@gelcom:
Thanks. It worked perfectly!
The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in to the VPN.
This is not clear to me. What's the difference with this additional NAS-Identifier==strongSwan?
Yes, the only issue is not being able to see who's logged in via Status -> IPSec -> Leases; the only way is looking in the logs.
Re NAS-Identifier==strongSwan: I also use freeRADIUS for WPA Enterprise auth. If you add NAS-Identifier==strongSwan to the check items, it basically says this user can only connect if the NAS-Identifier is strongSwan.
You can use radsniff -x from the CLI to see what's going on. The capture in green is when I connect to the Wi-Fi, the blue via VPN.
2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
User-Name = "andy"
NAS-IP-Address = 172.16.1.11
NAS-Port = 0
Framed-IP-Address = 172.16.2.41
Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
Calling-Station-Id = "D0-4F-7E-85-D9-BE"
NAS-Identifier = "802aa8969d8c"
NAS-Port-Type = Wireless-802.11
Acct-Status-Type = Start
Acct-Session-Id = "5A44C1A4-0000000F"
Acct-Authentic = RADIUS
Connect-Info = "CONNECT 0Mbps 802.11b"
Authenticator-Field = xxxxxxxxxxxxxxxxxxxx
2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
User-Name = "andy-ipad"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 47
Service-Type = Framed-User
State = 0x3011d33a3212c931f791fe04904119c2
Called-Station-Id = "xx.xx.xx.xx[4500]"
Calling-Station-Id = "172.16.2.41[4500]"
NAS-Identifier = "strongSwan"
NAS-Port-Type = Virtual
EAP-Message = 0x020300061a03
Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
NAS-Port-Id = "con1"
Authenticator-Field = xxxxxxxxxxxxxxxxxxxx
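The effect of the NAS-Identifier check item described in the post above, as an added example that is not part of the original post or of pfSense/freeRADIUS: a small parser for `radsniff -x` text that reports which Access-Requests would pass a per-user NAS-Identifier restriction. The sample capture is constructed in the same layout as the one above, and `parse_radsniff`, `evaluate` and `CHECK_ITEMS` are hypothetical names; the equality test is a simplified model of the `==` check item.

```python
import re

# Constructed sample in the layout of the radsniff -x capture above.
# The third packet is invented: the VPN-only user arriving through the Wi-Fi AP.
SAMPLE = """\
2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
    User-Name = "andy"
    NAS-Identifier = "802aa8969d8c"
    NAS-Port-Type = Wireless-802.11
2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
    User-Name = "andy-ipad"
    NAS-Identifier = "strongSwan"
    NAS-Port-Type = Virtual
2017-12-28 13:52:10.000000 (9) Access-Request Id 91 igb0:172.16.1.11:37600 -> 172.16.1.1:1812 +0.010
    User-Name = "andy-ipad"
    NAS-Identifier = "802aa8969d8c"
    NAS-Port-Type = Wireless-802.11
"""

# Packet header: timestamp, (packet counter), packet type, "Id <n>", then src -> dst.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:.]+) \(\d+\) (\S+) Id (\d+) ")
# Attribute line: Name = value (string values are double-quoted).
ATTR = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")

def parse_radsniff(text):
    """Split radsniff -x text into packets with an attribute dict each.
    A repeated attribute (e.g. EAP-Message) keeps only its last value."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indented or flattened attribute lines
        m = HEADER.match(line)
        if m:
            packets.append({"time": m.group(1), "code": m.group(2), "attrs": {}})
            continue
        m = ATTR.match(line)
        if m and packets:
            packets[-1]["attrs"][m.group(1)] = m.group(2).strip('"')
    return packets

# Hypothetical policy: user -> NAS-Identifier required by that user's check item.
CHECK_ITEMS = {"andy-ipad": "strongSwan"}

def evaluate(packets, check_items):
    """Return (user, nas_identifier, passes_check) for every Access-Request."""
    results = []
    for p in packets:
        if p["code"] != "Access-Request":
            continue  # accounting packets are not subject to check items
        user = p["attrs"].get("User-Name")
        nas = p["attrs"].get("NAS-Identifier")
        required = check_items.get(user)
        results.append((user, nas, required is None or nas == required))
    return results
```

Users with no entry in `CHECK_ITEMS` pass from any NAS, which mirrors leaving the check item off a Wi-Fi account.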