[strongSwan] Ikev2 wildcards with MacOs clients

Matthieu Nantern matthieu.nantern at margo.com
Thu Oct 4 17:41:13 CEST 2018

Is it possible to have multiple email addresses in the "rightid" parameter?
Maybe I can list all authorized users for each server instead of relying on
Distinguished Names?

On Wed, Oct 3, 2018 at 08:42, Matthieu Nantern <matthieu.nantern at margo.com>
wrote:

> Hi!
> I installed StrongSwan to allow my users (mainly MacOs X clients) to use
> the native ikev2 authentication. Everything is working fine.
> Now I would like to implement something like that:
> https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
> ; allowing some clients to access some network and not the others.
> Unfortunately I didn't see (or understand) the issue on that page (
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):
>    - ASN.1 Distinguished Names can't be used as identities because the
>    client currently sends them as identities of type FQDN.
> As a result when I put rightid in my configuration it's not working
> because MacOsX is only sending a fqdn (an email address in my case) and not
> the Distinguished Name.
> My question is how can I allow (or deny) some network to some user?
> I have a file that associates email addresses to "role" but I don't know how
> to use it. Maybe a plugin?
> Any ideas/links?
> Thank you!
> --
> Matthieu Nantern


Matthieu Nantern
SRE, Margo Bank