On Dec 12, 2015, at 5:21 PM, François Lacombe <fl.infosreseaux@gmail.com> wrote:
My roadwarrior users always use the same public IP address to reach it but can ask for different ids during the IKEv2 process (strongswan's ipsec.conf left|rightid parameters) To each id correspond a tunnel IP configuration and thus give access to different LAN depending of the L3 routing/firewall.
OK.
The current question, and this is where freeradius+ldap are useful, is to know if each user is allowed to access to a given network area. Strongswan informs the radius of which connection configuration the user is asking for in the NAS-Port-Id.
That's good to know. It would have been helpful to say that at the start. Otherwise it's hard to tell what you're really doing.
In my situation, all users are roadwarriors, may use any public IP they can depending of their location and it can't be part of any stable conf.
Those people do not send RADIUS packets. The OpenSWAN system sends RADIUS packets. Therefore, the NAS-IP-Address *should* always be the IP of the OpenSWAN system.
Is this the same with NAS-Port Id? Should I take care of that ?
Define what you mean "take care of that" ?
To conform to the RFC2865 guidelines.
I still have no idea what that means. Perhaps you could explain in detail. Alan DeKok.