[strongSwan] roadwarrior user groups

Paton, Andy andy.paton at hp.com
Thu Jun 27 13:40:25 CEST 2013


We are doing this using Client Certificates.

For example, we have Windows 8, Android and iOS devices, and we have two reasons for assigning different IP pools

	a) For identification of backend traffic
	b) To be able to hive users off to restriced subnets

We use different OU's  in the Client Cert to achive this, for example:

	1) OU = Sales will have access to leftsubnet 172.x.x.x and 162.x.x.x
	2) OU = Dev will only have access to leftsubnet 172.x.x.x

We basically have different connection profiles for each device / OU, and using a wildcard in the DN to allow access:

	e.g. rightid="C=EN, O=My Compnay, OU=DEV, CN*"

If you would like any more help feel free to mail me and I can share what I have learned over the last couple of weeks.

Andy Paton

-----Original Message-----
From: users-bounces+andy.paton=hp.com at lists.strongswan.org [mailto:users-bounces+andy.paton=hp.com at lists.strongswan.org] On Behalf Of Daniel Pocock
Sent: 27 June 2013 12:12
To: users at lists.strongswan.org
Subject: [strongSwan] roadwarrior user groups

Are there any specific mechanisms for grouping roadwarriors into different groups?

For example, let's say that all mobile devices are to be allocated virtual IP addresses from pool A and all laptop devices are to be allocated virtual IP addresses from pool B.

One solution appears to involve creating different CAs (or intermediate
CAs) and using the leftca or rightca parameter.  However, this is quite rigid in other ways (e.g. no device can be in two logical groups for some other purpose)

Users mailing list
Users at lists.strongswan.org

More information about the Users mailing list