[strongSwan] Specifying RADIUS attributes per-connection?

brent s. bts at square-r00t.net
Mon Aug 12 16:02:35 CEST 2019


On 8/12/19 9:55 AM, Tobias Brunner wrote:
> Hi Brent,
> 
>> 1.) The named connection that listens (and serves as a tunneled gateway)
>> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
>> and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
>> so they get detected as unique NAS addresses. 203.0.113.2 should not
>> route through 203.0.113.1 to the RADIUS server, and vice versa. This is
>> to ensure that the correct NAS (and therefore the correct set of
>> authentications) can be detected by RADIUS.
> 
> Can't you just use the appropriate attribute(s) in the requests from
> strongSwan to make that distinction?
> 
> Regards,
> Tobias
> 

Thanks Tobias-

*Maybe*. I'd need to check if the authentication backend module I'm
using in RADIUS would allow me to do that (and without breaking RADIUS
for other services), but it's a good idea. It just feels strange to
rewrite the NAS Identifier with... what would that even be, the Called
Station ID attribute?


-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
