[strongSwan] Specifying RADIUS attributes per-connection?

Noel Kuntze noel.kuntze at thermi.consulting
Mon Jul 29 06:09:56 CEST 2019


Hello Brent,

strongSwan can't do that. Run a local RADIUS server as a proxy and use that to send the requests to your other ones.

Kind regards

Noel

On 29.07.19 at 05:35, brent s. wrote:
> Hello, all-
>
> I'm trying to work my head around this and hopefully someone might have
> some answers. It's admittedly a little weird, but oughtn't be for a
> tunnel gateway in theory.
>
> A caveat: I'm using swanctl.conf for configuration.
>
> Let's say server "foo.domain.tld" has two publicly-routable IP
> addresses, 203.0.113.1 and 203.0.113.2 (not real IPs, obviously[0]).
>
> Now, Strongswan is configured to authenticate against RADIUS (and pass
> accounting, as well) via eap-radius. That's all well and good...
>
> Except for authentication reasons, I want to ensure that 203.0.113.1
> gets treated as a totally different NAS[1] from 203.0.113.2.
> This means:
>
> 1.) The named connection that listens (and serves as a tunneled gateway)
> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
> and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
> so they get detected as unique NAS addresses. 203.0.113.2 should not
> route through 203.0.113.1 to the RADIUS server, and vice versa. This is
> to ensure that the correct NAS (and therefore the correct set of
> authentications) can be detected by RADIUS.
>
> 2.) 203.0.113.1 should have a NAS client secret that is different from
> 203.0.113.2.
>
> Now, I know I can set different RADIUS servers via a *pool* in
> eap-radius.conf. But I don't see a way to specify which interface or
> address to *route through* in the configuration *when performing the
> RADIUS authentication*, per *connection config*, and I don't even see a
> way to specify multiple NAS client secrets ("eap-radius { secret = }"),
> specifically a client secret per connection profile
> ("connection { ... }").
>
> Thoughts?
>
>
>
> [0] https://tools.ietf.org/html/rfc5737
> [1] https://en.wikipedia.org/wiki/Network_access_server

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
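One way to build the local proxy Noel suggests, as an added example that is not from this thread: a FreeRADIUS 3 front end on the gateway host that forwards each request from the gateway address the client connected to, with a different shared secret per address, so the upstream RADIUS server sees two distinct NAS clients. It assumes FreeRADIUS 3 configuration syntax, a placeholder upstream server 198.51.100.10, placeholder secrets, and that strongSwan's eap-radius sets Called-Station-Id to the gateway address it was reached on (confirm in `radiusd -X` output before relying on it).

```conf
# --- proxy.conf: one home_server per gateway address ---
# src_ipaddr is the source address the proxy sends from; the upstream
# server matches its client entry (and secret) on that address.
home_server nas1_auth {
    type       = auth
    ipaddr     = 198.51.100.10        # placeholder: real RADIUS server
    port       = 1812
    src_ipaddr = 203.0.113.1
    secret     = SECRET_FOR_NAS1      # placeholder
}
home_server nas2_auth {
    type       = auth
    ipaddr     = 198.51.100.10
    port       = 1812
    src_ipaddr = 203.0.113.2
    secret     = SECRET_FOR_NAS2      # placeholder
}
home_server_pool nas1_pool {
    type        = fail-over
    home_server = nas1_auth
}
home_server_pool nas2_pool {
    type        = fail-over
    home_server = nas2_auth
}
realm nas1 {
    auth_pool = nas1_pool
}
realm nas2 {
    auth_pool = nas2_pool
}

# --- clients.conf: strongSwan talks only to the local proxy ---
client strongswan_local {
    ipaddr = 127.0.0.1
    secret = LOCAL_PROXY_SECRET       # placeholder; same value in eap-radius.conf
}

# --- sites-enabled/default, authorize section (before the eap module) ---
# Choose the realm from the gateway address the client reached
# (assumed to arrive in Called-Station-Id); unmatched requests are not proxied.
authorize {
    if (Called-Station-Id == "203.0.113.1") {
        update control {
            Proxy-To-Realm := "nas1"
        }
    }
    elsif (Called-Station-Id == "203.0.113.2") {
        update control {
            Proxy-To-Realm := "nas2"
        }
    }
    eap
}
```

strongSwan's eap-radius.conf then points at `server = 127.0.0.1` with `secret = LOCAL_PROXY_SECRET`; accounting is handled the same way by adding `type = acct` home servers on port 1813 with the same src_ipaddr and secret, attached to each realm via `acct_pool`.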

