Strongswan clients access rights
I am a beginner with strongswan, so I apologize for this beginner's query. I have created a Debian server with strongswan. Three networks are connected to this server:
network_1: 192.168.10.0/24, network_2: 192.168.20.0/24 and network_3: 192.168.30.0/24, via Mikrotik LTE routers and the IKEv2-PSK protocol. Together with these networks, Windows, iOS, OSX and Android clients can connect to this server via the IKEv2 protocol with MSCHAP-EAP authentication. All is working without problems, and every connected client can access all IPs in all three networks.
At this moment I would like to assign access rights like the following to MSCHAP-EAP clients, for example:
Client Bob/password1 should be able to access only IPs in network_2 and no other IPs
Client Alice/password2 should be able to access only the IP address range 192.168.20.100 – 150 in the second network and no other IPs
Client John/password3 should be able to access only the IP address ranges 192.168.30.10 – 50 and 192.168.10.150 – 200 and the IP address 192.168.20.44
Could anybody be so kind and help me solve it? Ideally with a reference to an example solution…
Thank you in advance
Petr
strongswan
asked Apr 17 '18 at 19:14
Petr W.
2 Answers
A possible way to do this is using EAP-RADIUS. The radius server can return Class attributes that can be matched against configs (rightgroups in ipsec.conf, or groups in swanctl.conf). Then you can define different local traffic selectors for each of these groups. The ikev2/rw-eap-md5-class-radius strongSwan test scenario illustrates this.
If you don't want to or can't use EAP-RADIUS there is a way to match individual EAP identities but it's a bit tricky because strongSwan does not fully support connection switching based on such identities.
To do this a dummy connection with a fake group has to be used. This is how it could look in ipsec.conf:

conn eap-shared
    # options shared by all clients e.g.
    leftcert=...
    # or
    rightsourceip=...
    # or
    rightauth=eap-mschapv2

conn eap-init
    also=eap-shared
    # this config is used to do the EAP-Identity exchange and the
    # authentication of client and server
    eap_identity=%identity
    # the following is used to force a connection switch after
    # the authentication completed
    rightgroups=<any string that is not used as group/class>
    auto=add

conn eap-bob
    also=eap-shared
    eap_identity=bob@strongswan.org
    # any options that only apply to this user follow here e.g.
    leftsubnet=192.168.20.0/24
    auto=add

conn eap-alice
    also=eap-shared
    eap_identity=alice@strongswan.org
    # any options that only apply to this user follow here e.g.
    # (note that ipsec.conf does not support ranges, and most kernel
    # interfaces do neither, so a range might be converted to a larger
    # subnet when installing IPsec policies, so deaggregating the range
    # is the most accurate way to do this currently)
    leftsubnet=192.168.20.100/30,192.168.20.104/29,192.168.20.112/28,192.168.20.128/28,192.168.20.144/30,192.168.20.148/31,192.168.20.150/32
    auto=add

conn eap-john
    also=eap-shared
    eap_identity=john@strongswan.org
    # any options that only apply to this user follow here e.g.
    # (see above)
    leftsubnet=192.168.30.10/31,192.168.30.12/30,192.168.30.16/28,192.168.30.32/28,192.168.30.48/31,192.168.30.50/32,192.168.10.150/31,192.168.10.152/29,192.168.10.160/27,192.168.10.192/29,192.168.10.200/32,192.168.20.44/32
    auto=add

With EAP-RADIUS the config would look quite similar, but you wouldn't need the eap-init connection (instead you'd add eap_identity=%identity to eap-shared), and instead of defining eap_identity in each individual connection you'd set rightgroups to the groups (i.e. EAP-RADIUS Class attribute values) for which that connection should be used (i.e. this allows using the same conn section for multiple users).
answered Apr 18 '18 at 8:48
ecdsa
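The answer above deaggregates Alice's and John's address ranges into aligned subnets by hand. The following is an added example, not code from the answer or from strongSwan: it implements that range-to-CIDR split, renders per-user conn sections in the answer's dummy-group scheme, and checks that the generated policy covers exactly the requested addresses and nothing more (the over-broad-subnet problem the answer's comment warns about). The ACCESS table is constructed from the question; the user@strongswan.org identities and conn names follow the answer.

```python
"""Added example (not from the answer or the strongSwan project): build the
deaggregated leftsubnet lists and per-user ipsec.conf conn sections for the
access rights described in the question."""
import ipaddress

# Constructed from the question: inclusive (first, last) address ranges per user.
ACCESS = {
    "bob":   [("192.168.20.0", "192.168.20.255")],
    "alice": [("192.168.20.100", "192.168.20.150")],
    "john":  [("192.168.30.10", "192.168.30.50"),
              ("192.168.10.150", "192.168.10.200"),
              ("192.168.20.44", "192.168.20.44")],
}


def deaggregate(first, last):
    """Split the inclusive IPv4 range first..last into the minimal list of
    CIDR blocks (IPsec policies are installed per subnet, not per range).
    Each block is the largest power-of-two-aligned chunk that starts at the
    current address and does not run past `last`."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range {first}-{last} is reversed")
    blocks = []
    while start <= end:
        nbits = 0
        while nbits < 32:
            bit = 1 << nbits
            # stop growing the block when `start` is not aligned to the next
            # block size, or when the larger block would overshoot `end`
            if start & bit or start + (bit << 1) - 1 > end:
                break
            nbits += 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{32 - nbits}")
        start += 1 << nbits
    return blocks


def leftsubnet(ranges):
    """Comma-separated leftsubnet value covering every (first, last) range."""
    return ",".join(block for r in ranges for block in deaggregate(*r))


def render_conn(user, ranges, realm="strongswan.org"):
    """One per-user conn section, in the shape the answer uses (the shared
    options live in eap-shared; the EAP identity selects this section)."""
    return "\n".join([
        f"conn eap-{user}",
        "    also=eap-shared",
        f"    eap_identity={user}@{realm}",
        f"    leftsubnet={leftsubnet(ranges)}",
        "    auto=add",
    ])


def coverage_check(ranges):
    """Least-privilege check: the generated blocks must contain exactly the
    addresses in the requested ranges, so no wider subnet slips into the
    policy than the user was granted."""
    wanted = set()
    for first, last in ranges:
        a = int(ipaddress.IPv4Address(first))
        b = int(ipaddress.IPv4Address(last))
        wanted.update(range(a, b + 1))
    got = set()
    for block in leftsubnet(ranges).split(","):
        got.update(int(host) for host in ipaddress.ip_network(block))
    return got == wanted


if __name__ == "__main__":
    for user, ranges in ACCESS.items():
        assert coverage_check(ranges), f"policy for {user} is not exact"
        print(render_conn(user, ranges), end="\n\n")
```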
Thank you very much for your answer. I will test it. My first idea was to change the MSCHAP-EAP authentication to EAP-TLS and use different client certificates and a conn section for each group, but I don't know if it would be the right way.
answered Apr 18 '18 at 17:26
Petr W.
Sorry, didn't see this before. Did you mean to add this as a comment to my answer? Anyway, EAP-TLS wouldn't make much of a difference as there again is the problem that switching based on EAP identities isn't fully supported (and different client implementations may use different forms of EAP identities when using certificates). Using plain certificate authentication may be an alternative as that allows matching configs via subject DN (even with wildcards), however, the identities sent might still depend on the client (some send the full subject DN, others the CN, or a SAN).
– ecdsa
Apr 20 '18 at 11:31
Hm, my idea with certificates was not good. I'll have to solve it with a RADIUS server.
– Petr W.
Apr 23 '18 at 14:27
ecdsa, thank you very much for your help once more. The strongSwan server is now working together with FreeRADIUS + MySQL without problems, with a lot of users in user groups that have access rights via EAP-MSCHAP to the appropriate ranges in the appropriate networks :-)
– Petr W.
May 5 '18 at 19:25