[strongSwan] Specifying RADIUS attributes per-connection?

Noel Kuntze noel.kuntze at thermi.consulting
Mon Jul 29 06:09:56 CEST 2019

Hello Brent,

strongSwan can't do that. Run a local RADIUS server as a proxy and use that to send the requests to your other ones.

Kind regards


On 29.07.19 at 05:35, brent s. wrote:
> Hello, all-
> I'm trying to work my head around this and hopefully someone might have
> some answers. It's admittedly a little weird, but oughtn't be for a
> tunnel gateway in theory.
> A caveat: I'm using swanctl.conf for configuration.
> Let's say server "foo.domain.tld" has two publicly-routable IP
> addresses, and (not real IPs, obviously[0]).
> Now, strongSwan is configured to authenticate against RADIUS (and pass
> accounting, as well) via eap-radius. That's all well and good...
> Except for authentication reasons, I want to ensure that
> gets treated as a totally different NAS[1] as
> This means:
> 1.) The named connection that listens (and serves as a tunneled gateway)
> on should route through to the RADIUS server,
> and should route through to the RADIUS server,
> so they get detected as unique NAS addresses. should not
> route through to the RADIUS server, and vice versa. This is
> to ensure that the correct NAS (and therefore the correct set of
> authentications) can be detected by RADIUS.
> 2.) should have a NAS client secret that is different from
> Now, I know I can set different RADIUS servers via a *pool* in
> eap-radius.conf. But I don't see a way to specify which interface or
> address to *route through* in the configuration *when performing the
> RADIUS authentication*, per *connection config*, and I don't even see a
> way to specify multiple NAS client secrets ( " eap-radius { secret = }"
> ), specifically a client secret per connection profile
> ( "connection { ... }" ).
> Thoughts?
> [0] https://tools.ietf.org/html/rfc5737
> [1] https://en.wikipedia.org/wiki/Network_access_server

Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
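
Added example (not part of the original thread, and not strongSwan or RADIUS-server code): a Python sketch of what the local proxy suggested above does with each EAP Access-Request. It verifies the request against the one secret the gateway knows, then rewrites NAS-IP-Address and re-signs Message-Authenticator with a per-NAS secret. The addresses, secrets and function names are constructed, and choosing the upstream by the local address in Called-Station-Id is an assumption about what the gateway sends.

```python
import hashlib, hmac, os, socket, struct

MSG_AUTH, NAS_IP, CALLED_ID = 80, 4, 30  # RADIUS attribute type numbers
LOCAL_SECRET = b"gateway-to-proxy"       # constructed: the one secret the gateway is given
UPSTREAM = {                             # constructed: local address -> NAS identity + secret
    "192.0.2.10": {"nas_ip": "192.0.2.10", "secret": b"secret-nas-a"},
    "198.51.100.10": {"nas_ip": "198.51.100.10", "secret": b"secret-nas-b"},
}

def parse(pkt):
    """Return the 20-byte header and a list of [type, value] attributes."""
    length, attrs, i = struct.unpack("!H", pkt[2:4])[0], [], 20
    if not 20 <= length <= len(pkt):
        raise ValueError("bad length field")
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append([pkt[i], pkt[i + 2:i + pkt[i + 1]]])
        i += pkt[i + 1]
    return pkt[:20], attrs

def serialise(header, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return header[:2] + struct.pack("!H", 20 + len(body)) + header[4:] + body

def sign(header, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    zeroed = [[t, bytes(16) if t == MSG_AUTH else v] for t, v in attrs]
    return hmac.new(secret, serialise(header, zeroed), hashlib.md5).digest()

def proxy(pkt):
    """Verify with the local secret, then rewrite and re-sign for the chosen NAS."""
    header, attrs = parse(pkt)
    mac = next((v for t, v in attrs if t == MSG_AUTH), b"")
    if not hmac.compare_digest(mac, sign(header, attrs, LOCAL_SECRET)):
        raise ValueError("bad Message-Authenticator")
    called = next((v for t, v in attrs if t == CALLED_ID), b"").decode()
    up = UPSTREAM[called.split("[")[0]]  # KeyError: unknown local address, drop it
    attrs = [a for a in attrs if a[0] != NAS_IP] + [[NAS_IP, socket.inet_aton(up["nas_ip"])]]
    mac = sign(header, attrs, up["secret"])
    return up["nas_ip"], serialise(header, [[t, mac if t == MSG_AUTH else v] for t, v in attrs])

def sample_request(called, secret=LOCAL_SECRET):
    """Constructed EAP Access-Request; the EAP payload is an identity response."""
    header = bytes([1, 7, 0, 0]) + os.urandom(16)
    attrs = [[1, b"alice"], [NAS_IP, bytes(4)], [CALLED_ID, called.encode()],
             [79, b"\x02\x00\x00\x0a\x01alice"], [MSG_AUTH, bytes(16)]]
    attrs[-1][1] = sign(header, attrs, secret)
    return serialise(header, attrs)
```

A real proxy also has to verify and re-sign the replies on the way back, and send each upstream request from the matching source address so the RADIUS server sees two distinct NAS clients.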
