PS - the EAPRadius configuration seems to use Xauth as the primary means to look up users. In my case I have a user identifier in the client certificate common name. Could I have the Radius plugin look up the group based on that as the username? Or otherwise, is there another means to look up groups than via xauth?
I'd be happy to write a plugin to do my custom behavior if someone could give me a pointer in the right direction. Is the eap_radius plugin a good place to start? Or is there a simpler plugin I could look at to start with? Do any other plugins deal with mapping incoming users to groups?

My primitive idea of what I would like to accomplish is: a plugin which extracts the username from the common-name of the client cert, looks it up in a hash table (or file) and returns a group name which can be used to match on in traffic selectors.

Or to come at it from another direction - would an updown script be a good place to assign a group? e.g. at the "up" stage the script goes off and does some arbitrary checks and sets a $GROUP variable which can be matched on in traffic selectors? Or is it already too late to match traffic selectors by the time it hits those scripts?

I'd appreciate any pointers/feedback.

Thanks.

On Thu, Nov 7, 2013 at 12:31 AM, Raoul Duke <[email protected]> wrote:

> Hi,
>
> I have dozens (potentially hundreds) of user groupings. I would like to
> assign each group an IP block/range so I can identify the groups in
> upstream proxy logs etc.
>
> I'm aware that the recommended solution for identifying users by group is:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
>
> My questions are:
>
> 1] Is the EAP Radius setup compatible with IOS clients (ikev1)? I have
> read that EAP is an ikev1 concept so my assumption was that it may not work.
> Can you please clarify?
>
> 2] In the above Wiki the traffic selectors for each group are in the
> config file. Can the group to traffic selector mappings be configured more
> dynamically somehow? (e.g.
> http://wiki.strongswan.org/projects/strongswan/wiki/SQL - if so is this
> a stable plugin?)
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
