[strongSwan] Authorization of network access via VPN
ms at sys4.de
Mon Mar 2 21:33:30 CET 2020
with the RADIUS module authentication and accounting can be achieved
easily against every backend RADIUS can talk to. Policying is possible
with RADIUS. So everything works nicely.
I want to deal with authorization in a strongswan / RADIUS setup. As far
as I understood the docu, the RADIUS server can pass group membership
attribute in the Class attribute. Strongswan can use this information in
its rightgroup option in ipsec.conf. A con section fits, if at least one
group is returned by the RADIUS server.
This works nicely in scenarios where I have disjunct access rights for
user groups. i.e. accouting can access other internal servers as user in
the engineering group and a user is never in both groups.
Is it possible to setup (or implement) a setup where every group has
different access rights?
This could be acchived by filter-lists based in group membership that
swan would use as leftsubnet. Or strongswan could call a updown script
and passes on the group membership. That script would setup the firewall
An other thoughts?
Mit freundlichen Grüßen,
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 228 bytes
Desc: OpenPGP digital signature
More information about the Users