[strongSwan] EAP Radius

Raoul Duke rduke496 at gmail.com
Wed Nov 13 17:08:28 CET 2013


On Wed, Nov 13, 2013 at 3:27 PM, Martin Willi <martin at strongswan.org> wrote:
>
> Hi,
>
> > 1] I don't see a failed auth in the RADIUS logs in the latter case. But I
> > do (say) when I provide an incorrect xauth password.  This suggests to me
> > that it isn't even going to RADIUS when I added the
> > "rightgroups" constraint.  Is there anything wrong with my config?
>
> I don't have any logs, but this is the usual behavior. Authentication
> succeeds, after that the daemon checks if the connection is acceptable
> for the authenticated user. This is not the case here because of the
> missing group membership, and the connection is not permitted for that
> authenticated user.
>
> If you have additional configs that match, the daemon checks if the user
> fulfills all criteria in any of these connections. If this is the case,
> an alternative connection gets selected.

I don't follow - my understanding was the rightgroups constraint would
require a RADIUS check to determine the group.  So if I don't see a
RADIUS auth attempt when I add "rightgroups" then how could it ever
determine the group to know if it would match?

Thanks.
