Multiple Radius Servers for VPN scenario (#11550)

* multiple radius initial commit

* new cmdlet

* cortex scenario

* updated tests

* rebased and PR comments

* fixed test issue

* reworked parametersets

* revert Set test

* supress a junk secret

* multiple radius initial commit

* new cmdlet

* cortex scenario

* updated tests

* rebased and PR comments

* fixed test issue

* reworked parametersets

* revert Set test

* supress a junk secret

* only allow one type of radius to be set

* help files

* filled in MD file

* suppress exception

* suppress other cmdlet signature issue

* fix

* reset static analysis and fixed new cmdlet for default parameter

* merged signatureissue fix

* fixed typo

* removed RemoveAzureSecurityPartnerProviderCommand exception as per PRcomments

* Revert "removed RemoveAzureSecurityPartnerProviderCommand exception as per PRcomments"

This reverts commit b09407e.

Author: henry416

src/Network/Network.Test/ScenarioTests/VirtualNetworkGatewayTests.cs

@@ -108,6 +108,14 @@ public void VirtualNetworkGatewayOpenVPNAADAuthTest()
             TestRunner.RunTestScript("Test-VirtualNetworkGatewayOpenVPNAADAuth");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.brooklynft_subset3)]
+        public void VirtualNetworkGatewayRadiusTest()
+        {
+            TestRunner.RunTestScript("Test-VirtualNetworkGatewayRadius");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.brooklynft_subset3)]

src/Network/Network.Test/ScenarioTests/VirtualNetworkGatewayTests.ps1

@@ -291,7 +291,7 @@ function Test-SetVirtualNetworkGatewayCRUD
       $gw1ipconfBgp1 = New-AzIpConfigurationBgpPeeringAddressObject -IpConfigurationId $ipconfigurationId1 -CustomAddress $addresslist1
       $gateway = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -IpConfigurationBgpPeeringAddresses $gw1ipconfBgp1
        Assert-AreEqual $ipconfigurationId1 $gateway.BgpSettings.BGPPeeringAddresses[0].IpConfigurationId
-
+      
 	  # Tags
 	  $gateway = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -Tag @{ testtagKey="SomeTagKey"; testtagValue="SomeKeyValue" }
 	  Assert-AreEqual 2 $gateway.Tag.Count
@@ -648,6 +648,80 @@ function Test-VirtualNetworkGatewayIkeV2
     }
 }
 
