Regression #11447
closed
EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes
Added by Jim Pingle almost 4 years ago.
Updated almost 3 years ago.
Plus Target Version:
22.01
Description
When using IKEv2 EAP-RADIUS mobile IPsec and assigning client addresses from RADIUS, the pools configuration is omitted from swanctl.conf.
The pools and mobile-pool blocks are omitted since there are no addresses known for clients. The RADIUS config is in strongswan.conf.
May still need to define the pools without addresses (if possible) or find other compatible syntax.
- Assignee set to Jim Pingle
As a workaround, define a pool network. Clients will still pull their assigned addresses from RADIUS and the other settings will be populated in the configuration and make it to clients.
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
To test:
- Setup mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
- Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
- Fill in DNS server information
- Check the generated swanctl.conf for the configured DNS servers and they will be missing
On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.
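The last test step can be scripted. The following is an added example, not part of the original issue or of the pfSense code: it parses swanctl.conf-style text and reports which pool sections carry a dns attribute. The connection name, pool name and addresses in the two samples are constructed, and the parser assumes one statement per line.

```python
def parse_sections(text):
    """Parse 'name { key = value }' text (one statement per line) into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, skip blank lines
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def pools_with_dns(text):
    """Return {pool name: [dns servers]} for each pool that carries a dns attribute."""
    pools = parse_sections(text).get("pools", {})
    return {name: [s.strip() for s in body["dns"].split(",")]
            for name, body in pools.items()
            if isinstance(body, dict) and body.get("dns")}

# Constructed sample of the reported state: no pools block at all.
BROKEN = """\
connections {
    con-mobile {
        version = 2
        remote {
            auth = eap-radius
        }
    }
}
"""
# Constructed sample of the expected state: a pool section carrying DNS servers.
FIXED = BROKEN + """\
pools {
    mobile-pool-v4 {
        addrs = 10.99.0.0/24
        dns = 192.0.2.53, 192.0.2.54
    }
}
"""
```

Calling pools_with_dns() on the contents of the generated swanctl.conf returns an empty dict when the pool data is missing.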
Jim Pingle wrote:
To test:
- Setup mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
- Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
- Fill in DNS server information
- Check the generated swanctl.conf for the configured DNS servers and they will be missing
On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.
Still not working as expected.
It looks like we need to use strongswan.conf for this (pre-2.5 style).
- Target version changed from 2.5.1 to CE-Next
If it needs that kind of more involved work then we can look at it deeper for the next release after this.
- Target version changed from CE-Next to 2.6.0
- Plus Target Version set to 21.05
- Status changed from Feedback to New
- Plus Target Version changed from 21.05 to 21.09
Reverted changes for now, they were causing the configuration to fail. Can try again before the next release.
- Status changed from New to Pull Request Review
- Related to Bug #11891: strongSwan configuration contains incorrect structure for mobile pool DNS records added
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
- Plus Target Version changed from 21.09 to 22.01
I recently hit this bug where IKEv2 EAP-RADIUS clients were not getting their DNS server.
Apologies for the comment, but in case it helps anyone, a helpful workaround is to pass parameters from FreeRADIUS for the affected users, e.g. for DNS server in Additional RADIUS Attributes (REPLY-ITEM) insert MS-Primary-DNS-Server = x.x.x.x. This matches well with the docs at https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS.
- Status changed from Feedback to Closed