[strongSwan] EAP Radius
Raoul Duke
rduke496 at gmail.com
Wed Nov 13 15:00:31 CET 2013
Hi,
I'm trying to configure EAP RADIUS to give out different IP ranges for
different user groups. I am using IOS (ikev1) clients.
My eap-radius config (in strongswan.conf) is verbatim:
http://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
This is my ipsec.conf
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    ....
    rightauth=pubkey
    rightauth2=xauth-radius
    rightgroups="sales at strongswan.org, finance at strongswan.org"
When I comment out the "rightgroups" it correctly authenticates the xauth
username against RADIUS. Great.
When I add the rightgroups I see this in the log:
constraint check failed: group membership to 'O=strongswan, OU=research' required
That seems reasonable but.
I have 2 questions:
1] I don't see a failed auth in the RADIUS logs in the latter case. But I
do (say) when I provide an incorrect xauth password. This suggests to me
that it isn't even going to RADIUS when I added the
"rightgroups" constraint. Is there anything wrong with my config?
2] looking at the source code of the eap_radius plugin I can see it gets
the group from the class attribute in the RADIUS reply. I know this isn't
a FreeRADIUS forum but does anyone know a simple way for me to configure a
(non SQL / LDAP) freeradius user which returns a "Class" in the reply?
Thanks.
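
The group lookup mentioned in question 2, as an added example that is not part of the original post and is not strongSwan's code: a small parser that pulls Class attributes (type 25, RFC 2865) out of an Access-Accept and compares them with a rightgroups-style list. The packet, the plain group names (sales, finance, research) and the rule that one matching group is enough are assumptions made for the illustration; the response authenticator is not verified here.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # Class attribute type (RFC 2865, section 5.25)


def build_access_accept(identifier, classes):
    """Construct a sample Access-Accept with Class attributes (test data only)."""
    attrs = b"".join(bytes([ATTR_CLASS, 2 + len(c)]) + c for c in classes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs  # zeroed authenticator: constructed


def class_values(packet):
    """Return every Class attribute value, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    values, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns packet")
        if attr_type == ATTR_CLASS:
            values.append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return values


def satisfies_groups(packet, required):
    """True if an Access-Accept carries a Class equal to one required group."""
    wanted = {g.strip().encode() for g in required.split(",") if g.strip()}
    values = class_values(packet)
    if packet[0] != ACCESS_ACCEPT:
        return False
    return any(v in wanted for v in values)


if __name__ == "__main__":
    pkt = build_access_accept(7, [b"sales"])  # constructed sample reply
    print(class_values(pkt), satisfies_groups(pkt, "sales, finance"))
```

A reply with no Class attribute yields an empty list, so any group constraint fails even though the password check succeeded.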