+<#
+.SYNOPSIS
+Virtual network gateway P2S radius API test
+#>
+function Test-VirtualNetworkGatewayRadius
+{
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $rname = Get-ResourceName
+    $domainNameLabel = Get-ResourceName
+    $vnetName = Get-ResourceName
+    $publicIpName = Get-ResourceName
+    $vnetGatewayConfigName = Get-ResourceName
+    $rglocation = Get-ProviderLocation ResourceManagement
+    $resourceTypeParent = "Microsoft.Network/virtualNetworkGateways"
+    $location = Get-ProviderLocation $resourceTypeParent
+
+	try 
+	{
+        # Create the multiple radius servers settings
+        #[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine")]
+        $radiuspd = ConvertTo-SecureString -String "radiuspd" -AsPlainText -Force
+        $radiusServer1 = New-AzRadiusServer -RadiusServerAddress 10.1.0.1 -RadiusServerSecret $radiuspd -RadiusServerScore 30
+        $radiusServer2 = New-AzRadiusServer -RadiusServerAddress 10.1.0.2 -RadiusServerSecret $radiuspd -RadiusServerScore 1
+        $radiusServer3 = New-AzRadiusServer -RadiusServerAddress 10.1.0.3 -RadiusServerSecret $radiuspd -RadiusServerScore 15
+        $radiusServers = @( $radiusServer1, $radiusServer2 )
+
+		# Create the resource group
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $rglocation -Tags @{ testtag = "testval" }
+	
+		# Create the Virtual Network
+		$subnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.0.0.0/24
+		$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+		$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname      
+		$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
+
+		# Create the IP config
+		$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Dynamic -DomainNameLabel $domainNameLabel
+		$vnetIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name $vnetGatewayConfigName -PublicIpAddress $publicip -Subnet $subnet
+
+		# Create & Get virtualnetworkgateway
+		New-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname -location $location -IpConfigurations $vnetIpConfig -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientAddressPool 201.169.0.0/16 -VpnClientProtocol "IkeV2" -RadiusServerList $radiusServers
+		$actual = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname
+        Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers.Count 2 
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[0].RadiusServerAddress $radiusServer1.RadiusServerAddress
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[0].RadiusServerScore $radiusServer1.RadiusServerScore
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[1].RadiusServerAddress $radiusServer2.RadiusServerAddress
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[1].RadiusServerScore $radiusServer2.RadiusServerScore
+		 
+		# Update gateway to singular radius
+        Set-AzVirtualNetworkGateway -VirtualNetworkGateway $actual -VpnClientAddressPool 201.169.0.0/16 -VpnClientProtocol "IkeV2" -RadiusServerAddress 10.1.0.2 -RadiusServerSecret $radiuspd
+        $actual = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname
+        Assert-Null  $actual.VpnClientConfiguration.RadiusServers
+        Assert-AreEqual $actual.VpnClientConfiguration.RadiusServerAddress 10.1.0.2
+
+		# Update gateway radius settings
+        $radiusServers = @($radiusServer3, $radiusServer1)
+		Set-AzVirtualNetworkGateway -VirtualNetworkGateway $actual -VpnClientAddressPool 201.169.0.0/16 -VpnClientProtocol "IkeV2" -RadiusServerList $radiusServers
+		$actual = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname
+        Assert-Null  $actual.VpnClientConfiguration.RadiusServerAddress
+        Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers.Count 2 
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[0].RadiusServerAddress $radiusServer3.RadiusServerAddress
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[0].RadiusServerScore $radiusServer3.RadiusServerScore
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[1].RadiusServerAddress $radiusServer1.RadiusServerAddress
+		Assert-AreEqual $actual.VpnClientConfiguration.RadiusServers[1].RadiusServerScore $radiusServer1.RadiusServerScore
+	}
+    finally
+    {
+		# Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
+
 <#
 .SYNOPSIS
 Virtual network gateway P2S OpenVPN API test

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.VirtualNetworkGatewayTests/VirtualNetworkGatewayRadiusTest.json

@@ -275,7 +275,7 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'Set-AzPublicIpPrefix', 'Get-AzRouteTable', 'New-AzRouteTable', 
                'Remove-AzRouteTable', 'Add-AzRouteConfig', 'Get-AzRouteConfig', 
                'New-AzRouteConfig', 'Remove-AzRouteConfig', 'Set-AzRouteConfig', 
-               'Set-AzRouteTable', 'Set-AzVirtualNetworkGateway', 
+               'Set-AzRouteTable', 'New-AzRadiusServer', 'Set-AzVirtualNetworkGateway', 
                'Get-AzVirtualNetworkGateway', 'New-AzVirtualNetworkGateway', 
                'Get-AzVirtualNetworkGatewayVpnclientConnectionHealth', 
                'Get-AzVpnClientRootCertificate', 

src/Network/Network/Az.Network.psd1

@@ -87,19 +87,23 @@ public class NewAzureRmVpnServerConfigurationCommand : VpnServerConfigurationBas
         public string[] VpnClientRevokedCertificateFilesList { get; set; }
 
         [Parameter(
-            Mandatory = true,
+            Mandatory = false,
             ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationName + CortexParameterSetNames.ByRadiusAuthentication,
             HelpMessage = "P2S External Radius server address.")]
-        [ValidateNotNullOrEmpty]
         public string RadiusServerAddress { get; set; }
 
         [Parameter(
-            Mandatory = true,
+            Mandatory = false,
             ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationName + CortexParameterSetNames.ByRadiusAuthentication,
             HelpMessage = "P2S External Radius server secret.")]
-        [ValidateNotNullOrEmpty]
         public SecureString RadiusServerSecret { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationName + CortexParameterSetNames.ByRadiusAuthentication,
+            HelpMessage = "P2S External multiple radius servers.")]
+        public PSRadiusServer[] RadiusServerList { get; set; }
+
         [Parameter(
             Mandatory = false,
             ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationName + CortexParameterSetNames.ByRadiusAuthentication,
@@ -172,6 +176,7 @@ public override void Execute()
                 this.VpnClientRevokedCertificateFilesList,
                 this.RadiusServerAddress,
                 this.RadiusServerSecret,
+                this.RadiusServerList,
                 this.RadiusServerRootCertificateFilesList,
                 this.RadiusClientRootCertificateFilesList,
                 this.AadTenant,

src/Network/Network/Cortex/VpnServerConfiguration/NewAzureRmVpnServerConfigurationCommand.cs

