Netgate Discussion Forum
How to set multiple IP pools for RADIUS selection?

Category: IPsec
4 Posts 2 Posters 1.4k Views
Morlock, last edited Feb 19, 2019, 7:20 PM

    Hi,

    I am trying to assign IPs from different subnets/IP ranges to VPN users depending on their RADIUS login, in order to apply different firewall rules to them. The RADIUS server is the Windows NPS role, which does not support server-side pooling.

    Using the AD user attribute 'static IP' (Framed-IP-Address) works well, but it would be difficult to manage all the individual IPs in firewall aliases. This is some sort of a backup solution.

    The weapon of choice for this scenario would be the Framed-Pool attribute. However, I can't figure out where to set the IP pools and their names on the pfSense. The StrongSwan documentation suggests that this could be set in the swanctl.conf. From tinkering with the config files on the pfSense, my impression is that pfSense uses ipsec.conf instead of the newer swanctl.conf, is this correct?

    Is there a different way to set multiple IP pools which can be selected via Framed-Pool?

    Thanks!

    Morlock, last edited Mar 12, 2019, 7:13 PM

      Solved - it turned out that the Framed-Pool attribute is simply not processed by StrongSwan. You have to go with framedIP.

      Daz22 @Morlock, last edited Apr 18, 2019, 9:47 PM

        @Abbys I'm trying to do something similar; can you share how you were able to configure this?

        Morlock @Daz22, last edited Apr 19, 2019, 8:14 AM

          @Daz22 It is not possible the way it was intended (the conventional way: create AD groups for different network access rights, create an NPS policy for each group with different pools for which different firewall rules are set, and pass the pools via Framed-Pool to the VPN server). You can see from the StrongSwan docs that Framed-Pool is not supported: https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

          I haven't finished this yet due to other projects but will use Framed-IP-Address. The difference in management is that you don't put users into AD groups but manage their access based on their personal IP directly on the firewall.
          Hence, the user management will get a bit cumbersome, obviously, but we really need the access differentiation.

          So far, I have created a PowerShell script that sets a unique IP address from our client VPN range for all the relevant AD users (not that easy, because users come and go; the script should overwrite manual settings but not settings from its previous runs; if I remember correctly, I implemented this based on AD timestamps). It should also create a CSV for the admins to keep track of the user IPs in the future. Next, I will create the "groups" as aliases on the firewall and create firewall rules for the aliases. For access management, you would put a user IP into an alias or remove it.

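One way to build the per-user assignment script Morlock describes, as an added PowerShell example that is not the poster's script. It assumes an AD group named 'VPN-Users' and the constructed range 10.8.0.10-250, and it swaps the author's AD-timestamp trick for a state CSV from earlier runs: addresses recorded there survive, anything else (including manual values) is overwritten, and the CSV doubles as the admins' record of user IPs. The attribute written is msRADIUSFramedIPAddress, which is what the Dial-in tab's "Assign a Static IP Address" stores and what NPS returns as Framed-IP-Address when the network policy honours dial-in properties.

```powershell
function ConvertTo-FramedIPInt {
    # AD keeps Framed-IP-Address in msRADIUSFramedIPAddress as a signed 32-bit
    # integer in network byte order, so 192.168.x.x values come out negative.
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [BitConverter]::ToInt32($bytes, 0)
}

function ConvertFrom-FramedIPInt {
    # Inverse, for reading the attribute back into dotted form.
    param([int]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [System.Net.IPAddress]::new($bytes).ToString()
}

function Get-VpnAssignments {
    # $Users: objects with SamAccountName; $State: rows (User, IP) written by
    # the previous run. Users already in $State keep their address, departed
    # users' addresses return to the pool, newcomers get the lowest free one.
    param($Users, $State, [string]$Prefix = '10.8.0.', [int]$First = 10, [int]$Last = 250)
    $current = @{}; foreach ($u in $Users) { $current[$u.SamAccountName] = $true }
    $kept = @{};    foreach ($r in $State) { if ($current[$r.User]) { $kept[$r.User] = $r.IP } }
    $used = @{};    foreach ($ip in $kept.Values) { $used[$ip] = $true }
    $next = $First
    foreach ($u in $Users) {
        $name = $u.SamAccountName
        if (-not $kept[$name]) {
            while ($next -le $Last -and $used["$Prefix$next"]) { $next++ }
            if ($next -gt $Last) { throw "VPN range exhausted while assigning $name" }
            $kept[$name] = "$Prefix$next"; $used["$Prefix$next"] = $true
        }
        [pscustomobject]@{ User = $name; IP = $kept[$name]; Int = ConvertTo-FramedIPInt $kept[$name] }
    }
}

# Driver. The state CSV is also the admins' record of who holds which IP.
$StatePath = '.\vpn-user-ips.csv'
$State = if (Test-Path $StatePath) { Import-Csv $StatePath } else { @() }
# Constructed sample users (assumption); against AD with RSAT installed use:
# $Users = Get-ADGroupMember 'VPN-Users' | Get-ADUser
$Users = @([pscustomobject]@{ SamAccountName = 'alice' }, [pscustomobject]@{ SamAccountName = 'bob' })
$Plan = Get-VpnAssignments -Users $Users -State $State
$Plan | Export-Csv $StatePath -NoTypeInformation
foreach ($row in $Plan) {
    # Uncomment to push the value NPS hands to pfSense as Framed-IP-Address:
    # Set-ADUser -Identity $row.User -Replace @{ msRADIUSFramedIPAddress = $row.Int }
    "{0} -> {1} (msRADIUSFramedIPAddress = {2})" -f $row.User, $row.IP, $row.Int
}
```

Run it once with the Set-ADUser line commented to review the plan and the CSV, then again with it enabled; the firewall aliases on pfSense are then populated from the IP column.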
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.