[strongSwan] fallback to local secrets when RADIUS server unavailable

Dmitry Soloshenko soloshenkod at gmail.com
Mon Dec 3 13:43:43 CET 2018


Hello,

I'm using strongSwan for remote user access to server infrastructure on
a remote site. Currently I'm using eap-radius authentication with Windows
NPS and it works fine. The right auth part of the conn config:

      right=%any
      rightauth=eap-radius
      rightsendcert=never
      eap_identity=%identity

I would like to have the possibility to authenticate technical support
users with local secrets (i.e. rightauth=eap-mschapv2) in case of RADIUS
server unavailability. Is there a way to have 2 auth methods
simultaneously for right=%any anyhow? Or maybe some fallback mechanism?

Now the only way I see is to have a separate public IP on the external
strongSwan interface and have another conn section for this IP. It does
not seem a very straightforward solution.

As an example, on a Cisco router I would create 2 access groups and have 2
profiles on the Cisco VPN client: one for local auth, one for RADIUS.

Any thoughts? Technical support clients are mostly the Windows built-in VPN.

--
Best regards,
Dmitry Soloshenko
