[strongSwan] Specifying RADIUS attributes per-connection?
bts at square-r00t.net
Mon Aug 12 16:02:35 CEST 2019
On 8/12/19 9:55 AM, Tobias Brunner wrote:
> Hi Brent,
>> 1.) The named connection that listens (and serves as a tunneled gateway)
>> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
>> and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
>> so they get detected as unique NAS addresses. 203.0.113.2 should not
>> route through 203.0.113.1 to the RADIUS server, and vice versa. This is
>> to ensure that the correct NAS (and therefore the correct set of
>> authentications) can be detected by RADIUS.
> Can't you just use the appropriate attribute(s) in the requests from
> strongSwan to make that distinction?
*Maybe*. I'd need to check if the authentication backend module I'm
using in RADIUS would allow me to do that (and without breaking RADIUS
for other services), but it's a good idea. It just feels strange to
rewrite the NAS Identifier with.... what would that even be, the Called
Station ID attribute?
GPG info: https://square-r00t.net/gpg-info
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 899 bytes
Desc: OpenPGP digital signature
More information about the Users