[strongSwan] Specifying RADIUS attributes per-connection?

brent s. bts at square-r00t.net
Mon Jul 29 05:35:46 CEST 2019


Hello, all-

I'm trying to work my head around this and hopefully someone might have
some answers. It's admittedly a little weird, but oughtn't be for a
tunnel gateway in theory.

A caveat: I'm using swanctl.conf for configuration.

Let's say server "foo.domain.tld" has two publicly-routable IP
addresses, 203.0.113.1 and 203.0.113.2 (not real IPs, obviously[0]).

Now, Strongswan is configured to authenticate against RADIUS (and pass
accounting, as well) via eap-radius. That's all well and good...

Except for authentication reasons, I want to ensure that 203.0.113.1
gets treated as a totally different NAS[1] from 203.0.113.2.
This means:

1.) The named connection that listens (and serves as a tunneled gateway)
on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
so they get detected as unique NAS addresses. 203.0.113.2 should not
route through 203.0.113.1 to the RADIUS server, and vice versa. This is
to ensure that the correct NAS (and therefore the correct set of
authentications) can be detected by RADIUS.

2.) 203.0.113.1 should have a NAS client secret that is different from
203.0.113.2.

Now, I know I can set different RADIUS servers via a *pool* in
eap-radius.conf. But I don't see a way to specify which interface or
address to *route through* in the configuration *when performing the
RADIUS authentication*, per *connection config*, and I don't even see a
way to specify multiple NAS client secrets ("eap-radius { secret = }"),
specifically a client secret per connection profile
("connection { ... }").

Thoughts?



[0] https://tools.ietf.org/html/rfc5737
[1] https://en.wikipedia.org/wiki/Network_access_server
-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
