security/openconnect: add support for OTP token generation (#2980)

2026-05-22 18:44:07 -07:00 · 2022-10-19 21:20:00 +11:00
parent 312b3552c5
commit 2aece2fee3
4 changed files with 32 additions and 0 deletions
@@ -8,6 +8,8 @@ Plugin Changelog

 1.4.3

+
+* Add support for one-time password generation
 * Permit additional characters in group name

 1.4.2
@@ -47,6 +47,18 @@
        <type>dropdown</type>
        <help>Select the client certificate to use.</help>
    </field>
+    <field>
+        <id>general.tokenmode</id>
+        <label>Token Mode</label>
+        <type>dropdown</type>
+        <help>Use a one-time password generation mode.</help>
+    </field>
+    <field>
+        <id>general.tokensecret</id>
+        <label>Token Secret</label>
+        <type>text</type>
+        <help>Enter a secret to use with one-time password generation.</help>
+    </field>
    <field>
        <id>general.protocol</id>
        <label>Protocol</label>
@@ -47,6 +47,18 @@
            <Type>cert</Type>
            <Required>N</Required>
        </clientcertificate>
+        <tokenmode type="OptionField">
+            <Required>N</Required>
+            <OptionValues>
+                <rsa>RSA SecurID</rsa>
+                <totp>TOTP</totp>
+                <hotp>HOTP</hotp>
+                <oidc>OpenIDConnect</oidc>
+            </OptionValues>
+        </tokenmode>
+        <tokensecret type="TextField">
+            <Required>N</Required>
+        </tokensecret>
        <protocol type="OptionField">
            <default>anyconnect</default>
            <multiple>N</multiple>
@@ -19,6 +19,12 @@ authgroup={{ OPNsense.openconnect.general.group }}
 certificate=/usr/local/etc/openconnect_cert.pem
 sslkey=/usr/local/etc/openconnect_key.pem
 {%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.tokenmode') and OPNsense.openconnect.general.tokenmode != '' %}
+{%     if helpers.exists('OPNsense.openconnect.general.tokensecret') and OPNsense.openconnect.general.tokensecret != '' %}
+token-mode={{ OPNsense.openconnect.general.tokenmode }}
+token-secret={{ OPNsense.openconnect.general.tokensecret }}
+{%     endif %}
+{%   endif %}
 {%   if helpers.exists('OPNsense.openconnect.general.protocol') and OPNsense.openconnect.general.protocol != '' %}
 protocol={{ OPNsense.openconnect.general.protocol }}
 {%   endif %}