[strongSwan] fallback to local secrets when RADIUS server unavailable

Dmitry Soloshenko soloshenkod at gmail.com
Thu Jun 21 14:01:11 CEST 2018


Hello,

I'm using strongSwan for remote user access to server infrastructure on 
a remote site. Currently I'm using eap-radius authentication with Windows 
NPS and it works fine. The right auth part of the conn config:

     right=%any
     rightauth=eap-radius
     rightsendcert=never
     eap_identity=%identity

I would like to have the possibility to authenticate technical support 
users with local secrets (i.e. rightauth=eap-mschapv2) in case the RADIUS 
server is unavailable. Is there a way to have 2 auth methods 
simultaneously for right=%any somehow? Or maybe some fallback mechanism?

Right now the only way I see is to have a separate public IP on the external 
strongSwan interface and have another conn section for this IP. It does not 
seem a very straightforward solution.

As an example, on a Cisco router I would create 2 access groups and have 2 
profiles on the Cisco VPN client: one for local auth, one for RADIUS.

Any thoughts? Technical support clients are mostly the Windows built-in VPN.

--
Best regards,
Dmitry Soloshenko


