[strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?
tobias at strongswan.org
Wed Feb 28 09:41:15 CET 2018
>>> So I then tried user certs to select on EAP identity in the user
>>> cert. Set that up then finally found a couple of emails/sites that
>>> said strongswan can't switch conns based on identity.
>> That's not entirely true. If you delegate the authentication to a
>> RADIUS server it can send back class attributes that strongSwan can
>> use to select configs (via rightgroups=<class>). That makes it easy
>> to use different configs for multiple groups of users.
>> But even without RADIUS you can match configs against EAP identities.
>> It requires a dummy config that requests the EAP identities from the
>> clients, though. Let's say you have two clients, one is
>> trevor at foo.com and one is carol at foo.com, then you may configure the
> That's even better! Great idea. I sure did a lot of searching and I
> never found mention of that rightgroups trick. I just set it up and it
> works! I had to add one more thing, though (for others reading this),
> you have to add rightgroups= (i.e. blank) on the final matching conn
> (i.e. eap-tls-trevor) or it will never match either.
That probably depends on which connection you include with the also
keyword. In my example only the eap-tls-init connection has rightgroups
set, which is not included in the other two connections (they include
the eap-tls-shared connection, which eap-tls-init also includes). If
you define rightgroups in the shared connection or in conn %default you
do have to clear it in the "end" connections.
> eap_identity doesn't seem to allow wildcards (does it?) so I'll need a
> conn for every single user. I was hoping to group them with
> wildcards, like email@example.com and
Wildcards are supported, but wildcards like above are currently not
supported by strongSwan at all. In email addresses you can only match
domains, i.e. what would work is something like *@roadwarrior.foo.com
> My only other concern is now I have the exact same rightsourceip range
> set in multiple conn stanzas (i.e. rightsourceip=10.1.1.0/24). I'm
> hoping strongswan will lump identical rightsourceip's all together so
> the first connection hitting eap-tls-trevor-roadwarrior gets, say,
> 10.1.1.1, and eap-tls-carol-roadwarrior (connecting while trevor is
> still connected) gets 10.1.1.2 (and not 10.1.1.1!). i.e. the
> rightsourceip ranges are considered/assigned globally, not per conn
Yes, the pools are merged (provided they are exactly the same in all the
connections, no matter if defined directly or included via also keyword
or conn %default).
> Is there a way to donate a modest amount to the project or to you
> personally? You (and a few others) provide the best support I think
> I've ever seen for an open source project. No small feat seeing as how
> it's an insanely complex piece of software.
Thanks. We have a Bitcoin donation button on wiki.strongswan.org, but
that is currently defunct. Maybe we can get that up again soon.
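An added ipsec.conf sketch of the three-connection layout discussed above (a constructed illustration, not the configuration from Tobias's original message); the gateway identity, file names, the placeholder group name and the reason given for it are assumptions:

```ini
# ipsec.conf (constructed example, not from the original message)

# Common settings shared by all EAP-TLS road-warrior connections.
conn eap-tls-shared
    keyexchange=ikev2
    left=%any
    leftcert=gatewayCert.pem          # assumed file name
    leftid=vpn.foo.com                # assumed gateway identity
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-tls
    rightsourceip=10.1.1.0/24         # identical in every conn -> one merged pool
    auto=add

# Dummy connection: selected first for any client and asks for the
# EAP identity. The group name is a placeholder no client belongs to
# (assumed purpose: make this conn fail the final match so charon
# switches to the conn whose eap_identity matches instead).
conn eap-tls-init
    also=eap-tls-shared
    eap_identity=%identity
    rightgroups=no-client-has-this-group

# Per-user connections. They include eap-tls-shared only, not
# eap-tls-init, so no rightgroups value is inherited here and nothing
# needs to be cleared with rightgroups= in these conns.
conn eap-tls-trevor
    also=eap-tls-shared
    eap_identity=trevor@foo.com
    # per-user settings (e.g. a narrower leftsubnet) go here

conn eap-tls-carol
    also=eap-tls-shared
    eap_identity=carol@foo.com
```

Because rightsourceip is byte-for-byte the same in every conn that includes eap-tls-shared, the pools are merged and trevor and carol are handed distinct addresses from the one 10.1.1.0/24 pool.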