strongSwan as a Policy Enforcement Point¶
Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface¶
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-radius
/etc/strongswan.conf - strongSwan configuration file
charon {
plugins {
eap-radius {
secret = gv6URkSs
server = 10.1.0.10
filter_id = yes
}
}
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
/etc/ipsec.conf - strongSwan IPsec configuration file
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any
Configuration of a FreeRADIUS Server with TNC@FHH plugin¶
First build a TNC@FHH Server based on FreeRADIUS with two inner authentication methods according to the following HOWTO.
In order to interoperate with a strongSwan VPN Policy Enforcement Point the following FreeRADIUS configuration files are needed:
/etc/raddb/clients.conf
client 10.1.0.1 {
secret = gv6URkSs
shortname = moon
}
/etc/raddb/eap.conf
eap {
md5 {
}
default_eap_type = ttls
tls {
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
cipher_list = "DEFAULT"
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
ttls {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
tnc_virtual_server = "inner-tunnel-second"
}
}
eap eap_tnc {
default_eap_type = tnc
tnc {
}
}
/etc/raddb/proxy.conf
realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}
/etc/raddb/users
carol Cleartext-Password := "Ar3etTnp" dave Cleartext-Password := "W7R0g3do"
/etc/raddb/sites-available/default
authorize {
suffix
eap {
ok = return
}
files
}
authenticate {
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
/etc/raddb/sites-available/inner-tunnel
server inner-tunnel {
authorize {
suffix
eap {
ok = return
}
files
}
authenticate {
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
/etc/raddb/sites-available/inner-tunnel-second
server inner-tunnel-second {
authorize {
eap_tnc {
ok = return
}
}
authenticate {
eap_tnc
}
session {
radutmp
}
post-auth {
if (control:TNC-Status == "Access") {
update reply {
Tunnel-Type := ESP
Filter-Id := "allow"
}
}
elsif (control:TNC-Status == "Isolate") {
update reply {
Tunnel-Type := ESP
Filter-Id := "isolate"
}
}
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
} # inner-tunnel-second block
/etc/raddb/dictionary
$INCLUDE /usr/share/freeradius/dictionary $INCLUDE /etc/raddb/dictionary.tnc
/etc/raddb/dictionary.tnc
ATTRIBUTE TNC-Status 3001 integer VALUE TNC-Status Access 0 VALUE TNC-Status Isolate 1 VALUE TNC-Status None 2