On 2018-02-27 Tobias Brunner wrote:
> Hi Trevor,
>
> > Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
>
> Yes, it's trustworthy. While the client can send an arbitrary value,
> it has to match an identity in the certificate (either the subject DN
> or a SAN).
That's great news!

> > So I then tried user certs to select on EAP identity in the user
> > cert. Set that up then finally found a couple of emails/sites that
> > said strongswan can't switch conns based on identity.
>
> That's not entirely true. If you delegate the authentication to a
> RADIUS server it can send back class attributes that strongSwan can
> use to select configs (via rightgroups=<class>). That makes it easy
> to use different configs for multiple groups of users.
>
> But even without RADIUS you can match configs against EAP identities.
> It requires a dummy config that requests the EAP identities from the
> clients, though. Let's say you have two clients, one is
> [email protected] and one is [email protected], then you may configure the
> following:

That's even better! Great idea. I sure did a lot of searching and I never found mention of that rightgroups trick. I just set it up and it works!

I had to add one more thing, though (for others reading this): you have to add rightgroups= (i.e. blank) on the final matching conn (i.e. eap-tls-trevor) or it will never match either.

eap_identity doesn't seem to allow wildcards (does it?), so I'll need a conn for every single user. I was hoping to group them with wildcards, like eap_identity=roadwarrior*@foo.com and eap_identity=proxy*@foo.com. But that's ok, I'll just have a script generate all the per-user stanzas for ipsec.conf.

There's no RADIUS server at our site, so that's a no go, so I'm glad I don't require one to do this. Seems a pain to set one up just for this purpose :-)

> If carol connects now you'd see something like this in the log:

Yes, you're exactly right. I would never have guessed this approach was possible, and in all my research I never found it documented. It should be noted somewhere (though at least this email now documents it).
I still can't have it so I can access >1 connection type from the *same* user in Windows 7, as they give you no way to pick which user cert is used from the personal store (from what I can tell). However, I can live with this limitation and set up a different Windows user for each connection type I want. Works great!

My only other concern is now I have the exact same rightsourceip range set in multiple conn stanzas (i.e. rightsourceip=10.1.1.0/24). I'm hoping strongswan will lump identical rightsourceip's all together so the first connection hitting eap-tls-trevor-roadwarrior gets, say, 10.1.1.1, and eap-tls-carol-roadwarrior (connecting while trevor is still connected) gets 10.1.1.2 (and not 10.1.1.1!), i.e. the rightsourceip ranges are considered/assigned globally, not per conn stanza. I'm sure this must be the case, as I could easily have another intermediate stanza, say eap-tls-shared-roadwarrior that eap-tls-trevor-roadwarrior also's, which contains the rightsourceip, in which case it would not be duplicated in any other stanza, even though it is used in many sub-stanzas.

Thanks so much! Having this working is really awesome. I learned way more about ipsec + strongswan than I ever wanted to, but it was worth it in the end. (The biggest problem being Windows is braindead.)

Is there a way to donate a modest amount to the project or to you personally? You (and a few others) provide the best support I think I've ever seen for an open source project. No small feat seeing as how it's an insanely complex piece of software.
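The ipsec.conf layout the exchange above describes, written out as an added example; it is not Tobias's original config (which is not reproduced in the thread) and not from the strongSwan project. The conn names, the placeholder group name no-such-group, the user identities (carol@example.com, trevor@example.com), the gateway identity, the certificate file name and the address pool are all constructed; the shared rightsourceip stanza follows Trevor's own suggestion so the pool is defined only once.

```ini
# Added example (constructed names and addresses), not the thread's original config.
conn %default
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.com             # constructed gateway identity
    leftcert=vpnGatewayCert.pem         # constructed certificate file name
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-tls                   # clients authenticate with user certs
    auto=add

# Dummy conn: listed first (assumption: candidates of equal match quality
# are tried in load order). It asks every client for its EAP identity, but
# requires a group no client is in, so it can never be the final match and
# charon moves on to a conn whose eap_identity equals the one received.
conn eap-tls-dummy
    eap_identity=%any
    rightgroups=no-such-group           # placeholder, intentionally unmatched

# Shared settings for all road warriors; the address pool lives here only,
# so every per-user conn below draws from the same pool.
conn eap-tls-shared-roadwarrior
    also=eap-tls-dummy
    rightsourceip=10.1.1.0/24           # constructed pool

# One conn per user. eap_identity must match the identity in the user's
# certificate (subject DN or SAN). rightgroups= (blank) overrides the
# requirement inherited from the dummy, otherwise this conn never matches.
conn eap-tls-carol-roadwarrior
    also=eap-tls-shared-roadwarrior
    eap_identity=carol@example.com
    rightgroups=

conn eap-tls-trevor-roadwarrior
    also=eap-tls-shared-roadwarrior
    eap_identity=trevor@example.com
    rightgroups=
```

Since eap_identity takes no wildcards, a stanza of the last form is generated for each user; anything the page leaves out (the exact log lines Tobias refers to) is not reproduced here.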
