[strongSwan] fallback to local secrets when RADIUS server unavailable

Michael Schwartzkopff ms at sys4.de
Tue Dec 4 14:12:26 CET 2018


On 04.12.18 at 14:09, Dmitry Soloshenko wrote:
> Hello, Tobias.
>
> Thank you for the response.
>
>>> As an example, on Cisco router I would create 2 access groups and have 2
>>> profiles on Cisco VPN client: one for local auth, one for RADIUS.
>> And how/when does it switch between the two?
> In the Cisco VPN client, the access group name is specified in the profile
> settings and this name is sent to the VPN server during connection. The user
> selects a specific profile to connect to the VPN server.
> For different access groups there are separate sections in the config on
> the VPN server, so one can specify different auth methods.

You can configure this with policies in the FreeRADIUS server.


>>> Any thoughts? Technical support clients are mostly Windows built-in
>>> VPN.
>> That's bad, because that client neither sends a remote identity (IDr is
>> never sent), nor any useful client identity (IDi, which just contained
>> the private IP address at one time when EAP was used, but that might
>> depend on the Windows version).  So with such clients your options are
>> limited, I'm afraid (using machine certificates, i.e. not EAP-TLS, would
>> work though).
> Ok, I think I may try machine certificates.
>

FreeRADIUS is very configurable. You can set up policies that trigger if
certain conditions hold.


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

