Hi Raoul,

> 1] is the EAP Radius setup compatible with IOS clients (ikev1). I have
> read that EAP is an IKEv1 concept so my assumption was that it may not work.
> Can you please clarify?

EAP is an IKEv2 concept and is not supported in IKEv1. However, IKEv1 has the XAuth extension, and the eap-radius plugin can act as an XAuth backend as well starting with 5.1.0.

> 2] in the above Wiki the traffic selectors for each group are in the config
> file. Can the group to traffic selector mappings be configured more
> dynamically somehow? (e.g. [...]/SQL - if so is this a stable plugin?)

The sql plugin is stable, but there are currently no options to define group membership requirements for connections (rightgroups). And there is no frontend to populate your database.

> the EAPRadius configuration seems to use Xauth as the primary
> means to lookup users. In my case I have a user identifier in the
> client certificate common name. Could I have the Radius plugin lookup
> the group based on that as the username?

The primary intention for eap-radius is to authenticate EAP/XAuth users. So no, it is currently not supported to do any dedicated group lookup for IKE/certificate identities.

> I'd be happy to write a plugin to do my custom behavior if someone
> could give me a pointer in the right direction. Is the eap_radius
> plugin a good place to start? Or is there a simpler plugin I could
> look at to start with?

If you write something like that for IKEv1, I'd recommend going for an XAuth backend. I think this is the only scenario where we currently support late configuration switching (based on group information) for IKEv1. The eap_radius_xauth.c is certainly a good starting point, but you might go for a simpler XAuth backend for the start (xauth-generic). Your additional functionality should add the AUTH_RULE_GROUP to the current IKE_SA remote authentication round. eap-radius does this at [1], eap-tnc also sets group membership at [2] based on the IMV recommendation.

> My primitive idea of what I would like to accomplish is: a plugin
> which extracts the username from the common-name of the client cert,
> look it up in a hash table (or file) and return a group name which can
> be used to match on in traffic selectors.

Certificate information can be accessed by getting AUTH_RULE_SUBJECT_CERT from the auth config of the first authentication round. During XAuth, you have to query the authentication round of the Main/Aggressive mode using ike_sa_t.create_auth_cfg_enumerator(). Once you have the certificate, you can get its subject and use the identification_t.create_part_enumerator() to query the CN of it.

> Or to come at it from another direction - would an updown script be a
> good place to assign a group?

No, updown can't return any information to the daemon.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/eap_radius/eap_radius.c#l297
[2] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/eap_tnc/eap_tnc.c#l98

Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
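As an added example (not code from this thread or from strongSwan), the CN-to-group decision the poster describes, written stand-alone in C: parsing the subject DN string stands in for strongSwan's create_part_enumerator() on the AUTH_RULE_SUBJECT_CERT subject, the constructed table stands in for the hash table or file, and rightgroups_match applies the rightgroups rule that the peer must belong to at least one listed group, failing closed for unknown users.

```c
#include <string.h>
#include <strings.h>

/* Constructed CN -> group table in place of the poster's hash table or file. */
static const struct { const char *cn, *group; } cn_groups[] = {
    { "alice", "finance" }, { "bob", "engineering" },
};

/* Pull the CN out of an RFC 4514 style subject DN. A strongSwan plugin would
 * walk identification_t's create_part_enumerator() on the certificate subject
 * instead; parsing a string keeps this example stand-alone.
 * Returns NULL when there is no CN or the value does not fit in out. */
const char *dn_get_cn(const char *dn, char *out, size_t outlen)
{
    for (const char *p = dn; *p; ) {
        while (*p == ' ' || *p == ',') p++;
        const char *eq = strchr(p, '=');
        if (!eq) return NULL;
        int is_cn = (eq - p == 2 && strncasecmp(p, "CN", 2) == 0);
        size_t n = 0;
        for (p = eq + 1; *p && *p != ','; ) {
            char c = *p++;
            if (c == '\\' && *p) c = *p++;       /* escaped ',' or similar */
            if (is_cn && n + 1 >= outlen) return NULL;
            if (is_cn) out[n++] = c;
        }
        if (is_cn) { out[n] = '\0'; return n ? out : NULL; }
    }
    return NULL;
}

/* Group the plugin would attach as AUTH_RULE_GROUP; NULL for an unknown CN
 * so that the caller fails closed. */
const char *group_for_cn(const char *cn)
{
    for (size_t i = 0; i < sizeof(cn_groups) / sizeof(cn_groups[0]); i++)
        if (strcmp(cn_groups[i].cn, cn) == 0) return cn_groups[i].group;
    return NULL;
}

/* rightgroups rule: the peer must be in at least one of the listed groups. */
int rightgroups_match(const char *required, const char *granted)
{
    size_t glen = granted ? strlen(granted) : 0;
    for (const char *p = required; glen && *p; p += strcspn(p, ",")) {
        while (*p == ' ' || *p == ',') p++;
        size_t len = strcspn(p, ",");
        while (len && p[len - 1] == ' ') len--;
        if (len == glen && strncmp(p, granted, glen) == 0) return 1;
    }
    return 0;
}
```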
