1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
charon.plugins.eap-radius.accounting = no
Send RADIUS accounting information to RADIUS servers.
charon.plugins.eap-radius.accounting_close_on_timeout = yes
Close the IKE_SA if there is a timeout during interim RADIUS accounting
updates.
charon.plugins.eap-radius.accounting_interval = 0
Interval in seconds for interim RADIUS accounting updates, if not specified
by the RADIUS server in the Access-Accept message.
charon.plugins.eap-radius.accounting_requires_vip = no
If enabled, accounting is disabled unless an IKE_SA has at least one
virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
charon.plugins.eap-radius.accounting_send_class = no
If enabled, adds the Class attributes received in Access-Accept message to
the RADIUS accounting messages.
charon.plugins.eap-radius.class_group = no
Use class attributes in Access-Accept messages as group membership
information.
Use the _class_ attribute sent in the RADIUS-Accept message as group
membership information that is compared to the groups specified in the
**rightgroups** option in **ipsec.conf**(5).
charon.plugins.eap-radius.close_all_on_timeout = no
Closes all IKE_SAs if communication with the RADIUS server times out. If it
is not set only the current IKE_SA is closed.
charon.plugins.eap-radius.dae.enable = no
Enables support for the Dynamic Authorization Extension (RFC 5176).
charon.plugins.eap-radius.dae.listen = 0.0.0.0
Address to listen for DAE messages from the RADIUS server.
charon.plugins.eap-radius.dae.port = 3799
Port to listen for DAE requests.
charon.plugins.eap-radius.dae.secret
Shared secret used to verify/sign DAE messages. If set, make sure to adjust
the permissions of the config file accordingly.
charon.plugins.eap-radius.eap_start = no
Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
charon.plugins.eap-radius.filter_id = no
Use filter_id attribute as group membership information.
If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
the _filter_id_ attribute sent in the RADIUS-Accept message as group
membership information that is compared to the groups specified in the
**rightgroups** option in **ipsec.conf**(5).
charon.plugins.eap-radius.forward.ike_to_radius
RADIUS attributes to be forwarded from IKEv2 to RADIUS.
RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
name or attribute number, a colon can be used to specify vendor-specific
attributes, e.g. Reply-Message, or 11, or 36906:12).
charon.plugins.eap-radius.forward.radius_to_ike =
Same as ike_to_radius but from RADIUS to IKEv2.
Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
IKEv2, a strongSwan specific private notify (40969) is used to transmit the
attributes.
charon.plugins.eap-radius.id_prefix
Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
EAP method.
charon.plugins.eap-radius.nas_identifier = strongSwan
NAS-Identifier to include in RADIUS messages.
charon.plugins.eap-radius.port = 1812
Port of RADIUS server (authentication).
charon.plugins.eap-radius.secret =
Shared secret between RADIUS and NAS. If set, make sure to adjust the
permissions of the config file accordingly.
charon.plugins.eap-radius.server =
IP/Hostname of RADIUS server.
charon.plugins.eap-radius.retransmit_base = 1.4
Base to use for calculating exponential back off.
charon.plugins.eap-radius.retransmit_timeout = 2.0
Timeout in seconds before sending first retransmit.
charon.plugins.eap-radius.retransmit_tries = 4
Number of times to retransmit a packet before giving up.
charon.plugins.eap-radius.servers {}
Section to specify multiple RADIUS servers.
Section to specify multiple RADIUS servers. The **nas_identifier**,
**secret**, **sockets** and **port** (or **auth_port**) options can be
specified for each server. A server's IP/Hostname can be configured using
the **address** option. The **acct_port** [1813] option can be used to
specify the port used for RADIUS accounting. For each RADIUS server a
priority can be specified using the **preference** [0] option. The
retransmission time for each server can set set using **retransmit_base**,
**retransmit_timeout** and **retransmit_tries**.
charon.plugins.eap-radius.sockets = 1
Number of sockets (ports) to use, increase for high load.
charon.plugins.eap-radius.xauth {}
Section to configure multiple XAuth authentication rounds via RADIUS.
Section to configure multiple XAuth authentication rounds via RADIUS.
The subsections define so called authentication profiles with arbitrary
names. In each profile section one or more XAuth types can be configured,
with an assigned message. For each type a separate XAuth exchange will be
initiated and all replies get concatenated into the User-Password attribute,
which then gets verified over RADIUS.
Available XAuth types are **password**, **passcode**, **nextpin**, and
**answer**. This type is not relevant to strongSwan or the AAA server, but
the client may show a different dialog (along with the configured message).
To use the configured profiles, they have to be configured in the respective
connection in **ipsec.conf**(5) by appending the profile name, separated by
a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
|
