
index 7435d47644..a890556a36 100644
--- a/src/sonic-host-services-data/templates/common-auth-sonic.j2
+++ b/src/sonic-host-services-data/templates/common-auth-sonic.j2
@@ -32,7 +32,7 @@ auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
 auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass
 # For the RADIUS servers, on success jump to the cacheing the MPL(Privilege)
 {% for server in servers %}
-auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}:{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
+auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
 {% endfor %}
 auth requisite pam_deny.so
 # Cache MPL(Privilege)
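Review bot: The rename changes only the ip/port separator in the `conf=` path, while `{{ server.ip }}` is still emitted verbatim, so an IPv6 server address would put colons straight back into `/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf`; the same applies to the identical `pam_radius_auth.so` lines in the `@@ -43` and `@@ -56` hunks. If ':' in that path was the reason for the change, IPv6 addresses need the same normalisation here and in hostcfgd, where the file is written, or the IPv4-only assumption should be recorded in the template, e.g. `{# conf= file name must match what hostcfgd writes: RADIUS_PAM_AUTH_CONF_DIR + ip + '_' + auth_port + '.conf' #}` placed just before the `{% for server in servers %}` line. The `{% for %}` block is inside the hunk, but the surrounding template structure is not.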
@@ -43,7 +43,7 @@ auth [success=1 default=ignore] pam_exec.so /usr/sbin/cache_radius
 auth [success={{ (servers | count) }} default=ignore] pam_succeed_if.so user = root
 # For the RADIUS servers, on success jump to the cache the MPL(Privilege)
 {% for server in servers %}
-auth [success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}:{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
+auth [success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
 {% endfor %}
 # Local
 auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass
@@ -56,7 +56,7 @@ auth [success=1 default=ignore] pam_exec.so /usr/sbin/cache_radius
 auth [success={{ (servers | count) + 2 }} default=ignore] pam_succeed_if.so user = root
 # For the RADIUS servers, on success jump to the cache the MPL(Privilege)
 {% for server in servers %}
-auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}:{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
+auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
 {% endfor %}
 auth requisite pam_deny.so
 # Cache MPL(Privilege)
diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd
index 7f4482121d..053b78e528 100755
--- a/src/sonic-host-services/scripts/hostcfgd
+++ b/src/sonic-host-services/scripts/hostcfgd
@@ -458,7 +458,7 @@ class AaaCfg(object):
 if radsrvs_conf:
 for srv in radsrvs_conf:
 # Configuration File
- pam_radius_auth_file = RADIUS_PAM_AUTH_CONF_DIR + srv['ip'] + ":" + srv['auth_port'] + ".conf"
+ pam_radius_auth_file = RADIUS_PAM_AUTH_CONF_DIR + srv['ip'] + "_" + srv['auth_port'] + ".conf"
 template_file = os.path.abspath(PAM_RADIUS_AUTH_CONF_TEMPLATE)
 template = env.get_template(template_file)
 pam_radius_auth_conf = template.render(server=srv)
diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.1:1645.conf b/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.1_1645.conf
similarity index 100%
rename from src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.1:1645.conf
rename to src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.1_1645.conf
diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.2:1645.conf b/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.2_1645.conf
similarity index 100%
rename from src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.2:1645.conf
rename to src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/10.10.10.2_1645.conf
diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/common-auth-sonic b/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/common-auth-sonic
index 12294d0c4d..d6b148633e 100644
--- a/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/common-auth-sonic
+++ b/src/sonic-host-services/tests/hostcfgd/sample_output/RADIUS/common-auth-sonic
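Review bot: The new `pam_radius_auth_file` is still assembled by plain string concatenation from `srv['ip']` and `srv['auth_port']` with no validation visible in the hunk, so whatever CONFIG_DB holds lands verbatim in a path under `RADIUS_PAM_AUTH_CONF_DIR`. Parsing the address first, `ipaddress.ip_address(srv['ip'])` (stdlib, needs an import), and building the path with `os.path.join(RADIUS_PAM_AUTH_CONF_DIR, srv['ip'] + "_" + srv['auth_port'] + ".conf")` would keep the write confined to that directory and also make it obvious that an IPv6 address still carries ':' into the file name. Nothing in this hunk removes files written under the previous `ip:port.conf` name, so after an upgrade the old per-server conf files, which presumably hold the RADIUS shared secret, may remain in place; worth confirming that cleanup happens elsewhere. The enclosing `AaaCfg` method starts and ends outside the hunk, and the collapsed diff has lost the Python indentation of these lines.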
@@ -12,8 +12,8 @@
 # root user can only be authenticated locally. Jump to local.
 auth [success=2 default=ignore] pam_succeed_if.so user = root
 # For the RADIUS servers, on success jump to the cache the MPL(Privilege)
-auth [success=3 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.1:1645.conf privilege_level protocol=pap retry=1 nas_ip_address=10.10.10.10 debug try_first_pass
-auth [success=2 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.2:1645.conf privilege_level protocol=chap retry=2 nas_ip_address=10.10.10.10 debug try_first_pass
+auth [success=3 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.1_1645.conf privilege_level protocol=pap retry=1 nas_ip_address=10.10.10.10 debug try_first_pass
+auth [success=2 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.2_1645.conf privilege_level protocol=chap retry=2 nas_ip_address=10.10.10.10 debug try_first_pass
 # Local
 auth [success=done new_authtok_reqd=done default=ignore auth_err=die maxtries=die] pam_unix.so nullok try_first_pass
 auth requisite pam_deny.so