On 04.12.18 at 14:09, Dmitry Soloshenko wrote:
> Hello, Tobias.
>
> Thank you for response.
>
>>> As an example, on Cisco router I would create 2 access groups and
>>> have 2 profiles on Cisco VPN client: one for local auth, one for RADIUS.
>> And how/when does it switch between the two?
> In Cisco VPN client access group name is specified in profile
> settings and this name is sent to VPN server during connection. User
> selects specific profile to connect to VPN server.
> For different access groups there are separate sections in config on
> VPN server, so one can specify different auth methods.

You can configure this with policies in the FreeRADIUS server.

>>> Any thoughts? Technical support clients are mostly Windows built-in
>>> VPN.
>> That's bad, because that client neither sends a remote identity (IDr is
>> never sent), nor any useful client identity (IDi, which just contained
>> the private IP address at one time when EAP was used, but that might
>> depend on the Windows version). So with such clients your options are
>> limited, I'm afraid (using machine certificates, i.e. not EAP-TLS, would
>> work though).
> Ok, I think I may try machine certificates.
>

FreeRADIUS is very configurable. You can set up policies that trigger if certain conditions hold.

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
