strongSwan as a Policy Enforcement Point
Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface
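# Build charon only (pluto disabled) with the eap-radius plugin, which relays the
# client's EAP exchange to the TNC-enabled FreeRADIUS server configured below.
# Note: --sysconfdir takes its value without a space, otherwise "=/etc" is parsed
# as a separate (ignored) argument and strongswan.conf/ipsec.conf end up under
# $prefix/etc instead of /etc.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl --enable-eap-radius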
/etc/strongswan.conf - strongSwan configuration file
charon {
    plugins {
        eap-radius {
            # Shared secret for the RADIUS server; it must equal the secret of the
            # "client 10.1.0.1" entry in /etc/raddb/clients.conf. It is stored in
            # clear text, so keep this file readable by root only.
            secret = gv6URkSs

            # TNC@FHH / FreeRADIUS server that terminates EAP-TTLS and runs the
            # TNC assessment. RADIUS only authenticates messages with the shared
            # secret, so the 10.1.0.1 <-> 10.1.0.10 path should be a trusted
            # network.
            server = 10.1.0.10

            # Treat the Filter-Id attribute of the Access-Accept as a group name,
            # which the "rightgroups=" settings in ipsec.conf match against.
            filter_id = yes
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
# Private key belonging to moonCert.pem (leftcert in ipsec.conf). The empty
# selector before the colon makes this the key used for the gateway's identity.
: RSA moonKey.pem
/etc/ipsec.conf - strongSwan IPsec configuration file
# Clients whose Access-Accept carried Filter-Id "allow" (TNC-Status Access on
# the RADIUS side) are given access to the production subnet.
conn rw-allow
        rightgroups=allow
        leftsubnet=10.1.0.0/28
        also=rw-eap
        auto=add

# Clients whose Access-Accept carried Filter-Id "isolate" (TNC-Status Isolate)
# are confined to the remediation subnet.
conn rw-isolate
        rightgroups=isolate
        leftsubnet=10.1.0.16/28
        also=rw-eap
        auto=add

# Settings shared by both conns: the gateway authenticates with its certificate,
# the client via EAP relayed to the RADIUS server (rightauth=eap-radius). A reply
# without a Filter-Id should match neither rightgroups and therefore neither
# conn — verify this fail-closed behaviour with a client that fails the TNC
# assessment.
conn rw-eap
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftauth=pubkey
        rightauth=eap-radius
        rightid=*@strongswan.org
        rightsendcert=never
        right=%any
Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a TNC@FHH server on top of FreeRADIUS with two inner authentication methods (user authentication followed by the TNC assessment), following the TNC@FHH HOWTO.
In order to interoperate with a strongSwan VPN Policy Enforcement Point the following FreeRADIUS configuration files are needed. The RADIUS shared secret in clients.conf must be identical to the one in the eap-radius section of /etc/strongswan.conf, and the Filter-Id values set in inner-tunnel-second must match the rightgroups names used in ipsec.conf:
/etc/raddb/clients.conf
# The strongSwan gateway (moon) as a RADIUS client. The secret must be identical
# to charon.plugins.eap-radius.secret in /etc/strongswan.conf on the gateway.
client 10.1.0.1 {
        secret    = gv6URkSs
        shortname = moon
}
/etc/raddb/eap.conf
eap {
        md5 {
        }

        # Outer method offered to the VPN client: EAP-TTLS. The inner methods
        # below run inside the TLS tunnel.
        default_eap_type = ttls

        tls {
                private_key_file = /etc/raddb/certs/aaaKey.pem
                certificate_file = /etc/raddb/certs/aaaCert.pem
                # Trust anchor for the TLS tunnel
                CA_file = /etc/raddb/certs/strongswanCert.pem
                # "DEFAULT" accepts whatever the OpenSSL default list offers;
                # consider restricting this to modern suites in production.
                cipher_list = "DEFAULT"
                dh_file = /etc/raddb/certs/dh
                random_file = /etc/raddb/certs/random
        }

        ttls {
                # First inner method: EAP-MD5 user authentication, handled by
                # the "inner-tunnel" virtual server. EAP-MD5 relies entirely on
                # the TTLS tunnel for confidentiality and needs the clear-text
                # password (see the users file).
                default_eap_type = md5
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"

                # Second inner method: the TNC assessment, handled by the
                # "inner-tunnel-second" virtual server.
                tnc_virtual_server = "inner-tunnel-second"
        }
}

# Separate EAP instance used by inner-tunnel-second for the TNC handshake.
eap eap_tnc {
        default_eap_type = tnc

        tnc {
        }
}
/etc/raddb/proxy.conf
# Handle the strongswan.org realm (the domain part of the client identities
# matched by rightid=*@strongswan.org) locally rather than proxying it.
realm strongswan.org {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}
/etc/raddb/users
# Credentials for the inner EAP-MD5 authentication. EAP-MD5 requires the
# clear-text password, so this file must be readable only by the radiusd user.
carol   Cleartext-Password := "Ar3etTnp"
dave    Cleartext-Password := "W7R0g3do"
/etc/raddb/sites-available/default
# Outer (EAP-TTLS) virtual server: only the "eap" module authenticates here.
authorize {
        suffix
        eap {
                ok = return
        }
        files
}

authenticate {
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}

session {
        radutmp
}

post-auth {
        exec
        # Strip everything but the attributes allowed in an Access-Reject.
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        eap
}
/etc/raddb/sites-available/inner-tunnel
# First inner virtual server: EAP-MD5 user authentication against the
# Cleartext-Password entries in the users file.
server inner-tunnel {
        authorize {
                suffix
                eap {
                        ok = return
                }
                files
        }

        authenticate {
                eap
        }

        session {
                radutmp
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }

        pre-proxy {
        }

        post-proxy {
                eap
        }
} # inner-tunnel server block
/etc/raddb/sites-available/inner-tunnel-second
# Second inner virtual server: runs the TNC assessment via the eap_tnc instance
# and turns its result into a Filter-Id for the gateway.
server inner-tunnel-second {
        authorize {
                eap_tnc {
                        ok = return
                }
        }

        authenticate {
                eap_tnc
        }

        session {
                radutmp
        }

        post-auth {
                # Map TNC-Status to the Filter-Id that strongSwan's eap-radius
                # plugin (filter_id = yes) uses as the group name for rightgroups.
                if (control:TNC-Status == "Access") {
                        update reply {
                                Tunnel-Type := ESP
                                Filter-Id := "allow"
                        }
                }
                elsif (control:TNC-Status == "Isolate") {
                        update reply {
                                Tunnel-Type := ESP
                                Filter-Id := "isolate"
                        }
                }
                # Deliberately no branch for TNC-Status "None": the reply then
                # carries no Filter-Id, so neither rightgroups on the gateway
                # should match.

                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
} # inner-tunnel-second block
/etc/raddb/dictionary
# Standard dictionaries plus the local TNC-Status definition used by
# inner-tunnel-second.
$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE /etc/raddb/dictionary.tnc
/etc/raddb/dictionary.tnc
# Result of the TNC assessment (presumably set in the control list by the
# eap_tnc module — confirm against the TNC@FHH module documentation); compared
# by name in the post-auth section of inner-tunnel-second.
ATTRIBUTE       TNC-Status      3001    integer
VALUE   TNC-Status      Access  0
VALUE   TNC-Status      Isolate 1
VALUE   TNC-Status      None    2