[strongSwan] EAP Radius

Martin Willi martin at strongswan.org
Wed Nov 13 16:27:14 CET 2013


Hi,

> 1] I don't see a failed auth in the RADIUS logs in the latter case. But I
> do (say) when I provide an incorrect xauth password.  This suggests to me
> that it isn't even going to RADIUS when I added the
> "rightgroups" constraint.  Is there anything wrong with my config?

I don't have any logs, but this is the usual behavior. Authentication
succeeds, after that the daemon checks if the connection is acceptable
for the authenticated user. This is not the case here because of the
missing group membership, and the connection is not permitted for that
authenticated user.

If you have additional configs that match, the daemon checks if the user
fulfills all criteria in any of these connections. If this is the case,
an alternative connection gets selected.

> 2] looking at the source code of the eap_radius plugin I can see it gets
> the group from the class attribute in the RADIUS reply.  I know this isn't
> a FreeRADIUS forum but does anyone know a simple way for me to configure a
> (non SQL / LDAP) freeradius user which returns a "Class" in the reply.

You may try to set the "Class" attribute for specific users in the
FreeRADIUS users file, but there are certainly better ways I'm not aware
of.

Regards
Martin
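
The following configuration sketch is an added example, not part of the original message or of the strongSwan project's documentation: it shows a FreeRADIUS users-file entry that returns a "Class" reply attribute next to the strongSwan settings that would consume it as a group. The user name, password, group name and connection name are constructed, file locations vary by version, and it assumes the eap-radius plugin's class_group option is available in the installed release.

```conf
# --- FreeRADIUS users file (raddb/users, or mods-config/files/authorize
# --- in FreeRADIUS 3.x) ---
# Constructed test user. The first line holds the check item, the indented
# line holds the reply item sent back in the Access-Accept.
alice   Cleartext-Password := "constructed-password"
        Class = "vpnusers"

# --- strongswan.conf ---
# Tell the eap-radius plugin to treat the Class attribute from the
# Access-Accept as group membership information.
charon {
    plugins {
        eap-radius {
            class_group = yes
        }
    }
}

# --- ipsec.conf ---
# Constructed connection name. Only the group constraint is shown; the
# existing authentication settings of the connection stay as they are.
conn rw-vpnusers
    rightgroups=vpnusers
```

A user whose Access-Accept carries no matching Class value still authenticates successfully at the RADIUS server, so the rejection appears only in the strongSwan daemon log, as the reply above describes.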




