Last active
November 5, 2016 18:48
-
-
Save skids/9234349e88b68b855672823d6144810d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| connections { | |
| swan { | |
| pools = students | |
| remote { | |
| id = %any | |
| auth = eap-radius | |
| } | |
| include swanctl_swan.conf | |
| } | |
| swan-itsadmin { | |
| pools = itsadmin | |
| remote { | |
| id = %any | |
| auth = eap-radius | |
| groups = swan-itsadmin | |
| } | |
| include swanctl_swan.conf | |
| } | |
| } | |
| ...this ends up in connection "swan"... | |
| 09[CFG] candidate "swan", match: 20/1/1052 (me/other/ike) | |
| 09[CFG] peer config match local: 20 (ID_FQDN -> XXY) | |
| 09[CFG] peer config match remote: 1 (ID_RFC822_ADDR -> YYY) | |
| 09[CFG] ike config match: 1052 (XXX.XXX.255.64 YYY.YYY.YYY.YYY IKEv2) | |
| 09[CFG] candidate "swan-itsadmin", match: 20/1/1052 (me/other/ike) | |
| 09[CFG] selected peer config 'swan' | |
| 09[CFG] RADIUS server 'localvpn' is candidate: 210 | |
| 09[CFG] sending RADIUS Access-Request to server 'localvpn' | |
| ... | |
| 05[IKE] received RADIUS attribute Filter-Id: 'swan-itsadmin' | |
| 05[IKE] RADIUS authentication of 'XXX.XXX.XXX' successful | |
| 05[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established | |
| 05[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ] | |
| connections { | |
| swan { | |
| pools = students | |
| remote { | |
| id = %any | |
| auth = eap-radius | |
| group = kickout | |
| } | |
| include swanctl_swan.conf | |
| } | |
| swan-itsadmin { | |
| pools = itsadmin | |
| remote { | |
| id = %any | |
| auth = eap-radius | |
| groups = swan-itsadmin | |
| } | |
| include swanctl_swan.conf | |
| } | |
| } | |
| 15[IKE] received RADIUS attribute Filter-Id: 'swan-itsadmin' | |
| 15[IKE] RADIUS authentication of 'XXX@XXX.XXX' successful | |
| 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established | |
| 15[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ] | |
| 15[NET] sending packet: from XXX.XXX.255.64[4500] to YYY.YYY.YYY.YYY[4500] (80 bytes) | |
| 09[NET] received packet: from YYY.YYY.YYY.YYY[4500] to XXX.XXX.255.64[4500] (112 bytes) | |
| 09[ENC] parsed IKE_AUTH request 4 [ AUTH ] | |
| 09[IKE] authentication of 'XXX@XXX.XXX' with EAP successful | |
| 09[CFG] constraint check failed: group membership to 'swan-itsadmin' required | |
| 09[CFG] selected peer config 'swan-itsadmin' inacceptable: non-matching authentication done | |
| I know this file is being read, as it is using the nas_identifier from it: | |
| /etc/strongswan/strongswan.d/charon/eap-radius.conf: | |
| eap-radius { | |
| load = yes | |
| accounting = yes | |
| accounting_close_on_timeout = yes | |
| accounting_interval = 600 | |
| accounting_requires_vip = yes | |
| close_all_on_timeout = no | |
| # Use filter_id attribute as group membership information. | |
| filter_id = yes | |
| # NAS-Identifier to include in RADIUS messages. | |
| nas_identifier = VPNB | |
| sockets = 32 | |
| } | |
| ...plus a server { } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment