[strongSwan] User groups
Martin Willi
martin at strongswan.org
Thu Nov 7 10:36:30 CET 2013
Hi Raoul,
> 1] is the EAP Radius setup compatible with IOS clients (ikev1). I have
> read that EAP is an IKEv1 concept so my assumption was that it may not work.
> Can you please clarify?
EAP is an IKEv2 concept and is not supported in IKEv1. However, IKEv1
has the XAuth extension, and the eap-radius plugin can act as an XAuth
backend as well starting with 5.1.0.
> 2] in the above Wiki the traffic selectors for each group are in the config
> file. Can the group to traffic selector mappings be configured more
> dynamically somehow? (e.g. [...]/SQL - if so is this a stable plugin?)
The sql plugin is stable, but there are currently no options to define
group membership requirements for connections (rightgroups). And there
is no frontend to populate your database.
> the EAPRadius configuration seems to use Xauth as the primary
> means to lookup users. In my case I have a user identifier in the
> client certificate common name. Could I have the Radius plugin look up
> the group based on that as the username?
The primary intention for eap-radius is to authenticate EAP/XAuth users.
So no, it is currently not supported to do any dedicated group lookup
for IKE/certificate identities.
> I'd be happy to write a plugin to do my custom behavior if someone
> could give me a pointer in the right direction. Is the eap_radius
> plugin a good place to start? Or is there a simpler plugin I could
> look at to start with?
If you write something like that for IKEv1, I'd recommend going for an
XAuth backend. I think this is the only scenario where we currently
support late configuration switching (based on group information) for
IKEv1.
The eap_radius_xauth.c is certainly a good starting point, but you might
go for a simpler XAuth backend for the start (xauth-generic). Your
additional functionality should add the AUTH_RULE_GROUP to the current
IKE_SA remote authentication round. eap-radius does this at [1], eap-tnc
also sets group membership at [2] based on the IMV recommendation.
> My primitive idea of what I would like to accomplish is: a plugin
> which extracts the username from the common-name of the client cert,
> look it up in a hash table (or file) and return a group name which can
> be used to match on in traffic selectors.
Certificate information can be accessed by getting
AUTH_RULE_SUBJECT_CERT from the auth config of the first authentication
round. During XAuth, you have to query the authentication round of the
Main/Aggressive mode using ike_sa_t.create_auth_cfg_enumerator(). Once
you have the certificate, you can get its subject and use the
identification_t.create_part_enumerator() to query the CN of it.
> Or to come at it from another direction - would an updown script be a
> good place to assign a group?
No, updown can't return any information to the daemon.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/eap_radius/eap_radius.c#l297
[2]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/eap_tnc/eap_tnc.c#l98
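The config side of what Martin describes, as an added illustration (not taken from the message or from the strongSwan wiki it refers to): the group a backend attaches with AUTH_RULE_GROUP is matched by name against rightgroups=, so each group gets its own conn with its own traffic selectors. The certificate file name, the subnets and the group names are made up; xauth-radius is the stock eap-radius XAuth backend, a custom backend would be referenced by its own plugin name.

```ini
# ipsec.conf, IKEv1 with certificate authentication followed by XAuth.
# The XAuth backend (here the stock xauth-radius) is expected to add the
# user's group to the remote auth config; charon then switches to the
# conn whose rightgroups= contains that group.
conn %default
    keyexchange=ikev1
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=pubkey
    rightauth2=xauth-radius
    right=%any
    rightsourceip=10.10.0.0/24

# Only users whose lookup returned "sales" get this traffic selector.
conn sales
    leftsubnet=10.1.0.0/16
    rightgroups=sales
    auto=add

# Engineering gets a different subnet. A client whose backend added no
# group matches neither conn and the negotiation fails, which is the
# safe default.
conn engineering
    leftsubnet=10.2.0.0/16
    rightgroups=engineering
    auto=add
```

Note that the switch happens after the XAuth round, which is why Martin points out that XAuth is the only IKEv1 scenario where this late configuration switching is supported.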
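As an added example (not code from the original message and not part of strongSwan), a stand-alone C model of the lookup step Martin sketches: take the subject DN of the client certificate, pull the CN out of it, and map it to a group name that rightgroups= can match. The DN is passed in as an RFC 2253-style string and the user table is a constructed in-memory array; in a real XAuth backend the certificate would come from AUTH_RULE_SUBJECT_CERT, the CN from identification_t.create_part_enumerator(), and the returned group name would be added to the current auth config as AUTH_RULE_GROUP.

```c
/* Added example, not strongSwan code: stand-alone model of a CN -> group
 * lookup for an XAuth backend. The DN string and the user table below
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_CN 64

/* Extract the value of the first CN RDN from an RFC 2253-style DN such
 * as "C=CH, O=strongSwan, CN=alice". Backslash-escaped separators in
 * values are honoured. Returns 1 and fills cn on success, 0 if the DN
 * is malformed, has no CN, or the CN does not fit. */
int dn_get_cn(const char *dn, char *cn, size_t cn_len)
{
    const char *p = dn;

    while (*p) {
        while (*p == ' ') p++;              /* leading blanks of the RDN */
        const char *type = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') return 0;            /* no "type=" -> malformed */
        size_t tlen = p - type;
        while (tlen && type[tlen - 1] == ' ') tlen--;
        p++;                                /* skip '=' */

        int is_cn = (tlen == 2 &&
                     toupper((unsigned char)type[0]) == 'C' &&
                     toupper((unsigned char)type[1]) == 'N');
        size_t n = 0;
        while (*p && *p != ',') {           /* value up to unescaped ',' */
            char c = *p;
            if (c == '\\' && p[1]) { p++; c = *p; }
            if (is_cn) {
                if (n + 1 >= cn_len) return 0;
                cn[n++] = c;
            }
            p++;
        }
        if (is_cn) {
            while (n && cn[n - 1] == ' ') n--;
            cn[n] = '\0';
            return n > 0;
        }
        if (*p == ',') p++;
    }
    return 0;
}

struct user_group { const char *user; const char *group; };

/* Constructed sample table; a real backend would load it from a file or
 * a database. The group names are what rightgroups= in ipsec.conf sees. */
static const struct user_group table[] = {
    { "alice", "sales" },
    { "bob",   "engineering" },
    { "carol", "sales" },
};

/* Group for the CN of a DN, or NULL if unknown: deny by default, the
 * caller should fail the XAuth round instead of continuing groupless. */
const char *group_for_dn(const char *dn)
{
    char cn[MAX_CN];
    if (!dn_get_cn(dn, cn, sizeof(cn))) return NULL;
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        if (strcmp(table[i].user, cn) == 0) return table[i].group;
    }
    return NULL;
}

int main(void)
{
    const char *dns[] = {
        "C=CH, O=strongSwan, CN=alice",
        "C=CH, O=strongSwan, CN=mallory",
        "CN=bob, OU=Eng, O=Acme\\, Inc.",
    };
    for (size_t i = 0; i < sizeof(dns) / sizeof(dns[0]); i++) {
        const char *g = group_for_dn(dns[i]);
        printf("%-36s -> %s\n", dns[i], g ? g : "(no group, reject)");
    }
    return 0;
}
```

The match is exact and case-sensitive because the CN is meant to carry a user identifier. Keying the table on the CN alone means two certificates with the same CN from different issuers map to the same group, so a backend that accepts more than one CA should key on the full subject DN or also check the issuer before trusting the CN.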