[strongSwan] fallback to local secrets when RADIUS server unavailable
Dmitry Soloshenko
soloshenkod at gmail.com
Tue Dec 4 14:09:36 CET 2018
Hello, Tobias.
Thank you for the response.
>> As an example, on a Cisco router I would create 2 access groups and have 2
>> profiles on the Cisco VPN client: one for local auth, one for RADIUS.
> And how/when does it switch between the two?
In the Cisco VPN client, the access group name is specified in the profile
settings, and this name is sent to the VPN server during connection. The user
selects a specific profile to connect to the VPN server.
For different access groups there are separate sections in the config on the
VPN server, so one can specify different auth methods.
>> Any thoughts? Technical support clients are mostly Windows built-in VPN.
> That's bad, because that client neither sends a remote identity (IDr is
> never sent), nor any useful client identity (IDi, which just contained
> the private IP address at one time when EAP was used, but that might
> depend on the Windows version). So with such clients your options are
> limited, I'm afraid (using machine certificates, i.e. not EAP-TLS, would
> work though).
Ok, I think I may try machine certificates.
--
Best regards,
Dmitry Soloshenko