Hi,
with the RADIUS module, authentication and accounting can be achieved easily against every backend RADIUS can talk to. Policing is possible with RADIUS. So everything works nicely.

I want to deal with authorization in a strongSwan / RADIUS setup. As far as I understood the docs, the RADIUS server can pass group membership in the Class attribute. strongSwan can use this information in its rightgroup option in ipsec.conf. A conn section fits if at least one group is returned by the RADIUS server.

This works nicely in scenarios where I have disjoint access rights for user groups, i.e. accounting can access other internal servers than users in the engineering group, and a user is never in both groups.

Is it possible to set up (or implement) a configuration where every group has different access rights? This could be achieved by filter lists based on group membership that swan would use as leftsubnet. Or strongSwan could call an updown script and pass on the group membership. That script would set up the firewall correctly.

Any other thoughts?

Kind regards,

-- 
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
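The first approach from the post (a conn section per group, each with its own leftsubnet), written out as an added example that is not part of the post and not taken from the strongSwan documentation. It assumes the RADIUS server at 192.0.2.10 returns Class=accounting or Class=engineering in its Access-Accept; the certificate file, identities, shared secret, subnets and address pools are made up. Note that the ipsec.conf keyword is spelled rightgroups (plural), and that the eap-radius plugin only treats the Class attribute as group membership when class_group is enabled in strongswan.conf.

```ini
# Added example, not from the post and not strongSwan's own documentation.
# Names, addresses, certificate file, secret and group strings are assumed.

# --- /etc/strongswan.conf: make the RADIUS Class attribute define group membership
charon {
    plugins {
        eap-radius {
            class_group = yes
            servers {
                primary {
                    address = 192.0.2.10
                    secret = assumed-shared-secret
                }
            }
        }
    }
}

# --- /etc/ipsec.conf: one conn per group, each with its own leftsubnet
conn %default
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.com
    leftcert=vpnGatewayCert.pem
    leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%identity
    auto=add

# Matches only when the Access-Accept carried Class=accounting
conn accounting
    rightgroups=accounting
    leftsubnet=10.10.1.0/24
    rightsourceip=10.9.1.0/24

# Matches only when the Access-Accept carried Class=engineering
conn engineering
    rightgroups=engineering
    leftsubnet=10.10.2.0/24
    rightsourceip=10.9.2.0/24

# No catch-all conn without rightgroups: a user whose Class matches neither
# group finds no conn and is rejected instead of getting some default access.
```

Giving each group its own rightsourceip pool is deliberate: the client's virtual IP then encodes the group, so firewall rules on the gateway can key on the source address without needing any group information from charon. rightgroups means "member of at least one of the listed groups", so a user who is in both groups satisfies both conns; such users need their own group value (and a conn listing both networks in leftsubnet) rather than relying on which conn happens to match.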
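The second approach from the post, an updown script that sets the firewall per group, as an added example that is not the poster's code and not strongSwan's bundled _updown script. It assumes one conn section per RADIUS group (conn accounting, conn engineering), so the conn name that satisfied rightgroups already identifies the group and charon hands it to the script as PLUTO_CONNECTION; PLUTO_VERB and PLUTO_PEER_CLIENT are likewise set by charon. The subnets are made up, and the FORWARD chain is assumed to have policy DROP so that only what this script inserts is allowed.

```sh
#!/bin/sh
# Added example of a per-group updown script; not the poster's code and not
# strongSwan's _updown. Assumptions: one conn per RADIUS group, so
# PLUTO_CONNECTION identifies the group; FORWARD policy is DROP; the subnets
# below are invented. Hook it up in ipsec.conf with leftupdown=/path/to/script.

# Destination subnet each group may reach (assumed values).
subnet_for_conn() {
    case "$1" in
        accounting)  echo "10.10.1.0/24" ;;
        engineering) echo "10.10.2.0/24" ;;
        *)           return 1 ;;
    esac
}

# Print the iptables command for one event.
# $1 = PLUTO_VERB, $2 = PLUTO_CONNECTION, $3 = PLUTO_PEER_CLIENT (the client's
# virtual IP, e.g. 10.9.0.5/32). Returns 1 for verbs or conns this script does
# not handle, so that nothing is executed for them.
fw_rule() {
    verb=$1; conn=$2; client=$3
    dst=$(subnet_for_conn "$conn") || return 1
    case "$verb" in
        up-client)   op="-I" ;;
        down-client) op="-D" ;;
        *)           return 1 ;;
    esac
    # The policy match limits the rule to packets that arrived inside an ESP SA;
    # a clear-text packet spoofing the client's source address does not match.
    echo "iptables $op FORWARD -s $client -d $dst -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
}

# Entry point used by charon. Set FW_DRY_RUN=1 to print instead of execute.
main() {
    rule=$(fw_rule "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_PEER_CLIENT") || exit 0
    if [ -n "${FW_DRY_RUN:-}" ]; then
        echo "$rule"
    else
        $rule
    fi
}

# Only act when charon invoked us (PLUTO_VERB set); the file can then also be
# sourced to exercise fw_rule by hand.
if [ -n "${PLUTO_VERB:-}" ]; then
    main
fi
```

Try it without touching the firewall with `PLUTO_VERB=up-client PLUTO_CONNECTION=accounting PLUTO_PEER_CLIENT=10.9.0.5/32 FW_DRY_RUN=1 sh ./script`. Because the rule spec printed for down-client is identical to the one inserted on up-client, the `-D` removes exactly the rule the `-I` added when the client disconnects.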