Hello Tobias,

Thank you for your help on this. I have managed to utilise the eap-radius plugin to listen to disconnect messages from Freeradius.

I get strange reporting in the logs. It seems that StrongSwan rejects the initial disconnect message with a NAK.

(4) Sent Disconnect-Request Id 11 from 0.0.0.0:42481 to 127.0.0.1:3799 length 28
(4) User-Name = "houman"
(4) Sent Accounting-Response Id 178 from 127.0.0.1:1813 to 127.0.0.1:51530 length 0
(4) Finished request
(4) Cleaning up request packet ID 178 with timestamp +6
Waking up in 2.1 seconds.
(4) Clearing existing &reply: attributes
(4) Received Disconnect-NAK Id 11 from 127.0.0.1:3799 to 127.0.0.1:42481 length 20

What attributes *should* be in the Disconnect-Request besides User-Name? Is there anything else I need to avoid getting a NAK from StrongSwan?

Many Thanks,
Houman

On Tue, 10 Sep 2019 at 12:02, Tobias Brunner <tob...@strongswan.org> wrote:

> Hi Houman,
>
> > Do you think that is possible to do via FreeRadius?
>
> See [1].
>
> > Just to be
> > clear there is always a 1:1 relationship between IKE_SA and a user at a
> > time, correct?
>
> Probably, that is, if you don't allow multiple IKE_SAs per user identity.
>
> > If I end an IKE_SA, I won't be kicking several users by
> > mistake?
>
> Not if you do so by unique ID (by name wouldn't be a good idea because
> all IKE_SAs by roadwarriors will share the name of the connection).
>
> > So in other words what
> > I'm trying to achieve is possible with Vici right?
>
> Yes.
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension
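An added example, not part of the original thread: the packet lengths in the log above can be checked against the RFC 5176 wire format. The 28-byte Disconnect-Request is a 20-byte header plus an 8-byte User-Name attribute, and the 20-byte Disconnect-NAK is a header only, so it carries no Error-Cause attribute. The shared secret and the zeroed NAK authenticator below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176; attribute types from RFC 2865 / RFC 5176.
DISCONNECT_REQUEST, DISCONNECT_NAK = 40, 42
USER_NAME, ERROR_CAUSE = 1, 101

def build_disconnect_request(ident, attrs, secret):
    """Encode a Disconnect-Request; attrs is a list of (type, bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        t, alen = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def request_authenticator_ok(data, secret):
    """Recompute the Request Authenticator the receiver checks against its secret."""
    parse_packet(data)  # structural validation first
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + bytes(16) + data[20:length] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])

def error_cause(data):
    """Error-Cause value carried in a NAK, or None when the attribute is absent."""
    for t, v in parse_packet(data)[3]:
        if t == ERROR_CAUSE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None

# Constructed samples mirroring the logged Id and lengths (not captured traffic).
SECRET = b"constructed-secret"
REQUEST = build_disconnect_request(11, [(USER_NAME, b"houman")], SECRET)
NAK = struct.pack("!BBH", DISCONNECT_NAK, 11, 20) + bytes(16)
```

A NAK that does include Error-Cause would be longer than 20 bytes, and `error_cause()` would return its numeric value.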