@@ -169,7 +169,6 @@ public class UpdateAzureRmVpnServerConfigurationCommand : VpnServerConfiguration
             Mandatory = false,
             ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationResourceId + CortexParameterSetNames.ByRadiusAuthentication,
             HelpMessage = "P2S External Radius server address.")]
-        [ValidateNotNullOrEmpty]
         public string RadiusServerAddress { get; set; }
 
         [Parameter(
@@ -184,9 +183,22 @@ public class UpdateAzureRmVpnServerConfigurationCommand : VpnServerConfiguration
             Mandatory = false,
             ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationResourceId + CortexParameterSetNames.ByRadiusAuthentication,
             HelpMessage = "P2S External Radius server secret.")]
-        [ValidateNotNullOrEmpty]
         public SecureString RadiusServerSecret { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationName + CortexParameterSetNames.ByRadiusAuthentication,
+            HelpMessage = "P2S External multiple radius servers.")]
+        [Parameter(
+            Mandatory = false,
+            ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationObject + CortexParameterSetNames.ByRadiusAuthentication,
+            HelpMessage = "P2S External multiple radius servers.")]
+        [Parameter(
+            Mandatory = false,
+            ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationResourceId + CortexParameterSetNames.ByRadiusAuthentication,
+            HelpMessage = "P2S External multiple radius servers.")]
+        public PSRadiusServer[] RadiusServerList { get; set; }
+
         [Parameter(
             Mandatory = false,
             ParameterSetName = CortexParameterSetNames.ByVpnServerConfigurationName + CortexParameterSetNames.ByRadiusAuthentication,
@@ -364,19 +376,30 @@ public override void Execute()
             // VpnAuthenticationType = Radius related validations.
             else if (vpnServerConfigurationToUpdate.VpnAuthenticationTypes.Contains(MNM.VpnAuthenticationType.Radius))
             {
-                if (this.RadiusServerAddress != null)
+                if ((this.RadiusServerList != null && this.RadiusServerList.Count() > 0) && (this.RadiusServerAddress != null || this.RadiusServerSecret != null))
                 {
-                    vpnServerConfigurationToUpdate.RadiusServerAddress = this.RadiusServerAddress;
+                    throw new ArgumentException("Cannot configure both singular radius server and multiple radius servers at the same time.");
                 }
 
-                if (this.RadiusServerSecret != null)
+                if (RadiusServerList != null && this.RadiusServerList.Count() > 0)
                 {
-                    vpnServerConfigurationToUpdate.RadiusServerSecret = SecureStringExtensions.ConvertToString(this.RadiusServerSecret);
+                    vpnServerConfigurationToUpdate.RadiusServers = this.RadiusServerList.ToList();
+                    vpnServerConfigurationToUpdate.RadiusServerAddress = null;
+                    vpnServerConfigurationToUpdate.RadiusServerSecret = null;
                 }
-
-                if (vpnServerConfigurationToUpdate.RadiusServerAddress == null || vpnServerConfigurationToUpdate.RadiusServerSecret == null)
+                else
                 {
-                    throw new ArgumentException("Both radius server address and secret must be specified if VpnAuthenticationType is being configured as Radius.");
+                    if (this.RadiusServerAddress != null)
+                    {
+                        vpnServerConfigurationToUpdate.RadiusServerAddress = this.RadiusServerAddress;
+                    }
+
+                    if (this.RadiusServerSecret != null)
+                    {
+                        vpnServerConfigurationToUpdate.RadiusServerSecret = SecureStringExtensions.ConvertToString(this.RadiusServerSecret);
+                    }
+
+                    vpnServerConfigurationToUpdate.RadiusServers = null;
                 }
 
                 // Read the RadiusServerRootCertificates if present

src/Network/Network/Cortex/VpnServerConfiguration/UpdateAzureRmVpnServerConfigurationCommand.cs

