[strongSwan] *** Spam *** Re: allow multiple EAP identities but not %any

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 30 16:05:37 CET 2019


Hello Christoph,

I do not know how to set groups to an empty value. However, you do not need to inherit anything either.
Just making different connections (IKE_SA configurations) with identical settings (besides eap_id and groups)
is enough.

Kind regards

Noel

On 30.10.19 at 15:57, Christoph Harder wrote:
> Hello Noel,
> 
> thank you.
> 
> So each identity gets its own config and inherits all settings from the base config except
> connections.<conn>.remote<suffix>.eap_id
> is set to one of the EAP identities
> and
> connections.<conn>.remote<suffix>.groups
> is overwritten with ""?
> 
> Best regards,
> Christoph Harder
> 
> TELCO TECH GmbH
> Berlin branch office
> Mädewalder Weg 2
> 12621 Berlin
> Tel.: +49 30 565862610
> Web: www.telco-tech.de
> Amtsgericht Potsdam-Stadt HRB 55 79
> Managing directors:
> Bernd Schulz
> Silke Schirmer
> 
> On 30.10.19 at 15:24, Noel Kuntze wrote:
>> Hello list,
>>
>> Yes, you can do that.
>> Create a base config that has eap_identity=%any but rightgroups=thisdoesnotexist.
>> Then create specific configs for your other eap_identities that do not have rightgroups set.
>> Make sure the base config is earlier in the config file than the others.
>>
>> Kind regards
>>
>> Noel
>>
>> On 30.10.19 at 15:07, Michael Schwartzkopff wrote:
>>> On 30.10.19 14:53, Christoph Harder wrote:
>>>> Hello everybody,
>>>>
>>>> is it possible to define multiple EAP identities per connection,
>>>> without using %any ?
>>>>
>>>> For example in the swanctl.conf I define two connections and in the
>>>> secrets section I define multiple EAP secrets/identities.
>>>> Is there any way to specify connections.<conn>.remote<suffix>.eap_id
>>>> so that only certain (but more than one) identities will be accepted?
>>>> Or is there only the option to allow either all known identities or
>>>> only a single one when using the swanctl.conf (and EAP identities
>>>> stored in the secrets section)?
>>>>
>>>> Best regards,
>>>> Christoph Harder
>>>>
>>>
>>> Hi,
>>>
>>>
>>> I do not know if strongswan is flexible enough for your purpose. But if
>>> you have a RADIUS server as backend authentication, you could
>>> accomplish your task in RADIUS.
>>>
>>>
>>> Kind regards,
>>>
>>
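
The layout described in this thread, written out as a swanctl.conf fragment (an added example, not taken from any poster's configuration). The connection names, gateway.pem, the subnet and the identities alice and bob are constructed placeholders, and the matching EAP secrets are assumed to be defined in the secrets section as in the original question.

```conf
# Constructed example: all names, the certificate file and the subnet are placeholders.
connections {
    rw-base {    # base config, first in the file: any EAP identity, unmatched group
        local {
            auth = pubkey
            certs = gateway.pem
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            groups = thisdoesnotexist
        }
        children {
            net {
                local_ts = 10.0.0.0/24
            }
        }
    }
    rw-alice {   # same settings, eap_id fixed to one identity, no groups
        local {
            auth = pubkey
            certs = gateway.pem
        }
        remote {
            auth = eap-mschapv2
            eap_id = alice
        }
        children {
            net {
                local_ts = 10.0.0.0/24
            }
        }
    }
    rw-bob {     # second accepted identity, again without groups
        local {
            auth = pubkey
            certs = gateway.pem
        }
        remote {
            auth = eap-mschapv2
            eap_id = bob
        }
        children {
            net {
                local_ts = 10.0.0.0/24
            }
        }
    }
}
```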
