Feature #10748
Add support for limiting IPsec VPN access per user group via RADIUS
100%
Description
Hello,
We've set up an IPsec VPN for road warriors with RADIUS auth, but, unfortunately, it seems that there is currently no way to limit which users have VPN access via groups (class attribute) in the WebGUI. Apparently, it is already supported by strongSwan, see here:
https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Group-selection
I think that the configuration should look like this, but I don't know how to enter it in the GUI:
strongswan.conf
charon {
plugins {
eap-radius {
class_group = yes
...
}
}
}
ipsec.conf
conn test
rightgroups = "VPNUsers"
Additional RADIUS Attributes (REPLY-ITEM) needed can already be entered using the FreeRADIUS settings page:
Class := "admins; VPNUsers"
This already works to set group memberships e.g. for WebGUI authentication, but sadly not yet for VPN.
Thanks!
Associated revisions
History
#1
Updated by Viktor Gurov 9 months ago
Updated by - Target version set to 2.5.0
#2
Updated by Yury Zaytsev 9 months ago
Updated by Relates to #935, which was apparently already requested 10 years ago, and implemented 5 years ago, but then got lost during refactoring / redesign :)
P.S. I can't edit my original submission, but if anyone is up to updating docs, I'm afraid that I've made a typo and there shouldn't be spaces between classes - not sure it actually breaks anything though...
Class := "admins;VPNUsers"
#3
Updated by Jim Pingle 9 months ago
Updated by - Status changed from New to Pull Request Review
#4
Updated by Renato Botelho 8 months ago
Updated by - Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
#5
Updated by Yury Zaytsev 8 months ago
Awesome, thank you very much!
#6
Updated by Steve Beaver 6 months ago
Updated by - Status changed from Feedback to Resolved
IPsec Mobile RADIUS Group authentication. Implements #10748