[strongSwan] Authorization of network access via VPN

Michael Schwartzkopff ms at sys4.de
Mon Mar 2 21:33:30 CET 2020


With the RADIUS module, authentication and accounting can be achieved
easily against every backend RADIUS can talk to. Policing is possible
with RADIUS. So everything works nicely.

I want to deal with authorization in a strongSwan / RADIUS setup. As far
as I understood the docs, the RADIUS server can pass the group membership
attribute in the Class attribute. strongSwan can use this information in
its rightgroup option in ipsec.conf. A conn section fits if at least one
group is returned by the RADIUS server.

This works nicely in scenarios where I have disjoint access rights for
user groups, i.e. accounting can access other internal servers than a user in
the engineering group, and a user is never in both groups.

Is it possible to set up (or implement) a setup where every group has
different access rights?

This could be achieved by filter lists based on group membership that
strongSwan would use as leftsubnet. Or strongSwan could call an updown script
and pass on the group membership. That script would set up the firewall.

Any other thoughts?

Kind regards,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
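One way to realise the updown-script idea from the post above, as an added example that is not part of the original message or of strongSwan itself: one conn section per group (each restricted with rightgroups so only members of that RADIUS-reported group match it), all sharing one leftupdown script that maps the matched conn name, delivered by charon in PLUTO_CONNECTION, to the internal subnets that group may reach. The conn names, subnets and script path are assumptions for illustration; PLUTO_CONNECTION, PLUTO_PEER_CLIENT and PLUTO_VERB are the variables charon exports to updown scripts.

```shell
#!/bin/sh
# Added example, not from the post or the strongSwan project.
# Assumed ipsec.conf (hypothetical conn names and script path):
#   conn eng         rightgroups=engineering leftupdown=/usr/local/sbin/group-updown
#   conn accounting  rightgroups=accounting  leftupdown=/usr/local/sbin/group-updown
# with charon.plugins.eap-radius.class_group = yes so the RADIUS Class
# attribute is used as group membership. Only the conn whose rightgroups
# matches the user's groups comes up, so PLUTO_CONNECTION tells the
# script which group's rule set to apply.

IPTABLES="${IPTABLES:-iptables}"   # override for dry runs, e.g. IPTABLES=echo

# Map the matched conn name to the internal subnets that group may reach.
# Subnets are hypothetical. An unknown conn gets nothing (deny by default).
group_subnets() {
    case "$1" in
        eng)        echo "10.10.0.0/24 10.20.0.0/24" ;;
        accounting) echo "10.30.0.0/24" ;;
        *)          echo "" ;;
    esac
}

# Print the FORWARD rules for one client and verb.
# $1 = conn name, $2 = client virtual IP (PLUTO_PEER_CLIENT, e.g. 10.1.0.5/32),
# $3 = PLUTO_VERB. Only the tunnel-mode verbs up-client/down-client matter here.
updown_rules() {
    conn=$1; client=$2; verb=$3
    case "$verb" in
        up-client)   action="-I" ;;
        down-client) action="-D" ;;
        *)           return 0 ;;
    esac
    subnets=$(group_subnets "$conn")
    [ -n "$subnets" ] || return 0
    for net in $subnets; do
        # -m policy restricts the rules to traffic that really came out of
        # (or goes into) an IPsec SA, so plain forwarded packets never match.
        echo "$IPTABLES $action FORWARD -s $client -d $net -m policy --dir in --pol ipsec -j ACCEPT"
        echo "$IPTABLES $action FORWARD -s $net -d $client -m policy --dir out --pol ipsec -j ACCEPT"
    done
}

# Entry point when charon invokes the script: run the generated rules.
if [ -n "$PLUTO_VERB" ]; then
    updown_rules "$PLUTO_CONNECTION" "$PLUTO_PEER_CLIENT" "$PLUTO_VERB" | sh
fi
```

The FORWARD chain is assumed to have a default DROP policy, so a user whose groups match none of the conn sections (or an unlisted conn) reaches no internal subnet.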
