Regression #11447
EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes
Status: closed
% Done: 100%
Description
When using IKEv2 EAP-RADIUS mobile IPsec and assigning client addresses from RADIUS, the pools configuration is omitted from swanctl.conf. The pools and mobile-pool blocks are omitted since there are no addresses known for clients. The RADIUS config is in strongswan.conf.
May still need to define the pools without addresses (if possible) or find other compatible syntax.
Updated by Jim Pingle almost 4 years ago
- Assignee set to Jim Pingle
As a workaround, define a pool network. Clients will still pull their assigned addresses from RADIUS and the other settings will be populated in the configuration and make it to clients.
Updated by Viktor Gurov almost 4 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
Updated by Renato Botelho over 3 years ago
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
Updated by Jim Pingle over 3 years ago
To test:
- Set up mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
- Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
- Fill in DNS server information
- Check the generated swanctl.conf for the configured DNS servers and they will be missing
On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.
Updated by Viktor Gurov over 3 years ago
Jim Pingle wrote:
To test:
- Set up mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
- Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
- Fill in DNS server information
- Check the generated swanctl.conf for the configured DNS servers and they will be missing
On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.
Still not working as expected.
It looks like we need to use strongswan.conf for this (pre-2.5 style).
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.5.1 to CE-Next
If it needs that kind of more involved work then we can look at it deeper for the next release after this.
Updated by Jim Pingle over 3 years ago
- Target version changed from CE-Next to 2.6.0
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to New
- Plus Target Version changed from 21.05 to 21.09
Reverted changes for now, they were causing the configuration to fail. Can try again before the next release.
Updated by Viktor Gurov over 3 years ago
revert to pre-2.5 style (attr in strongswan.conf) which works fine:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/314
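As an added example (not pfSense code and not written by anyone in this thread), the check from the test steps can be scripted in Python: it parses both files and reports where a client DNS attribute is set, either in a swanctl.conf pools entry or under charon.plugins.attr in strongswan.conf. The sample configurations, the connection name and the addresses are constructed, and the parser assumes values contain no quoted braces or # characters.

```python
import re

def parse(text):
    """Parse strongSwan's nested 'section { key = value }' syntax into dicts."""
    root = {}
    stack = [root]
    # Drop comments, then isolate braces so one-line sections parse too.
    text = re.sub(r"#.*", "", text).replace("{", " {\n").replace("}", "\n}\n")
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def dns_sources(swanctl_text, strongswan_text):
    """List (location, servers) pairs where a client DNS attribute is configured."""
    found = []
    for name, pool in parse(swanctl_text).get("pools", {}).items():
        if isinstance(pool, dict) and pool.get("dns"):
            found.append((f"swanctl.conf pools.{name}", pool["dns"]))
    attr = parse(strongswan_text).get("charon", {}).get("plugins", {}).get("attr", {})
    if attr.get("dns"):
        found.append(("strongswan.conf charon.plugins.attr", attr["dns"]))
    return found

# Constructed sample files; addresses are documentation ranges, not from the issue.
SWANCTL_NO_POOLS = "connections { con-mobile { version = 2 } }"
SWANCTL_POOL = "pools { mobile-pool { addrs = 198.51.100.0/24\n dns = 192.0.2.53 } }"
STRONGSWAN_NO_ATTR = "charon { plugins { eap-radius { servers { } } } }"
STRONGSWAN_ATTR = """
charon {
    plugins {
        attr {
            dns = 192.0.2.53,192.0.2.54  # constructed value
        }
    }
}
"""

if __name__ == "__main__":
    for label, sw in (("no pools", SWANCTL_NO_POOLS), ("pool defined", SWANCTL_POOL)):
        print(label, dns_sources(sw, STRONGSWAN_ATTR) or "no DNS attribute found")
```

An empty result for a configuration with DNS servers filled in corresponds to the symptom described in this issue.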
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle over 3 years ago
- Related to Bug #11891: strongSwan configuration contains incorrect structure for mobile pool DNS records added
Updated by Anonymous over 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 3a0f6f3609dcb50e3ba927a743fb9f1990a48181.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Pedro Ribeiro about 3 years ago
I recently hit this bug where IKEv2 EAP-RADIUS clients were not getting their DNS server.
Apologies for the comment, but in case it helps anyone, a helpful workaround is to pass parameters from FreeRADIUS for the affected users, e.g. for DNS server in Additional RADIUS Attributes (REPLY-ITEM) insert MS-Primary-DNS-Server = x.x.x.x. This matches well with the docs at https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS.
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to Closed