[strongSwan] Specifying RADIUS attributes per-connection?
Michael Schwartzkopff
ms at sys4.de
Mon Aug 12 16:28:52 CEST 2019
Am 12.08.19 um 16:02 schrieb brent s.:
> On 8/12/19 9:55 AM, Tobias Brunner wrote:
>> Hi Brent,
>>
>>> 1.) The named connection that listens (and serves as a tunneled gateway)
>>> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
>>> and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
>>> so they get detected as unique NAS addresses. 203.0.113.2 should not
>>> route through 203.0.113.1 to the RADIUS server, and vice versa. This is
>>> to ensure that the correct NAS (and therefore the correct set of
>>> authentications) can be detected by RADIUS.
>> Can't you just use the appropriate attribute(s) in the requests from
>> strongSwan to make that distinction?
>>
>> Regards,
>> Tobias
>>
> Thanks Tobias-
>
> *Maybe*. I'd need to check if the authentication backend module I'm
> using in RADIUS would allow me to do that (and without breathe king RADIUS
> for other services), but it's a good idea. It just feels strange to
> rewrite the NAS Identifier with.... what would that even be, the Called
> Station ID attribute?
>
>
Your should be able to run RADIUS in debug mode. Than the RADIUS server
logs all Attributes.
Inside the EAP tunnel there should be visible a lot of attributes.
At least FreeRADIUS offers a lot of possibilities for return attributes.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190812/f5ae257d/attachment.sig>
More information about the Users
mailing list