[strongSwan] fallback to local secrets when RADIUS server unavailable

Tobias Brunner tobias at strongswan.org
Tue Dec 4 12:01:22 CET 2018


Hi Dmitry,

> I would like to have a possibility to authenticate technical support
> users with local secrets (i.e. rightauth=eap-mschapv2) in case of RADIUS
> server unavailability. Is there a way to have 2 auth methods
> simultaneously for right=%any anyhow? Or maybe some fallback mechanism?

No, that's currently not possible.  But you may configure multiple
RADIUS servers (see [1], they can also be updated at runtime), or a
separate connection that uses local credentials.

> Now I see the only way is to have separate public IP on external
> Strongswan interface and have another conn section for this IP. It seems
> not very straightforward solution.

Identities are another way to select different connections, but require
that the client sends the requested server identity or a useful client
identity.  Another option is to use different authentication settings,
e.g. certificates instead of EAP.

> As an example, on Cisco router I would create 2 access groups and have 2
> profiles on Cisco VPN client: one for local auth, one for RADIUS.

And how/when does it switch between the two?

> Any thoughts? Technical support clients are mostly Windows built-in VPN.

That's bad, because that client neither sends a remote identity (IDr is
never sent), nor any useful client identity (IDi, which just contained
the private IP address at one time when EAP was used, but that might
depend on the Windows version).  So with such clients your options are
limited, I'm afraid (using machine certificates, i.e. not EAP-TLS, would
work though).

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Multiple-servers
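As an added example (not from this thread or the strongSwan project), the two options above written out: a strongswan.conf eap-radius section with two RADIUS servers that charon fails over between, and a swanctl.conf with the normal RADIUS connection plus a separate support connection that uses local EAP-MSCHAPv2 secrets and is selected by the server identity (IDr) the client requests. All addresses, identities, certificate names and secrets are placeholders; a client that never sends IDr (such as the Windows built-in client mentioned above) will always land on the default connection.

```conf
# --- strongswan.conf (placeholder addresses and secrets) ---
charon {
    plugins {
        eap-radius {
            servers {
                # higher preference is tried first; charon moves to the
                # next server when this one does not respond
                primary {
                    address = 192.0.2.10
                    secret = PLACEHOLDER_PRIMARY_SECRET
                    preference = 10
                }
                secondary {
                    address = 192.0.2.11
                    secret = PLACEHOLDER_SECONDARY_SECRET
                    preference = 5
                }
            }
        }
    }
}

# --- swanctl.conf (placeholder identities and certificate) ---
connections {
    # default connection for regular users: EAP relayed to RADIUS
    users {
        version = 2
        local {
            auth = pubkey
            certs = vpn-server.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-radius
            id = %any
        }
        children { net { local_ts = 0.0.0.0/0 } }
    }
    # support connection: chosen only when the client requests this IDr,
    # authenticated against the local secrets below, no RADIUS involved
    support {
        version = 2
        local {
            auth = pubkey
            certs = vpn-server.pem
            id = support.example.org
        }
        remote {
            auth = eap-mschapv2
            id = %any
        }
        children { net { local_ts = 0.0.0.0/0 } }
    }
}
secrets {
    eap-support1 { id = support1  secret = PLACEHOLDER_EAP_SECRET }
}
```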
