[strongSwan] User groups

Raoul Duke rduke496 at gmail.com
Thu Nov 7 01:41:31 CET 2013


PS - the EAPRadius configuration seems to use Xauth as the primary means to
look up users.  In my case I have a user identifier in the client certificate
common name.  Could I have the Radius plugin look up the group based on that
as the username?  Or otherwise, is there another means to look up groups
than via xauth?

I'd be happy to write a plugin to do my custom behavior if someone could
give me a pointer in the right direction.  Is the eap_radius plugin a good
place to start?  Or is there a simpler plugin I could look at to start
with?  Do any other plugins deal with mapping incoming users to groups?

My primitive idea of what I would like to accomplish is: a plugin which
extracts the username from the common-name of the client cert, looks it up
in a hash table (or file) and returns a group name which can be used to
match on in traffic selectors.

Or to come at it from another direction - would an updown script be a good
place to assign a group?  e.g. at the "up" stage the script goes off and
does some arbitrary checks and sets a $GROUP variable which can be matched
on in traffic selectors?  Or is it already too late to match traffic
selectors by the time it hits those scripts?

I'd appreciate any pointers/feedback.

Thanks.
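As an added example (not code from the thread or from the strongSwan project), the following shell helper sketches the file-based lookup described above in the place an updown script would do it. It assumes the peer identity arrives in PLUTO_PEER_ID, the environment variable strongSwan's updown hook exports, as a DN string like "C=CH, O=Example, CN=alice"; the mapping file format, the user names and the group names are constructed for the demo. The CN is matched against the file with an exact string comparison rather than a regular expression, so a CN containing metacharacters cannot widen the match, and an unmapped CN yields no group at all rather than a default. Note that an updown script runs once the CHILD_SA is already installed, so a group derived this way can feed logging or tagging but does not change the traffic selectors negotiated for that SA.

```shell
#!/bin/sh
# Added example, not part of the original post or of strongSwan itself.
# Maps the CN of the peer's certificate identity (PLUTO_PEER_ID as exported
# to updown scripts) to a group name through a flat "<cn> <group>" file.

# Extract the value of the first CN= attribute from a comma-separated DN.
# Prints nothing and returns 1 when the DN carries no CN, so callers can
# distinguish "no identity" from an empty group name.
cn_from_dn() {
    cn=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1)
    [ -n "$cn" ] && printf '%s\n' "$cn"
}

# Look up a CN in the mapping file.  The CN is passed through the
# environment (not -v) so awk does not interpret backslash escapes in it,
# and compared with ==, so it is never treated as a pattern.
# Returns 1 when the CN has no entry.
group_for_cn() {
    CN="$1" awk '$1 == ENVIRON["CN"] { print $2; found = 1; exit }
                 END { exit !found }' "$2"
}

# Constructed sample mapping file for the demo (a real deployment would
# keep this in a fixed, root-owned path).
MAPFILE=$(mktemp)
trap 'rm -f "$MAPFILE"' EXIT
cat >"$MAPFILE" <<'EOF'
# constructed sample mapping: <cn> <group>
alice finance
bob   engineering
carol engineering
EOF

# Use the updown variable when present, otherwise a constructed identity.
peer_id=${PLUTO_PEER_ID:-"C=CH, O=Example Corp, CN=alice"}
if peer_cn=$(cn_from_dn "$peer_id") && peer_group=$(group_for_cn "$peer_cn" "$MAPFILE"); then
    echo "peer '$peer_id' -> cn=$peer_cn group=$peer_group"
else
    echo "peer '$peer_id' has no group mapping" >&2
fi
```

Run it with `PLUTO_PEER_ID='C=CH, O=Example Corp, CN=bob' sh map_group.sh` to see the lookup for a different identity; an identity that is not in the file, or that has no CN at all, falls into the error branch instead of being silently assigned a group.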


On Thu, Nov 7, 2013 at 12:31 AM, Raoul Duke <rduke496 at gmail.com> wrote:

> Hi,
>
> I have dozens (potentially hundreds) of user groupings.   I would like to
> assign each group an IP block/range so I can identify the groups in
> upstream proxy logs etc.
>
> I'm aware that the recommended solution for identifying users by group is:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
>
> My questions are:
> 1] is the EAP Radius setup compatible with iOS clients (ikev1)?  I have
> read that EAP is an ikev1 concept so my assumption was that it may not work.
> Can you please clarify?
>
> 2] in the above Wiki the traffic selectors for each group are in the
> config file. Can the group to traffic selector mappings be configured more
> dynamically somehow? (e.g.
> http://wiki.strongswan.org/projects/strongswan/wiki/SQL - if so, is this
> a stable plugin?)

