[strongSwan] allow multiple EAP identities but not %any

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 30 15:24:16 CET 2019


Hello list,

Yes, you can do that.
Create a base config that has eap_identity=%any but rightgroups=thisdoesnotexist.
Then create specific configs for your other eap_identities that do not have rightgroups set.
Make sure the base config is earlier in the config file than the others.

Kind regards

Noel

On 30.10.19 at 15:07, Michael Schwartzkopff wrote:
> On 30.10.19 14:53, Christoph Harder wrote:
>> Hello everybody,
>>
>> is it possible to define multiple EAP identities per connection,
>> without using %any ?
>>
>> For example in the swanctl.conf I define two connections and in the
>> secrets section I define multiple EAP secrets/identities.
>> Is there any way to specify connections.<conn>.remote<suffix>.eap_id
>> so that only certain (but more than one) identities will be accepted?
>> Or is there only the option to allow either all known identities or
>> only a single one when using the swanctl.conf (and EAP identities
>> stored in the secrets section)?
>>
>> Best regards,
>> Christoph Harder
>>
> 
> Hi,
> 
> 
> I do not know if strongswan is flexible enough for your purpose. But if
> you have a RADIUS server as backend authentication, you could
> accomplish your task in RADIUS.
> 
> 
> Kind regards,
> 
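
The layout described in the reply at the top of this message, written out in ipsec.conf syntax (the format the eap_identity and rightgroups keywords belong to). This is an added example, not a config posted in the thread. The connection names, the identities alice and bob, the certificate file and the server ID are assumptions; in swanctl.conf the corresponding remote-section options are eap_id and groups.

```conf
# ipsec.conf: constructed example. Connection names, identities and
# certificate/ID values are assumptions, not taken from the thread.

conn %default
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=@vpn.example.org
    right=%any
    rightauth=eap-mschapv2
    auto=add

# Base config, listed first: accepts any EAP identity for the exchange,
# but requires membership in a group that no peer is ever a member of,
# so authentication is not meant to succeed against this config itself.
conn eap-base
    eap_identity=%any
    rightgroups=thisdoesnotexist

# One config per permitted EAP identity, each without rightgroups.
conn eap-alice
    eap_identity=alice

conn eap-bob
    eap_identity=bob

# ipsec.secrets needs an EAP secret for each permitted identity:
#   alice : EAP "<alice's password>"
#   bob   : EAP "<bob's password>"
```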
