We want to set up a StrongSwan VPN with FreeRADIUS for authentication. In addition to that we want to assign different subnets to users based on AD groups. StrongSwan uses the Class attribute in an Access-Accept reply for that (https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius).
To my knowledge it is possible to use custom attributes in FreeRADIUS to store data used during the reply/proxy/control… process and send that back to StrongSwan.
Unfortunately this is not working in our FreeRADIUS environment and the custom attribute stays empty. It is, however, possible to access attributes that already exist in the reply list.
This configuration, for example, sends back an empty Reply-Message variable.
/etc/raddb/dictionary:

```
ATTRIBUTE test 3000 string
```

/etc/raddb/users:

```
DEFAULT test = "TESTTEST"
```

/etc/raddb/sites-enabled/default:

```
…
post-auth {
    …
    update reply {
        Reply-Message := "%{control:test}"
    }
    …
}
```
Log output:

```
(11) [exec] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) update reply {
(11) EXPAND %{control:test}
(11) -->
(11) Reply-Message :=
(11) } # update reply = noop
(11) } # post-auth = noop
(11) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:50913 length 0
(11) MS-MPPE-Recv-Key = 0xd23e4723df9ff904741b91827518aaa48dcbca27204024965d37fdb6bece0270
(11) MS-MPPE-Send-Key = 0x4e7de0fc944a5114ab435df43fa943901870741a86571e3ccddef11b82e406e1
(11) EAP-Message = 0x03050004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "raduser"
(11) Reply-Message := ""
(11) Finished request
```

FreeRADIUS Version 3.0.19
According to these guides, the configuration above should work:
- returning custom user attributes in the radius reply
- https://serverfault.com/questions/939980/freeradius-return-user-groups-in-class-field
Is there anything we’re missing? Thanks in advance.
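As an added illustration for readers following this question (it is not part of the question and not FreeRADIUS code), the Python script below parses a `users` file with the same grammar the `files` module reads: check items on an entry's first line land in the request's control list, indented continuation lines hold reply items that land in the reply list, and `%{list:Attr}` references are resolved the way the `EXPAND` line in the debug output does, yielding an empty string when the attribute is absent from that list. The first entry in the embedded sample mirrors the `/etc/raddb/users` line from the question; the second entry (`raduser`, with `Class` and `Reply-Message` reply items) is constructed for the example. Operator semantics such as `==` comparisons and Fall-Through handling are deliberately not modelled.

```python
"""Minimal parser for the FreeRADIUS `users` file format (added example).

Grammar implemented (per users(5)):
  * an entry starts on a non-indented line: "<name> <check items>"
  * check items are comma-separated "Attr op value" pairs on that line
  * following indented lines hold reply items, comma-separated, with a
    trailing comma on every reply line except the last
  * lines starting with '#' are comments; blank lines are ignored
Check items map to the control list, reply items to the reply list.
"""
import re
from dataclasses import dataclass, field

# Two-character operators are listed first so "==" is tried before "="
OPERATORS = ("==", ":=", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<")
_OP_RE = "|".join(re.escape(op) for op in OPERATORS)
# Attr  op  "quoted value with \" escapes"  |  bare value up to space or comma
ITEM_RE = re.compile(rf'\s*([\w-]+)\s*({_OP_RE})\s*("(?:[^"\\]|\\.)*"|[^\s,]+)\s*')
XLAT_RE = re.compile(r"%\{(control|reply|request):([\w-]+)\}")

# Constructed sample: entry 1 mirrors the question, entry 2 is invented
USERS_FILE = """
# DEFAULT entry as in the question: `test` is a CHECK item (control list)
DEFAULT test = "TESTTEST"

raduser Cleartext-Password := "secret"
\tClass = "OU=vpn-admins",
\tReply-Message = "hello %{User-Name}"
"""


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)  # becomes the control: list
    reply: list = field(default_factory=list)  # becomes the reply: list


def _parse_items(text):
    """Split 'A = "x", B := y,' into [(attr, op, value), ...]."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item near {text[pos:]!r}")
        attr, op, value = m.groups()
        if value.startswith('"'):
            value = value[1:-1]  # drop surrounding quotes, keep escapes as-is
        items.append((attr, op, value))
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ValueError(f"expected ',' near {text[pos:]!r}")
            pos += 1
    return items


def parse_users(text):
    """Parse a users file into Entry objects with check and reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # indented: reply items for the current entry
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1].reply.extend(_parse_items(line))
        else:  # entry start: name followed by optional check items
            parts = re.split(r"\s+", line.strip(), maxsplit=1)
            entry = Entry(parts[0])
            if len(parts) > 1:
                entry.check = _parse_items(parts[1])
            entries.append(entry)
    return entries


def lists_for(entry):
    """Map an entry's items onto the server's control and reply lists."""
    return {
        "control": {attr: value for attr, _op, value in entry.check},
        "reply": {attr: value for attr, _op, value in entry.reply},
    }


def expand(template, lists):
    """Resolve %{list:Attr}; a missing attribute expands to "" as in the log."""
    return XLAT_RE.sub(lambda m: lists.get(m.group(1), {}).get(m.group(2), ""), template)


if __name__ == "__main__":
    for entry in parse_users(USERS_FILE):
        lists = lists_for(entry)
        print(entry.name, "control:", lists["control"], "reply:", lists["reply"])
        print("  EXPAND %{control:test} -->", repr(expand("%{control:test}", lists)))
```

Running the script prints the control and reply lists for each entry; comparing the `EXPAND` result against the `EXPAND %{control:test} --> ` line in a live debug run (`radiusd -X`) shows quickly whether the `files` module populated the list the xlat reads from.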