I am working on a Linux (Debian 7) VPN concentrator for different kinds of remote access. One of the offered protocols is L2TP/IPsec because of the client availability. I am using xl2tpd, which in turn uses pppd, and pppd authenticates users via a RADIUS server.
What we would like to achieve now is controlling network access based on the user connecting to the VPN. For example, user A should be able to access only subnet X, while user B should be able to access only subnet Y. In fact, this is similar to dynamic VLAN assignment for WLAN. Unfortunately I could not find (correct me if I am wrong) an out-of-the-box solution for L2TP/IPsec VPNs under Linux. I came up with an idea which might do the trick, but it looks like a fair amount of work and therefore I would like to know if it contains any obvious flaws or if there is even an easier way.
The idea: use the dynamic VLAN assignment attributes from RADIUS (especially Tunnel-Private-Group-Id) and the radattr.so plugin for ppp. xl2tpd assigns each connected client a new virtual interface pppX, and the plugin creates a file /var/run/radattr.pppX containing all the attributes received from the RADIUS server. These attributes could be used by a ppp ip-up script to assign the newly created virtual interface to a Linux bridge port with the corresponding VLAN.
- Has anyone built such a configuration yet?
- Is there anything preventing this from working?
- Would you generally discourage this configuration for some reason?
Thanks in advance
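Added example, not from the original post, of what the ip-up side of this idea could look like: read the radattr file for the interface and translate Tunnel-Private-Group-Id into a per-interface policy. Because the Linux bridge only accepts Ethernet-type ports and a pppX device is not one, the example expresses the policy as iptables FORWARD rules limiting the link to its group's subnet rather than as a bridge-port assignment. The radattr line format, the group-to-subnet table and the sample attribute file are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: sketch of a pppd ip-up hook.
# It reads the attributes radattr.so wrote for this interface and turns
# Tunnel-Private-Group-Id into FORWARD rules that let the client's pppX
# link reach only the subnet mapped to its group. Assumed (not in the
# post): radattr lines look like "Attribute Value", the group-to-subnet
# table below, and pppd's ip-up convention of passing the interface name
# as $1. Commands are printed, not executed, so the policy can be reviewed
# before the script is wired into /etc/ppp/ip-up.d/.

# First value of an attribute in a radattr file; fails if it is absent.
radattr_get() {
    value=$(awk -v a="$2" '$1 == a { print $2; exit }' "$1")
    [ -n "$value" ] && printf '%s\n' "$value"
}

# Map a group id to the subnet that group may reach. Unknown or malformed
# ids fail closed: no ACCEPT rule is produced and only the DROP is installed.
subnet_for_group() {
    case "$1" in
        10) printf '10.10.0.0/24\n' ;;   # constructed: "subnet X"
        20) printf '10.20.0.0/24\n' ;;   # constructed: "subnet Y"
        *)  return 1 ;;
    esac
}

# Print the rules for one interface: allow the mapped subnet, drop all other
# traffic forwarded from that ppp link. Replies reach the client through the
# usual ESTABLISHED,RELATED rule on the FORWARD chain.
policy_commands() {
    ifname="$1"; radfile="$2"
    case "$ifname" in ppp[0-9]*) ;; *) return 1 ;; esac   # only pppX links
    if group=$(radattr_get "$radfile" Tunnel-Private-Group-Id) &&
       subnet=$(subnet_for_group "$group"); then
        printf 'iptables -A FORWARD -i %s -d %s -j ACCEPT\n' "$ifname" "$subnet"
    fi
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$ifname"
}

# Constructed sample of what radattr.so might write to /var/run/radattr.ppp0.
SAMPLE_RADATTR=$(mktemp)
trap 'rm -f "$SAMPLE_RADATTR"' EXIT
cat > "$SAMPLE_RADATTR" <<'EOF'
Framed-IP-Address 192.0.2.10
Tunnel-Type VLAN
Tunnel-Private-Group-Id 10
EOF
policy_commands ppp0 "$SAMPLE_RADATTR"
```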