Feature #13227

open

Enable IPSec Virtual IP Pool assignment by Radius for Mobile Users - SIMPLE FIX

Added by Tue Madsen about 1 month ago. Updated about 1 month ago.

Status: New
Priority: High
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

Currently you cannot create additional Virtual IP Pools to assign mobile users IP addresses from, if you are using EAP-Radius as the authentication source.
This prohibits using different firewall rules for different groups of users.
Everyone is treated the same, unless you specifically assign a static IP to a specific user from Radius via framed-ip-address - which is NOT scalable.

But all the logic is enabled in strongswan, and the GUI-settings-to-swanctl.conf scripts have already enabled the groups feature in strongswan, so it will accept the "Class" attribute from Radius as a group identifier.

There just needs to be a way to create a groups identifier in the GUI with an attached IP Pool that is written correctly to the config files.

By hacking /etc/inc/ipsec.inc I have enabled this by asking the "preshared secrets" GUI part to write an EAP Shared Secret as a "groups" entry in the remote section instead of an "id".
All I did was the following edit in /etc/inc/ipsec.inc:
Locate the major section called "/***f ipsec/ipsec_setup_userpools" about halfway into the file.
Locate the line: "$scconf['connections'][$upconn]['remote']['id'] = $clientid;"
Change it to: "$scconf['connections'][$upconn]['remote']['groups'] = $clientid;"

Once that is done, if you enable "group authentication" in your mobile clients settings, group identifiers returned in the "Class" attribute are respected, and the user is assigned an IP from the custom pool. Default users are still assigned IPs from the default mobile warrior pool if Radius returns the group name(s) selected in the mobile clients setup.

A very quick fix to this issue would be to add a new "Groups" tab in IPsec where you can add a group identifier and the IP Pool to use for that group. It can use most of the same script parts from "/***f ipsec/ipsec_setup_userpools" in ipsec.inc - it just needs to create the line in the remote part of swanctl.conf with 'groups' instead of 'id'.
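To make the effect of that one-line change concrete, here is an illustrative swanctl.conf fragment, added here as an example and not generated by pfSense or written by the reporter. It shows the default mobile connection beside a per-group connection whose remote section carries "groups" instead of "id"; the connection, pool and group names and the address ranges are assumed placeholders.

```conf
# Constructed example (placeholder names, not pfSense's generated output).
# Both connections authenticate the peer with EAP-RADIUS. The second one additionally
# requires that the RADIUS server returned a Class attribute equal to the group name,
# and hands out addresses from its own pool. Children/proposals are omitted for brevity.
# Mapping the RADIUS Class attribute to a strongSwan group relies on the eap-radius
# plugin option charon.plugins.eap-radius.class_group = yes in strongswan.conf,
# which the reporter states pfSense already enables.
connections {
    con-mobile {
        # default mobile connection: every authenticated user matches here
        local {
            auth = pubkey
            id = vpn.example.com
        }
        remote {
            auth = eap-radius
            eap_id = %any
        }
        pools = mobile-default-pool
    }
    con-mobile-finance {
        # per-group connection produced by the described edit to ipsec.inc
        local {
            auth = pubkey
            id = vpn.example.com
        }
        remote {
            auth = eap-radius
            eap_id = %any
            # before the edit pfSense would emit:  id = finance
            # (which only matches a peer whose IKE identity is literally "finance")
            groups = finance   # matches a peer whose RADIUS Class attribute is "finance"
        }
        pools = finance-pool
    }
}
pools {
    mobile-default-pool {
        addrs = 10.10.0.0/24
    }
    finance-pool {
        addrs = 10.20.0.0/24
    }
}
```

A user whose RADIUS reply carries no matching Class value falls through to con-mobile and the default pool, which is the behaviour the description reports.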

Actions #1

Updated by Tue Madsen about 1 month ago

I should mention you can use my modification afterwards by creating the group identifier and IP pool needed, i.e. by creating an "EAP Shared Secret" with an IP Pool.

If you return your created identifier with the "Class" attribute from Radius, the user is assigned an IP from your new custom pool.

You can read the more elaborate explanation on my modification here: https://forum.netgate.com/topic/172476/a-guide-to-assign-vpn-group-and-user-ip-pool-from-radius-in-22-01-2-6
