How to configure group attributes for strongswan EAP-radius using freeradius mysql


So I am trying to figure out how to tie the use of groups in Strongswan to Freeradius using SQL (plus daloradius).

Currently, authentication between Strongswan and Freeradius works fine. However, I would like to have groups to separate the different connections, but I don't know how to map the groups. Basically, I have created General and EPD.

Here is the ipsec.conf:

```
conn %default
       compress = yes
       dpdaction = clear
       dpddelay = 30s
       inactivity = 300s
       leftdns = 1.1.1.1,1.0.0.1
       rightdns = 1.1.1.1,1.0.0.1
       esp = aes256-sha256,aes256-sha1,3des-sha1!
       ike = aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp2048,aes256-sha256-modp$
       keyexchange = ikev2
       keyingtries = 1

conn IKEv2-BASE
       leftca = "C=HK, O=Test, CN=Test CA"
       leftsendcert = always
       rightsendcert = never
       leftcert = server.cert.pem
       left = %any
       right = %any
       leftauth = pubkey
       rightauth = eap-radius
       leftfirewall = yes
       leftsubnet = 0.0.0.0/0
       fragmentation = yes
       eap_identity = %any
       rekey = no

conn test1
       also = IKEv2-BASE
       leftid = ip1
       rightsourceip = 10.1.0.0/16
       rightgroups = "General"
       auto = add

conn test2
       also = IKEv2-BASE
       leftid = ip1
       rightsourceip = 10.2.0.0/16
       rightgroups = "EPD"
       auto = add
```

In the database I can see that my user has been added to the group. This is the error message shown:

```
Oct 5 06:30:38 vm_strongswanikev2 charon: 14[CFG] no alternative config found
Oct 5 06:30:38 vm_strongswanikev2 charon: 14[CFG] selected peer config 'EPD' unacceptable: non-matching authentication done
Oct 5 06:30:38 vm_strongswanikev2 charon: 14[CFG] constraint check failed: group membership to 'EPD' required
Oct 5 06:30:38 vm_strongswanikev2 charon: 14[CFG] switching to peer config 'EPD'
Oct 5 06:30:38 vm_strongswanikev2 charon: 14[CFG] selected peer config 'General' unacceptable: non-matching authentication done
Oct 5 06:30:38 vm_strongswanikev2 charon: 14[CFG] constraint check failed: group membership to 'General' required
```

Looking at the log, it seems it cannot read the group attribute from the database. What else do I need to turn on / map in the file? It seems that even right now, when I run radtest, it will not show me any group attributes.

Thank you so much in advance for your help.

Answer 1

Hello. If your users have groups, I think you only need to enable Class (the group in the Radius DB) in /etc/strongswan.conf:

```
charon {
    ....
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            class_group = yes
....
```

That is, check the parameter class_group = yes.

See more details at https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-class-radius/
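As an added example that is not part of the original answer: with class_group = yes, strongSwan only matches rightgroups against the RADIUS Class attribute that FreeRADIUS actually sends in its Access-Accept, so the SQL side must return one. The rows below assume the stock FreeRADIUS MySQL schema (radusergroup, radgroupreply) and a constructed user name alice; the group names are the ones from the ipsec.conf above.

```sql
-- Group membership (what daloradius writes when a user is added to a group).
-- 'alice' is a constructed user name for this example.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('alice', 'EPD', 1);

-- Group reply attributes: the Class value must equal the name used in
-- rightgroups = "..." in ipsec.conf, otherwise the constraint check fails
-- with "group membership to 'EPD' required".
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('EPD', 'Class', ':=', 'EPD');

INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('General', 'Class', ':=', 'General');

-- Check: which Class value each user will receive. A user whose group has
-- no Class row here gets no group attribute, which is what an empty radtest
-- reply looks like.
SELECT ug.username, ug.groupname, gr.value AS class_attr
FROM radusergroup AS ug
LEFT JOIN radgroupreply AS gr
       ON gr.groupname = ug.groupname AND gr.attribute = 'Class'
ORDER BY ug.username, ug.priority;
```

After the rows are in place, the Class attribute should appear in the radtest Access-Accept output, and charon will then accept the matching peer config.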
