skids · November 5, 2016 18:48
diff --git a/gistfile1.txt b/gistfile1.txt

 connections {

    swan {
        pools = students
        remote {
            id = %any
            auth = eap-radius
        }
        include swanctl_swan.conf
    }

    swan-itsadmin {
        pools = itsadmin
        remote {
            id = %any
            auth = eap-radius
            groups = swan-itsadmin
        }
        include swanctl_swan.conf
    }
 }

 ...this ends up in connection "swan"...
 09[CFG]   candidate "swan", match: 20/1/1052 (me/other/ike)
 09[CFG] peer config match local: 20 (ID_FQDN -> XXY)
 09[CFG] peer config match remote: 1 (ID_RFC822_ADDR -> YYY)
 09[CFG] ike config match: 1052 (XXX.XXX.255.64 YYY.YYY.YYY.YYY IKEv2)
 09[CFG]   candidate "swan-itsadmin", match: 20/1/1052 (me/other/ike)
 09[CFG] selected peer config 'swan'
 09[CFG] RADIUS server 'localvpn' is candidate: 210
 09[CFG] sending RADIUS Access-Request to server 'localvpn'
 ...
 05[IKE] received RADIUS attribute Filter-Id: 'swan-itsadmin'
 05[IKE] RADIUS authentication of 'XXX.XXX.XXX' successful
 05[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
 05[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]

 connections {

    swan {
        pools = students
        remote {
            id = %any
            auth = eap-radius
            group = kickout
        }
        include swanctl_swan.conf
    }

    swan-itsadmin {
        pools = itsadmin
        remote {
            id = %any
            auth = eap-radius
            groups = swan-itsadmin
        }
        include swanctl_swan.conf
    }
 }

 15[IKE] received RADIUS attribute Filter-Id: 'swan-itsadmin'
 15[IKE] RADIUS authentication of '[email protected]' successful
 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
 15[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
 15[NET] sending packet: from XXX.XXX.255.64[4500] to YYY.YYY.YYY.YYY[4500] (80 bytes)
 09[NET] received packet: from YYY.YYY.YYY.YYY[4500] to XXX.XXX.255.64[4500] (112 bytes)
 09[ENC] parsed IKE_AUTH request 4 [ AUTH ]
 09[IKE] authentication of '[email protected]' with EAP successful
 09[CFG] constraint check failed: group membership to 'swan-itsadmin' required
 09[CFG] selected peer config 'swan-itsadmin' inacceptable: non-matching authentication done

 I know this file is being read, as it is using the nas_identifier from it:

 /etc/strongswan/strongswan.d/charon/eap-radius.conf:
 eap-radius {
    load = yes
    accounting = yes
    accounting_close_on_timeout = yes
    accounting_interval = 600
    accounting_requires_vip = yes
    close_all_on_timeout = no
    # Use filter_id attribute as group membership information.
    filter_id = yes
    # NAS-Identifier to include in RADIUS messages.
    nas_identifier = VPNB
    sockets = 32
 }
    
 ...plus a server { }

	connections {

	swan {
	pools = students
	remote {
	id = %any
	auth = eap-radius
	}
	include swanctl_swan.conf
	}

	swan-itsadmin {
	pools = itsadmin
	remote {
	id = %any
	auth = eap-radius
	groups = swan-itsadmin
	}
	include swanctl_swan.conf
	}
	}

	...this ends up in connection "swan"...
	09[CFG] candidate "swan", match: 20/1/1052 (me/other/ike)
	09[CFG] peer config match local: 20 (ID_FQDN -> XXY)
	09[CFG] peer config match remote: 1 (ID_RFC822_ADDR -> YYY)
	09[CFG] ike config match: 1052 (XXX.XXX.255.64 YYY.YYY.YYY.YYY IKEv2)
	09[CFG] candidate "swan-itsadmin", match: 20/1/1052 (me/other/ike)
	09[CFG] selected peer config 'swan'
	09[CFG] RADIUS server 'localvpn' is candidate: 210
	09[CFG] sending RADIUS Access-Request to server 'localvpn'
	...
	05[IKE] received RADIUS attribute Filter-Id: 'swan-itsadmin'
	05[IKE] RADIUS authentication of 'XXX.XXX.XXX' successful
	05[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
	05[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]

	connections {

	swan {
	pools = students
	remote {
	id = %any
	auth = eap-radius
	group = kickout
	}
	include swanctl_swan.conf
	}

	swan-itsadmin {
	pools = itsadmin
	remote {
	id = %any
	auth = eap-radius
	groups = swan-itsadmin
	}
	include swanctl_swan.conf
	}
	}

	15[IKE] received RADIUS attribute Filter-Id: 'swan-itsadmin'
	15[IKE] RADIUS authentication of '[email protected]' successful
	15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
	15[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
	15[NET] sending packet: from XXX.XXX.255.64[4500] to YYY.YYY.YYY.YYY[4500] (80 bytes)
	09[NET] received packet: from YYY.YYY.YYY.YYY[4500] to XXX.XXX.255.64[4500] (112 bytes)
	09[ENC] parsed IKE_AUTH request 4 [ AUTH ]
	09[IKE] authentication of '[email protected]' with EAP successful
	09[CFG] constraint check failed: group membership to 'swan-itsadmin' required
	09[CFG] selected peer config 'swan-itsadmin' inacceptable: non-matching authentication done

	I know this file is being read, as it is using the nas_identifier from it:

	/etc/strongswan/strongswan.d/charon/eap-radius.conf:
	eap-radius {
	load = yes
	accounting = yes
	accounting_close_on_timeout = yes
	accounting_interval = 600
	accounting_requires_vip = yes
	close_all_on_timeout = no
	# Use filter_id attribute as group membership information.
	filter_id = yes
	# NAS-Identifier to include in RADIUS messages.
	nas_identifier = VPNB
	sockets = 32
	}

	...plus a server { }