[strongSwan] Differentiation between connections in radius access requests

Shawn Asmussen shawn.asmussen at gmail.com
Wed Jan 21 20:06:33 CET 2015

I'm in a situation where we need to support multiple connection types, and
use a radius backend server for user authentication. However, not all users
in the radius database are allowed to connect to all connection types. For
the protocols that we support that are not handled through strongSwan, we
are differentiating between the protocols by the use of the virtual servers
within our Freeradius configuration. There is one radius server, but it
applies a different policy based on which IP address the radius access
request was received on.

With the two types we support using strongSwan ("Cisco IPSec", and IKEv2),
we are trying to determine how the radius server can tell which one of the
connection types is being made so that it can apply the appropriate policy.
As far as I can tell, with strongSwan, I have to set the radius server
within the eap-radius.conf file, and that radius server will be used for
all conn sections that are configured to use radius.

So, my first question is if there is a way that I am overlooking to
configure strongSwan to use a particular IP address for the radius server
in one conn section, but a different IP address for another conn section.

If that is not possible, then is there any way to set some sort of
attributes to be sent in the radius access request that the Freeradius
policy can use to tell which connection type is being attempted.

If neither of those approaches is possible, does anybody have any other
suggestions on how to allow Freeradius to apply different policies
depending on which conn section strongSwan is using to handle any given

Thank you,

Shawn Asmussen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150121/a99d8f43/attachment.html>

More information about the Users mailing list