Building a VPN service with strongSwan, I need to distinguish between several groups of users where each group is assigned a certain subnet with certain permissions (i.e. "group x" has access only to a specific part of the local subnet, e.g. 192.168.10.10/32).
The official strongSwan wiki only allows so-called "group selection" with a RADIUS-server.
Now, according to the Wiki, there are two possibilities to gain group membership information: either by reading and interpreting the Class attribute sent within a RADIUS Access-Accept response, or by interpreting the Filter-Id attribute. The article does not highlight the (dis-)advantages of one method or the other.
Although I felt like using a RADIUS server like FreeRADIUS was a bit of overkill - I would have preferred a solution provided by strongSwan, some plugin etc. - I set up and configured FreeRADIUS, and that's where I got stuck.
I stuck with the first method (using the class attribute to send back group membership info).
In the configuration file for the rlm_files module (freeradius/3.0/mods_config/files/authorize) I set up Bob:

```text
#
# The canonical testing user which is in most of the
# examples.
#
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
#	Class := "myclass"
```
Authentication works without issues, the only thing that's missing is the class attribute. This page lists all available FreeRADIUS attributes. I looked for the Class attribute and tried to set a value (see above) which the daemon failed to read.
The file also clearly says:
Indented (with the tab character) lines following the first line indicate the configuration values to be passed back to the comm server to allow the initiation of a user session. This can include things like the PPP configuration values or the host to log the user onto.
Searching the net, this post on serverfault seems to use a similar approach but with another LDAP server. So far, there was no need for an LDAP server and that would mean another dependency or another service to rely on.
I also can't use cleartext passwords (like Bob does), instead, I'd prefer certificate-based authentication.
What's the right way to set up FreeRADIUS (and, if necessary, any other dependencies) for group-based policies? What possibilities do I have?
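The following is an added example, not part of the question above, showing the shape the rlm_files `authorize` entries need so that FreeRADIUS actually returns a Class attribute. The user names, passwords and group names are constructed for illustration. In the users file, reply items after the first line must be tab-indented, and every reply item except the last must end with a comma; without the comma the parser treats the next line as a new entry and the Class value is never sent.

```text
# rlm_files "authorize" file (constructed example entries)
# First line: user name plus check items; following tab-indented lines: reply items.
# Every reply item except the last ends with a comma.

# Members of the "vpn-admins" group (full access to the local subnet)
alice	Cleartext-Password := "alice-secret"
	Reply-Message := "Hello, %{User-Name}",
	Class := "vpn-admins"

# Members of the "vpn-users" group (restricted to a single host)
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}",
	Class := "vpn-users"
```

The Class value only becomes useful once strongSwan is told to interpret it: in strongswan.conf, `charon.plugins.eap-radius.class_group = yes` makes the eap-radius plugin turn the Class attribute from the Access-Accept into a group membership of the peer (`filter_id = yes` does the same for the Filter-Id attribute). A connection definition can then require that membership with `rightgroups=vpn-admins` in ipsec.conf (or `groups` under `remote` in swanctl.conf), and carry a `leftsubnet` limited to what that group may reach, for example `192.168.10.10/32` for the restricted group. Because Class is a reply item and not a check item, the same reply lines apply when the check item on the first line is replaced by a certificate-based method such as EAP-TLS instead of a cleartext password.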