
Building a VPN service with strongSwan, I need to distinguish between several groups of users where each group is assigned a certain subnet with certain permissions (i.e. "group x" has access only to a specific part of the local subnet, e.g. 192.168.10.10/32).

The official strongSwan wiki only allows so-called "group selection" with a RADIUS-server.

Now, according to the Wiki, there are two possibilities to gain group membership information: either by reading and interpreting the Class attribute sent within a RADIUS-Accept response, or by interpreting the Filter-Id attribute. The article does not highlight the (dis)advantages of one method or the other.

Although I felt like using a RADIUS server like FreeRADIUS was a bit of an overkill (I would have preferred a solution provided by strongSwan, some plugin, etc.), I set up and configured FreeRADIUS, and that's where I got stuck.

I stuck with the first method (using the class attribute to send back group membership info).

In the configuration file for the rlm_files module (freeradius/3.0/mods_config/files/authorize) I set up Bob:

#
# The canonical testing user which is in most of the
# examples.
#
bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
#       Class := "myclass"

Authentication works without issues, the only thing that's missing is the class attribute. This page lists all available FreeRADIUS attributes. I looked for the Class attribute and tried to set a value (see above) which the daemon failed to read.

The file also clearly says

Indented (with the tab character) lines following the first line indicate the configuration values to be passed back to the comm server to allow the initiation of a user session. This can include things like the PPP configuration values or the host to log the user onto.

Searching the net, this post on serverfault seems to use a similar approach but with another LDAP server. So far, there was no need for an LDAP server and that would mean another dependency or another service to rely on.

I also can't use cleartext passwords (like Bob does), instead, I'd prefer certificate-based authentication.

What's the right way to set up FreeRADIUS (and, if necessary, any other dependencies) for group-based policies? What possibilities do I have?

  • Is that last line of the `authorize` file commented out on purpose? – ecdsa Nov 06 '19 at 16:17
  • Yes, it is, because as I said, the daemon failed to read that line. @ecdsa – j3141592653589793238 Nov 06 '19 at 16:22
  • Did you try without the colon? (i.e. `Class = "myclass"`) That's at least how it's done in [this](https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-class-radius/) test scenario (`users` file). – ecdsa Nov 07 '19 at 07:27
  • Uh, actually, I just figured out that it works both with and without the colon. It just doesn't like `Reply-Message` and `Class` together. So when leaving out the `Reply-Message` attribute, it works fine. I wonder why though? In the example you provided, the `Class` attribute is also indented twice. I don't know if that's related. @ecdsa – j3141592653589793238 Nov 07 '19 at 11:08

1 Answer


You're missing the comma at the end of the Reply-Message line.

See the examples in the users file man page.

Arran Cudbard-Bell
  • You're so right, what a bummer. I missed that one. I got one more question though: Having moved to EAP-TLS for certificate based authentication, will the users file still be read and processed? Cause that doesn't seem to be the case right now. In other words, the only thing I need to accomplish is to specify the Class attribute based on the username. So I thought the easiest way to do so is by making use of the user file as above. Would you mind including that part in your answer as well? – j3141592653589793238 Nov 07 '19 at 15:50
  • That's really a separate question. Happy to answer it if you ask it as a new question and post the link in the comments. – Arran Cudbard-Bell Nov 07 '19 at 15:52
  • Thanks, on my way. – j3141592653589793238 Nov 07 '19 at 15:53
  • Please see the new question here: https://serverfault.com/questions/991017/how-to-configure-freeradius-with-eap-tls-and-group-based-authorization – j3141592653589793238 Nov 07 '19 at 20:54
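To make the answer's point concrete, here is a small model of the `users` file entry syntax written for this page (it is not FreeRADIUS's own rlm_files parser, which is in C, and it only models the rules relevant here): an entry starts at column 0 with the username and its check items, reply items follow on indented lines separated by commas, and a reply line without a trailing comma closes the entry. Run against the question's entry (constructed here with the `Class` line uncommented), the indented `Class` line is rejected because the `Reply-Message` line before it, lacking a comma, already ended the entry; with the comma added as the answer says, both reply items are attached to `bob`. The operator list is taken from the users(5) man page; comment and blank lines are simply skipped.

```python
import re

# Operators from the users(5) man page, longest first so the alternation in
# _ITEM_RE does not match "=" inside ":=" or "=~".
OPERATORS = ["==", ":=", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<"]
_ITEM_RE = re.compile(
    r"^([A-Za-z0-9_.\-]+)\s*(" + "|".join(re.escape(o) for o in OPERATORS) + r")\s*(.*)$"
)


class UsersFileError(ValueError):
    """Syntax error in the users file, with the offending line number."""

    def __init__(self, lineno, msg):
        super().__init__(f"line {lineno}: {msg}")
        self.lineno = lineno


def _split_items(text):
    """Split on commas outside double quotes; return (items, trailing_comma).

    A comma inside a quoted value such as "Hello, %{User-Name}" is data.
    """
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "," and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted value")
    tail = "".join(buf)
    trailing = tail.strip() == ""       # the line ended in a comma
    if not trailing:
        items.append(tail)
    return [i.strip() for i in items], trailing


def _parse_item(lineno, item):
    """Turn 'Attr op value' into a (attr, op, value) tuple, unquoting value."""
    m = _ITEM_RE.match(item)
    if not m:
        raise UsersFileError(lineno, f"cannot parse item {item!r}")
    attr, op, value = m.groups()
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    """Parse users-file text into a list of {name, check, reply} entries."""
    entries = []
    entry_open = False   # an entry exists that may still take reply lines
    need_more = False    # the last reply line ended with a comma
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # Column 0: a new entry. A dangling comma on the previous entry is an error.
            if need_more:
                raise UsersFileError(lineno, "previous reply line ends with a comma but no reply item follows")
            fields = raw.split(None, 1)
            checks, trailing = _split_items(fields[1]) if len(fields) > 1 else ([], False)
            if trailing:
                raise UsersFileError(lineno, "check items must not end with a comma")
            entries.append({"name": fields[0],
                            "check": [_parse_item(lineno, c) for c in checks],
                            "reply": []})
            entry_open, need_more = True, False
        else:
            # Indented: reply items. They must belong to an entry that is still open.
            if not entry_open:
                raise UsersFileError(lineno, "indented reply line, but the previous entry already "
                                             "ended (its last reply line had no trailing comma)")
            items, trailing = _split_items(raw.strip())
            entries[-1]["reply"].extend(_parse_item(lineno, i) for i in items)
            need_more = entry_open = trailing
    if need_more:
        raise UsersFileError(lineno, "file ends after a trailing comma")
    return entries


# Constructed from the question's entry: no comma after Reply-Message.
BROKEN = '''bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
        Class := "myclass"
'''

# The corrected entry per the answer: comma after the Reply-Message line.
FIXED = '''bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}",
        Class := "myclass"
'''


def check(text):
    """Return (entries, None) on success or (None, error message) on a syntax error."""
    try:
        return parse_users(text), None
    except UsersFileError as e:
        return None, str(e)


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        entries, err = check(sample)
        print(label, "->", err or entries)
```

Running it prints a line-3 error for the broken entry and, for the fixed one, `bob` with both `Reply-Message` and `Class` as reply items; the quoted comma inside the `Reply-Message` value is kept as part of the value, which is why the separator has to be the comma at the end of the line.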