Hi Trevor,

>>> So I then tried user certs to select on EAP identity in the user
>>> cert. Set that up then finally found a couple of emails/sites that
>>> said strongswan can't switch conns based on identity.
>>
>> That's not entirely true. If you delegate the authentication to a
>> RADIUS server it can send back class attributes that strongSwan can
>> use to select configs (via rightgroups=<class>). That makes it easy
>> to use different configs for multiple groups of users.
>>
>> But even without RADIUS you can match configs against EAP identities.
>> It requires a dummy config that requests the EAP identities from the
>> clients, though. Let's say you have two clients, one is
>> [email protected] and one is [email protected], then you may configure the
>> following:
>
> That's even better! Great idea. I sure did a lot of searching and I
> never found mention of that rightgroups trick. I just set it up and it
> works! I had to add one more thing, though (for others reading this),
> you have to add rightgroups= (i.e. blank) on the final matching conn
> (i.e. eap-tls-trevor) or it will never match either.

That probably depends on which connection you include with the also
keyword. In my example only the eap-tls-init connection has rightgroups
set, which is not included in the other two connections (they include
the eap-tls-shared connection, which eap-tls-init also includes). If
you define rightgroups in the shared connection or in conn %default you
do have to clear it in the "end" connections.

> eap_identity doesn't seem to allow wildcards (does it?) so I'll need a
> conn for every single user. I was hoping to group them with
> wildcards, like eap_identity=roadwarrior*@foo.com and
> eap_identity=proxy*@foo.com.

Wildcards are supported, but wildcards like above are currently not
supported by strongSwan at all. In email addresses you can only match
domains, i.e. what would work is something like *@roadwarrior.foo.com
and *@proxy.foo.com.

> My only other concern is now I have the exact same rightsourceip range
> set in multiple conn stanzas (i.e. rightsourceip=10.1.1.0/24). I'm
> hoping strongswan will lump identical rightsourceip's all together so
> the first connection hitting eap-tls-trevor-roadwarrior gets, say,
> 10.1.1.1, and eap-tls-carol-roadwarrior (connecting while trevor is
> still connected) gets 10.1.1.2 (and not 10.1.1.1!). i.e. the
> rightsourceip ranges are considered/assigned globally, not per conn
> stanza.

Yes, the pools are merged (provided they are exactly the same in all the
connections, no matter if defined directly or included via also keyword
or conn %default).

> Is there a way to donate a modest amount to the project or to you
> personally? You (and a few others) provide the best support I think
> I've ever seen for an open source project. No small feat seeing as how
> it's an insanely complex piece of software. Thanks.

We have a Bitcoin donation button on wiki.strongswan.org, but that is
currently defunct. Maybe we can get that up again soon.

Regards,
Tobias
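The conn layout the reply describes (a shared conn, a dummy "init" conn that alone carries rightgroups, and per-identity "end" conns that include only the shared conn), written out as an added ipsec.conf illustration. This is not Tobias's original example from the thread; the option names are real ipsec.conf keywords, but the gateway address, certificate file name, the never-matching group name and the identities are constructed placeholders, and the assumption that this exact arrangement causes strongSwan to request the EAP identity and then switch to the matching end conn should be confirmed on a test gateway before relying on it.

```conf
# Added illustration, not the original example from the mailing list.
# Keyword names are real ipsec.conf options; every value below is a
# constructed placeholder (assumption: this arrangement behaves as the
# reply describes, verify on a test gateway).

conn eap-tls-shared
    # settings common to all EAP-TLS clients; included via "also" and
    # deliberately without auto=add so it is never loaded on its own
    keyexchange=ikev2
    left=192.0.2.1
    leftcert=gatewayCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-tls
    # identical pool in every conn, so the addresses are handed out from
    # one merged pool rather than per conn stanza
    rightsourceip=10.1.1.0/24

conn eap-tls-init
    # dummy conn: its only job is to request the EAP identity from the
    # client; rightgroups names a group no client will ever carry, so this
    # conn is never the final match (it is the only conn setting rightgroups)
    also=eap-tls-shared
    eap_identity=%identity
    rightgroups=never-matches
    auto=add

conn eap-tls-trevor
    # end conn for one user, selected by the exact EAP identity; rightgroups
    # is not inherited because eap-tls-shared does not set it, so no blank
    # rightgroups= is needed here
    also=eap-tls-shared
    eap_identity=trevor@foo.com
    auto=add

conn eap-tls-carol
    also=eap-tls-shared
    eap_identity=carol@foo.com
    auto=add

conn eap-tls-proxy-hosts
    # the only wildcard form the reply says works for email identities:
    # a whole domain, not a prefix like proxy*@foo.com
    also=eap-tls-shared
    eap_identity=*@proxy.foo.com
    auto=add
```

If you instead put rightgroups into conn %default or into eap-tls-shared, each end conn must override it with an empty rightgroups= line, which is the extra step Trevor ran into.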
