author | Tobias Brunner <tobias@strongswan.org> | 2015-06-02 14:48:31 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2015-08-06 14:57:26 +0200 |
commit | 186d25cbe68e2ca8ea1e5d17017d627c4adf4101 (patch) | |
tree | f916d1a0cbf43245318a32a78d9854cbcc864abb /conf | |
parent | 626b2e85f05a7cd07a9602b3264cb8f0761bb2bf (diff) | |
download | strongswan-186d25cbe68e2ca8ea1e5d17017d627c4adf4101.tar.bz2 strongswan-186d25cbe68e2ca8ea1e5d17017d627c4adf4101.tar.xz |
eap-radius: Change trigger for Accounting Start messages for IKEv1
Some clients won't do Mode Config or XAuth during reauthentication.
Because Start messages previously were triggered by TRANSACTION exchanges,
none were sent for new SAs of such clients, while Stop messages were still
sent for the old SAs when they were destroyed. This resulted in an
incorrect state on the RADIUS server.
Since 31be582399 the assign_vips() event is also triggered during
reauthentication if the client does not do a Mode Config exchange.
So instead of waiting for a TRANSACTION exchange we trigger the Start
message when a virtual IP is assigned to a client.
With this the charon.plugins.eap-radius.accounting_requires_vip option
would not have any effect for IKEv1 anymore. However, it previously also
only worked if the client did an XAuth exchange, which is probably
rarely used without virtual IPs, so this might not be much of a
regression.
Fixes #937.
Diffstat (limited to 'conf')
-rw-r--r-- | conf/plugins/eap-radius.opt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt index 2a6786dd9..7d511155b 100644 --- a/conf/plugins/eap-radius.opt +++ b/conf/plugins/eap-radius.opt @@ -11,7 +11,7 @@ charon.plugins.eap-radius.accounting_interval = 0 charon.plugins.eap-radius.accounting_requires_vip = no If enabled, accounting is disabled unless an IKE_SA has at least one - virtual IP. + virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. charon.plugins.eap-radius.class_group = no Use class attributes in Access-Accept messages as group membership |
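Review bot: the new sentence in the accounting_requires_vip description ("Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.") is a comma splice and leaves the reader to infer why the option is irrelevant for IKEv1; since the commit message states that Start messages are now triggered by virtual IP assignment, the option text should say that explicitly, e.g. "Only applies to IKEv2. For IKEv1, accounting is started only when a virtual IP is assigned, so the option has no effect there." Note also that this diff is limited to 'conf', so the plugin code that moves the Start trigger from the TRANSACTION exchange to assign_vips() is not visible here; the option description should be kept in sync with that change when it is reviewed.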