Hi Jordan,

> I am having difficulty getting strongSwan to select the right IKEv1
> configuration based on group attributes returned from radius server.

Providing group membership through XAuth backends, but also the
enforcement of the same in XAuth is actually not supported yet in 5.0.

> rightgroups="group1"
> rightauth=pubkey
> rightauth2=xauth-eap

Setting rightgroups is not correct, because it applies to the first
authentication round. That "pubkey" round does not provide the group
information you require, hence the connection fails.

To enforce group membership in (non Hybrid mode) XAuth, you'd have to
set rightgroups2="group1". Such a parameter does not exist, but I've
pushed a patch [1] that adds this option to ipsec.conf.

I've pushed a few [2] other [3] patches [4] that apply the group
information from XAuth backends and check compliance against the
configuration.

Currently missing is the connection fallback, though. So if your first
connection does not comply, the setup fails without switching to a
potentially matching connection. I'll try to get this implemented ASAP,
but this requires some work.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=46df61df
[2] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=9191946a
[3] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=874f7c7e
[4] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=40ca05cf
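
The configuration discussed in the reply above, written out as an added example that is not part of the original message or of the strongSwan sources. The connection names, the certificate file name and the left-side settings are assumptions; rightgroups2 is only available in a build that contains patch [1].

```conf
# ipsec.conf (constructed example; names and left-side values are assumed)

# As posted: rightgroups is evaluated against the FIRST authentication
# round. That round is "pubkey", which carries no group information,
# so the group constraint cannot be met and the connection fails.
conn rw-group1-as-posted
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth-eap
    rightgroups="group1"
    auto=add

# Corrected: the group constraint is attached to the SECOND round
# (XAuth), where the backend supplies the group membership.
conn rw-group1
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth-eap
    rightgroups2="group1"
    auto=add
```

Because connection fallback is described as still missing, adding a second conn with a different rightgroups2 value would not help a user whose groups do not match the first selected connection: that setup fails instead of switching.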
