[strongSwan] Specifying RADIUS attributes per-connection?

brent s. bts at square-r00t.net
Mon Jul 29 05:35:46 CEST 2019

Hello, all-

I'm trying to work my head around this and hopefully someone might have
some answers. It's admittedly a little weird, but oughtn't be for a
tunnel gateway in theory.

A caveat: I'm using swanctl.conf for configuration.

Let's say server "foo.domain.tld" has two publicly-routable IP
addresses, and (not real IPs, obviously[0]).

Now, strongSwan is configured to authenticate against RADIUS (and pass
accounting, as well) via eap-radius. That's all well and good...

Except for authentication reasons, I want to ensure that
gets treated as a totally different NAS[1] as
This means:

1.) The named connection that listens (and serves as a tunneled gateway)
on should route through to the RADIUS server,
and should route through to the RADIUS server,
so they get detected as unique NAS addresses. should not
route through to the RADIUS server, and vice versa. This is
to ensure that the correct NAS (and therefore the correct set of
authentications) can be detected by RADIUS.

2.) should have a NAS client secret that is different from

Now, I know I can set different RADIUS servers via a *pool* in
eap-radius.conf. But I don't see a way to specify which interface or
address to *route through* in the configuration *when performing the
RADIUS authentication*, per *connection config*, and I don't even see a
way to specify multiple NAS client secrets ("eap-radius { secret = }"),
specifically a client secret per connection profile
("connection { ... }").


[0] https://tools.ietf.org/html/rfc5737
[1] https://en.wikipedia.org/wiki/Network_access_server
brent saner
GPG info: https://square-r00t.net/gpg-info
