[strongSwan] Specifying RADIUS attributes per-connection?

Michael Schwartzkopff ms at sys4.de
Mon Aug 12 16:28:52 CEST 2019

Am 12.08.19 um 16:02 schrieb brent s.:
> On 8/12/19 9:55 AM, Tobias Brunner wrote:
>> Hi Brent,
>>> 1.) The named connection that listens (and serves as a tunneled gateway)
>>> on should route through to the RADIUS server,
>>> and should route through to the RADIUS server,
>>> so they get detected as unique NAS addresses. should not
>>> route through to the RADIUS server, and vice versa. This is
>>> to ensure that the correct NAS (and therefore the correct set of
>>> authentications) can be detected by RADIUS.
>> Can't you just use the appropriate attribute(s) in the requests from
>> strongSwan to make that distinction?
>> Regards,
>> Tobias
> Thanks Tobias-
> *Maybe*. I'd need to check if the authentication backend module I'm
> using in RADIUS would allow me to do that (and without breathe king RADIUS
> for other services), but it's a good idea. It just feels strange to
> rewrite the NAS Identifier with.... what would that even be, the Called
> Station ID attribute?

Your should be able to run RADIUS in debug mode. Than the RADIUS server
logs all Attributes.

Inside the EAP tunnel there should be visible a lot of attributes.

At least FreeRADIUS offers a lot of possibilities for return attributes.

Mit freundlichen Grüßen,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190812/f5ae257d/attachment.sig>

More information about the Users mailing list