Project

General

Profile

Regression #11447

EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes

Added by Jim Pingle about 2 months ago. Updated 28 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
02/18/2021
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.5.0
Affected Architecture:
Release Notes:
Default

Description

When using IKEv2 EAP-RADIUS mobile IPsec and assigning client addresses from RADIUS, the pools configuration is omitted from swanctl.conf.

The pools and mobile-pool blocks are omitted since there are no addresses known for clients. The RADIUS config is in strongswan.conf

May still need to still define the pools without addresses (if possible) or find other compatible syntax.

Associated revisions

Revision c03a2049 (diff)
Added by Viktor Gurov about 2 months ago

IPsec Mobile EAP-RADIUS additional configuration fix. Issue #11447

Revision b19bb324 (diff)
Added by Viktor Gurov about 1 month ago

IPsec Mobile EAP-RADIUS additional configuration fix. Issue #11447

(cherry picked from commit c03a2049b11304f592d0de78aa4bfb568e9a13ae)

History

#1 Updated by Jim Pingle about 2 months ago

  • Assignee set to Jim Pingle

As a workaround, define a pool network. Clients will still pull their assigned addresses from RADIUS and the other settings will be populated in the configuration and make it to clients.

#3 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

#4 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#5 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1

#6 Updated by Renato Botelho about 1 month ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

#7 Updated by Jim Pingle about 1 month ago

To test:

  • Setup mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
  • Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
  • Fill in DNS server information
  • Check the generated swanctl.conf for the configured DNS servers and they will be missing

On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.

#8 Updated by Viktor Gurov 28 days ago

Jim Pingle wrote:

To test:

  • Setup mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
  • Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
  • Fill in DNS server information
  • Check the generated swanctl.conf for the configured DNS servers and they will be missing

On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.

Still not working as expected.
It looks like we need to use strongswan.conf for this (pre-2.5 style).

#9 Updated by Jim Pingle 28 days ago

  • Target version changed from 2.5.1 to CE-Next

If it needs that kind of more involved work then we can look at it deeper for the next release after this.

Also available in: Atom PDF