Regression #11447

closed

EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes

Added by Jim Pingle about 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/18/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture:

Description

When using IKEv2 EAP-RADIUS mobile IPsec and assigning client addresses from RADIUS, the pools configuration is omitted from swanctl.conf.

The pools and mobile-pool blocks are omitted since there are no addresses known for clients. The RADIUS config is in strongswan.conf.

May still need to define the pools without addresses (if possible) or find other compatible syntax.


Related issues

Related to Bug #11891: strongSwan configuration contains incorrect structure for mobile pool DNS records (Resolved, Jim Pingle, 05/05/2021)

Actions #1

Updated by Jim Pingle about 3 years ago

  • Assignee set to Jim Pingle

As a workaround, define a pool network. Clients will still pull their assigned addresses from RADIUS and the other settings will be populated in the configuration and make it to clients.

Actions #3

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Renato Botelho about 3 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #5

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1
Actions #6

Updated by Renato Botelho about 3 years ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions #7

Updated by Jim Pingle about 3 years ago

To test:

  • Set up mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
  • Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
  • Fill in DNS server information
  • Check the generated swanctl.conf for the configured DNS servers and they will be missing

On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.
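
The swanctl.conf check from the test steps above can be scripted. This is an added example, not part of the original thread or of pfSense's code; the connection name, pool name, addresses and both sample configurations are constructed, and the parser assumes one statement per line, as in generated files.

```python
# Added example. Both configs are constructed; WORKAROUND adds a pool network.
BROKEN = """
connections {
    con-mobile {
        remote {
            auth = eap-radius
        }
    }
}
"""
WORKAROUND = BROKEN + """
pools {
    mobile-pool-v4 {
        addrs = 10.99.0.0/24
        dns = 198.51.100.53, 198.51.100.54
    }
}
"""

def parse_swanctl(text):
    """Parse 'name { key = value }' blocks (one statement per line) into dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def pool_dns(text):
    """Map each pool name to the DNS servers it hands to clients."""
    pools = parse_swanctl(text).get("pools", {})
    return {name: [s.strip() for s in body.get("dns", "").split(",") if s.strip()]
            for name, body in pools.items() if isinstance(body, dict)}

def dns_problems(text):
    """Return findings for this regression: no pools, or pools without dns."""
    dns = pool_dns(text)
    if not dns:
        return ["no pools section: DNS settings are not sent to clients"]
    return [f"pool {name} has no dns attribute" for name, srv in dns.items() if not srv]
```

An empty list from `dns_problems()` means every pool in the file carries DNS servers; it only inspects swanctl.conf, so attributes supplied through strongswan.conf or by RADIUS are outside its view.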

Actions #8

Updated by Viktor Gurov about 3 years ago

Jim Pingle wrote:

To test:

  • Set up mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
  • Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
  • Fill in DNS server information
  • Check the generated swanctl.conf for the configured DNS servers and they will be missing

On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.

Still not working as expected.
It looks like we need to use strongswan.conf for this (pre-2.5 style).

Actions #9

Updated by Jim Pingle about 3 years ago

  • Target version changed from 2.5.1 to CE-Next

If it needs that kind of more involved work then we can look at it deeper for the next release after this.

Actions #10

Updated by Jim Pingle almost 3 years ago

  • Target version changed from CE-Next to 2.6.0
Actions #11

Updated by Jim Pingle almost 3 years ago

  • Plus Target Version set to 21.05
Actions #12

Updated by Jim Pingle almost 3 years ago

Already in 21.05 branch.

Actions #13

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to New
  • Plus Target Version changed from 21.05 to 21.09

Reverted changes for now, they were causing the configuration to fail. Can try again before the next release.

Actions #14

Updated by Viktor Gurov over 2 years ago

revert to pre-2.5 style (attr in strongswan.conf) which works fine:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/314

Actions #15

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review
Actions #16

Updated by Jim Pingle over 2 years ago

  • Related to Bug #11891: strongSwan configuration contains incorrect structure for mobile pool DNS records added
Actions #17

Updated by Anonymous over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #18

Updated by Jim Pingle over 2 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions #19

Updated by Pedro Ribeiro over 2 years ago

I recently hit this bug where IKEv2 EAP-RADIUS clients were not getting their DNS server.

Apologies for the comment, but in case it helps anyone, a helpful workaround is to pass parameters from FreeRADIUS for the affected users, e.g. for the DNS server, in Additional RADIUS Attributes (REPLY-ITEM) insert MS-Primary-DNS-Server = x.x.x.x. This matches well with the docs at https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS.

Actions #20

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Closed