@@ -104,6 +104,7 @@ public PSVpnServerConfiguration CreateVpnServerConfigurationObject(
             string[] vpnClientRevokedCertificateFilesList,
             string radiusServerAddress,
             SecureString radiusServerSecret,
+            PSRadiusServer[] radiusServers,
             string[] radiusServerRootCertificateFilesList,
             string[] radiusClientRootCertificateFilesList,
             string aadTenant,
@@ -172,13 +173,17 @@ public PSVpnServerConfiguration CreateVpnServerConfigurationObject(
             // VpnAuthenticationType = Radius related validations.
             else if (vpnAuthenticationType.Contains(MNM.VpnAuthenticationType.Radius))
             {
-                if (radiusServerAddress == null || radiusServerSecret == null)
+                if (radiusServerAddress != null)
                 {
-                    throw new ArgumentException("Both radius server address and secret must be specified if VpnAuthenticationType is being configured as Radius.");
+                    vpnServerConfiguration.RadiusServerAddress = radiusServerAddress;
                 }
 
-                vpnServerConfiguration.RadiusServerAddress = radiusServerAddress;
-                vpnServerConfiguration.RadiusServerSecret = SecureStringExtensions.ConvertToString(radiusServerSecret);
+                if (radiusServerSecret != null)
+                {
+                    vpnServerConfiguration.RadiusServerSecret = SecureStringExtensions.ConvertToString(radiusServerSecret);
+                }
+
+                vpnServerConfiguration.RadiusServers = radiusServers?.ToList();
 
                 // Read the RadiusServerRootCertificates if present
                 if (radiusServerRootCertificateFilesList != null)

src/Network/Network/Cortex/VpnServerConfiguration/VpnServerConfigurationBaseCmdlet.cs

@@ -48,6 +48,7 @@ public partial class PSVpnClientConfiguration
         public List<PSVpnClientRootCertificate> VpnClientRootCertificates { get; set; }
         public List<PSVpnClientRevokedCertificate> VpnClientRevokedCertificates { get; set; }
         public List<PSIpsecPolicy> VpnClientIpsecPolicies { get; set; }
+        public List<PSRadiusServer> RadiusServers { get; set; }
 
         [JsonIgnore]
         public string VpnClientProtocolsText
@@ -78,5 +79,11 @@ public string VpnClientIpsecPoliciesText
         {
             get { return JsonConvert.SerializeObject(VpnClientIpsecPolicies, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
         }
+
+        [JsonIgnore]
+        public string RadiusServersText
+        {
+            get { return JsonConvert.SerializeObject(RadiusServers, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
+        }
     }
 }

src/Network/Network/Generated/Models/PSVpnClientConfiguration.cs

@@ -41,6 +41,8 @@ public class PSVpnServerConfiguration : PSTopLevelResource
 
         public string RadiusServerSecret { get; set; }
 
+        public List<PSRadiusServer> RadiusServers { get; set; }
+
         public PSAadAuthenticationParameters AadAuthenticationParameters { get; set; }
 
         [Ps1Xml(Label = "P2SVpnGateway ids", Target = ViewControl.Table)]
@@ -61,6 +63,12 @@ public string VpnClientRevokedCertificatesText
             get { return JsonConvert.SerializeObject(VpnClientRevokedCertificates, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
         }
 
+        [JsonIgnore]
+        public string RadiusServersText
+        {
+            get { return JsonConvert.SerializeObject(RadiusServers, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
+        }
+
         [JsonIgnore]
         public string RadiusServerRootCertificatesText
         {

src/Network/Network/Models/Cortex/PSVpnServerConfiguration.cs

@@ -0,0 +1,38 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.WindowsAzure.Commands.Common.Attributes;
+
+namespace Microsoft.Azure.Commands.Network.Models
+{
+    public class PSRadiusServer
+    {
+        /// <summary>
+        /// Radius server address
+        /// </summary>
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string RadiusServerAddress { get; set; }
+
+        /// <summary>
+        /// Radius server secret
+        /// </summary>
+        public string RadiusServerSecret { get; set; }
+
+        /// <summary>
+        /// Radius server score
+        /// </summary>
+        [Ps1Xml(Target = ViewControl.Table)]
+        public int RadiusServerScore { get; set; }
+    }
+}