1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
charon.plugins.eap-radius.accounting = no
Send RADIUS accounting information to RADIUS servers.
charon.plugins.eap-radius.accounting_close_on_timeout = yes
Close the IKE_SA if there is a timeout during interim RADIUS accounting
updates.
charon.plugins.eap-radius.accounting_requires_vip = no
If enabled, accounting is disabled unless an IKE_SA has at least one
virtual IP.
charon.plugins.eap-radius.class_group = no
Use class attributes in RADIUS-Accept messages as group membership
information.
Use the _class_ attribute sent in the RADIUS-Accept message as group
membership information that is compared to the groups specified in the
**rightgroups** option in **ipsec.conf**(5).
charon.plugins.eap-radius.close_all_on_timeout = no
Closes all IKE_SAs if communication with the RADIUS server times out. If it
is not set only the current IKE_SA is closed.
charon.plugins.eap-radius.dae.enable = no
Enables support for the Dynamic Authorization Extension (RFC 5176).
charon.plugins.eap-radius.dae.listen = 0.0.0.0
Address to listen for DAE messages from the RADIUS server.
charon.plugins.eap-radius.dae.port = 3799
Port to listen for DAE requests.
charon.plugins.eap-radius.dae.secret
Shared secret used to verify/sign DAE messages. If set, make sure to adjust
the permissions of the config file accordingly.
charon.plugins.eap-radius.eap_start = no
Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
charon.plugins.eap-radius.filter_id = no
Use filter_id attribute as group membership information.
If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
the _filter_id_ attribute sent in the RADIUS-Accept message as group
membership information that is compared to the groups specified in the
**rightgroups** option in **ipsec.conf**(5).
charon.plugins.eap-radius.forward.ike_to_radius
RADIUS attributes to be forwarded from IKEv2 to RADIUS.
RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
name or attribute number, a colon can be used to specify vendor-specific
attributes, e.g. Reply-Message, or 11, or 36906:12).
charon.plugins.eap-radius.forward.radius_to_ike =
Same as ike_to_radius but from RADIUS to IKEv2.
Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
IKEv2, a strongSwan specific private notify (40969) is used to transmit the
attributes.
charon.plugins.eap-radius.id_prefix
Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
EAP method.
charon.plugins.eap-radius.nas_identifier = strongSwan
NAS-Identifier to include in RADIUS messages.
charon.plugins.eap-radius.port = 1812
Port of RADIUS server (authentication).
charon.plugins.eap-radius.secret =
Shared secret between RADIUS and NAS. If set, make sure to adjust the
permissions of the config file accordingly.
charon.plugins.eap-radius.server =
IP/Hostname of RADIUS server.
charon.plugins.eap-radius.servers {}
Section to specify multiple RADIUS servers.
Section to specify multiple RADIUS servers. The **nas_identifier**,
**secret**, **sockets** and **port** (or **auth_port**) options can be
specified for each server. A server's IP/Hostname can be configured using
the **address** option. The **acct_port** [1813] option can be used to
specify the port used for RADIUS accounting. For each RADIUS server a
priority can be specified using the **preference** [0] option.
charon.plugins.eap-radius.sockets = 1
Number of sockets (ports) to use, increase for high load.
charon.plugins.eap-radius.xauth {}
Section to configure multiple XAuth authentication rounds via RADIUS.
Section to configure multiple XAuth authentication rounds via RADIUS.
The subsections define so called authentication profiles with arbitrary
names. In each profile section one or more XAuth types can be configured,
with an assigned message. For each type a separate XAuth exchange will be
initiated and all replies get concatenated into the User-Password attribute,
which then gets verified over RADIUS.
Available XAuth types are **password**, **passcode**, **nextpin**, and
**answer**. This type is not relevant to strongSwan or the AAA server, but
the client may show a different dialog (along with the configured message).
To use the configured profiles, they have to be configured in the respective
connection in **ipsec.conf**(5) by appending the profile name, separated by
a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
|