Hello,

I'm using Strongswan for remote user access to server infrastructure on a remote site. Currently I'm using eap-radius authentication with Windows NPS and it works fine. The right auth part of the conn config:

    right=%any
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity

I would like to be able to authenticate technical support users with local secrets (i.e. rightauth=eap-mschapv2) in case the RADIUS server is unavailable. Is there a way to have 2 auth methods simultaneously for right=%any anyhow? Or maybe some fallback mechanism?

Right now the only way I see is to have a separate public IP on the external Strongswan interface and another conn section for this IP. It does not seem a very straightforward solution.

As an example, on a Cisco router I would create 2 access groups and have 2 profiles on the Cisco VPN client: one for local auth, one for RADIUS.

Any thoughts? Technical support clients are mostly Windows built-in VPN.

--
Best regards,
Dmitry Soloshenko
