T5756: L2TP RADIUS backup and weight settings

data/templates/accel-ppp/config_chap_secrets_radius.j2

@@ -5,7 +5,20 @@ chap-secrets={{ chap_secrets_file }}
 [radius]
 verbose=1
 {%     for server, options in authentication.radius.server.items() if not options.disable is vyos_defined %}
-server={{ server }},{{ options.key }},auth-port={{ options.port }},acct-port={{ options.acct_port }},req-limit=0,fail-time={{ options.fail_time }}
+{%         set _server_cfg = "server=" %}
+{%         set _server_cfg = _server_cfg + server %}
+{%         set _server_cfg = _server_cfg + "," + options.key %}
+{%         set _server_cfg = _server_cfg + ",auth-port=" + options.port %}
+{%         set _server_cfg = _server_cfg + ",acct-port=" + options.acct_port %}
+{%         set _server_cfg = _server_cfg + ",req-limit=0" %}
+{%         set _server_cfg = _server_cfg + ",fail-time=" + options.fail_time %}
+{%         if options.priority is vyos_defined %}
+{%             set _server_cfg = _server_cfg + ",weight=" + options.priority %}
+{%         endif %}
+{%         if options.backup is vyos_defined %}
+{%             set _server_cfg = _server_cfg + ",backup" %}
+{%         endif %}
+{{ _server_cfg }}
 {%     endfor %}
 {%     if authentication.radius.accounting_interim_interval is vyos_defined %}
 acct-interim-interval={{ authentication.radius.accounting_interim_interval }}

interface-definitions/include/accel-ppp/radius-additions.xml.i

@@ -57,6 +57,13 @@
           </properties>
           <defaultValue>0</defaultValue>
         </leafNode>
+        #include <include/radius-priority.xml.i>
+        <leafNode name="backup">
+          <properties>
+            <help>Use backup server if other servers are not available</help>
+            <valueless/>
+          </properties>
+        </leafNode>
       </children>
     </tagNode>
     <leafNode name="timeout">

interface-definitions/include/radius-priority.xml.i

@@ -0,0 +1,14 @@
+<!-- include start from radius-priority.xml.i -->
+<leafNode name="priority">
+  <properties>
+    <help>Server priority</help>
+    <valueHelp>
+      <format>u32:1-255</format>
+      <description>Server priority</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-255"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->

interface-definitions/system_login.xml.in

@@ -202,17 +202,8 @@
               <tagNode name="server">
                 <children>
                   #include <include/radius-timeout.xml.i>
+                  #include <include/radius-priority.xml.i>
                   <leafNode name="priority">
-                    <properties>
-                      <help>Server priority</help>
-                      <valueHelp>
-                        <format>u32:1-255</format>
-                        <description>Server priority</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 1-255"/>
-                      </constraint>
-                    </properties>
                     <defaultValue>255</defaultValue>
                   </leafNode>
                 </children>

smoketest/scripts/cli/base_accel_ppp_test.py

@@ -367,6 +367,27 @@ def test_accel_radius_authentication(self):
                 ]
             )
 
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "server",
+                    radius_server,
+                    "backup",
+                ]
+            )
+
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "server",
+                    radius_server,
+                    "priority",
+                    "10",
+                ]
+            )
+
             # commit changes
             self.cli_commit()
 
@@ -379,6 +400,8 @@ def test_accel_radius_authentication(self):
             self.assertEqual(f"acct-port=0", server[3])
             self.assertEqual(f"req-limit=0", server[4])
             self.assertEqual(f"fail-time=0", server[5])
+            self.assertIn('weight=10', server)
+            self.assertIn('backup', server)
 
         def test_accel_ipv4_pool(self):
             self.basic_config(is_gateway=False, is_client_pool=False)

smoketest/scripts/cli/test_vpn_l2tp.py

@@ -95,6 +95,29 @@ def test_vpn_l2tp_dependence_ipsec_swanctl(self):
         self.cli_set(base_path + ['authentication', 'protocols', 'chap'])
         self.cli_commit()
 
+    def test_l2tp_radius_server(self):
+        base_path = ['vpn', 'l2tp', 'remote-access']
+        radius_server = "192.0.2.22"
+        radius_key = "secretVyOS"
+
+        self.cli_set(base_path + ['authentication', 'mode', 'radius'])
+        self.cli_set(base_path + ['gateway-address', '192.0.2.1'])
+        self.cli_set(base_path + ['client-ip-pool', 'SIMPLE-POOL', 'range', '192.0.2.0/24'])
+        self.cli_set(base_path + ['default-pool', 'SIMPLE-POOL'])
+        self.cli_set(base_path + ['authentication', 'radius', 'server', radius_server, 'key', radius_key])
+        self.cli_set(base_path + ['authentication', 'radius', 'server', radius_server, 'priority', '10'])
+        self.cli_set(base_path + ['authentication', 'radius', 'server', radius_server, 'backup'])
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True)
+        conf.read(self._config_file)
+        server = conf["radius"]["server"].split(",")
+        self.assertIn('weight=10', server)
+        self.assertIn('backup', server)
+
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)