[strongSwan] Integrating radius with strongswan.

Martin Willi martin at strongswan.org
Mon Feb 18 15:44:15 CET 2013


Hi Azfar,

> I am using Strongswan 4.5.2 (Debian Squeeze) with xauthrsasig auth type.
> Now I want to replace ipsec.secrets and put a radius server.

In 4.5.2, IKEv1 is handled in the "pluto" daemon. Pluto does not have
support for RADIUS authentication.

With strongSwan 5.x, we reimplemented IKEv1 in the newer "charon" daemon
which also supports IKEv2. With its eap-radius backend and the xauth-eap
bridge, you can authenticate XAuth clients against RADIUS. It requires a
RADIUS server that speaks EAP, though. See [1] for details.

> 1) Can I still use xauth+rsa as a auth mechanism with eap-radius plugin.

With the xauth-eap helper plugin, yes.

> 2) Do I need to recompile strongswan for eap-radius plugin or Debian 6
> comes with it.

You need at least 5.0.0, better 5.0.2, which doesn't come with Debian
yet. Also, you need the eap-radius and the xauth-eap plugins, along with
a suitable EAP method.

> 3) I want to use single server for both radius and strongswan, what is
> the role of strongswan.conf in *"alice"*?

Alice is the RADIUS server in this example, so you won't need it. You
can install your RADIUS server on moon, and configure eap-radius to use
the local RADIUS server.

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP





More information about the Users mailing list