From e5de168c271cd24dfdad826089780a181c9deeca Mon Sep 17 00:00:00 2001
From: Alex W
Date: Sun, 21 Apr 2024 12:44:16 +0100
Subject: [PATCH] T6237: IPSec remote access VPN: ability to set EAP ID of clients
---
 data/templates/ipsec/swanctl/remote_access.j2 | 2 +-
 interface-definitions/vpn_ipsec.xml.in | 17 +++++++++++++++++
 smoketest/scripts/cli/test_vpn_ipsec.py | 5 +++++
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index adfa32bde79..6bced88c7c9 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -33,7 +33,7 @@
 auth = pubkey
 {% elif rw_conf.authentication.client_mode.startswith("eap") %}
 auth = {{ rw_conf.authentication.client_mode }}
- eap_id = %any
+ eap_id = {{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }}
 {% endif %}
 {% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %}
 {# pass all configured CAs as filenames, separated by commas #}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 833019d6830..08cbc66565f 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -768,6 +768,23 @@ #include #include + + + Remote EAP ID for client authentication + + txt + Remote EAP ID for client authentication + + + any + + + any + Allow any EAP ID + + + any + Client authentication mode
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 145b5990e37..27356d70eff 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
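Review bot: The configured eap-id is interpolated into swanctl.conf unquoted on the added `eap_id = {{ ... }}` line, and the matching leaf added in interface-definitions/vpn_ipsec.xml.in (second hunk; its tags are stripped in this view) shows a `txt` value help and an `any` default but no visible constraint, so a value containing whitespace, `#` or `"` would yield a malformed or differently parsed `remote` stanza. Either add a `<constraint><regex>...</regex></constraint>` to the XML leaf that limits the identity to a safe character set, or quote the rendered value in the template, e.g. `eap_id = "{{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }}"` (swanctl.conf accepts double-quoted values, as far as I recall — please confirm). As a point of style, the surrounding template tests values with `is vyos_defined(...)`, so `rw_conf.authentication.eap_id is vyos_defined('any')` would read consistently with the neighbouring lines. The enclosing `{% if %}` block begins outside the hunk.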
@@ -782,6 +782,11 @@ def test_remote_access_eap_tls(self):
 self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem')))
 self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+ # Test setting of custom EAP ID
+ self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'eap-id', 'eap-user@vyos.net'])
+ self.cli_commit()
+ self.assertIn(r'eap_id = eap-user@vyos.net', read_file(swanctl_file))
+
 self.tearDownPKI()
 def test_remote_access_x509(self):
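Review bot: The new assertions only pin the explicit value; the default branch, which renders `eap_id = %any` and therefore accepts any EAP identity, is not asserted in this hunk, so a regression in the template's `'any'` comparison would still pass. Unless an earlier line of test_remote_access_eap_tls (whose body starts outside the hunk) already checks it, add `self.assertIn(r'eap_id = %any', read_file(swanctl_file))` immediately before the new `cli_set`, so both the default and the overridden rendering are covered by the same test. The added comment could also say what is being verified, e.g. `# Test setting of custom EAP ID: value must appear verbatim in the generated remote stanza`.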