How to set multiple IP pools for RADIUS selection?



  • Hi,

    I try to assign IPs from different subnets/IP ranges to VPN users depending on their RADIUS login in order to apply different firewall rules to them. The RADIUS is Windows NPS role which does not support server-side pooling.

    Using the AD user attribute 'static IP' (Framed-IP-Address) works well, but it would be difficult to manage all the individual IPs in firewall aliases. This is some sort of a backup solution.

    The weapon of choice for this scenario would be the Framed-Pool attribute. However, I can't figure out where to set the IP pools and their names on the pfSense. The StrongSwan documentation suggests that this could be set in the swanctl.conf. From tinkering with the config files on the pfSense, my impression is that pfSense uses ipsec.conf instead of the newer swanctl.conf, is this correct?

    Is there a different way to set multiple IP pools which can be selected via Framed-Pool?

    Thanks!

    • Abbys


  • Solved - turned out that the framed-pool attribute is simply not processed by StrongSwan. You have to go with framedIP.



  • @Abbys I'm trying to do something similar can you share how you were able to configure this?



  • @Daz22 It is not possible the way it was intended (the conventional way: create AD groups for different network access rights, create a NPS policy for each group with different pools for which different firewall rules are set and pass the pools via Framed-Pool to the VPN server). You can see from the StrongSwan docs that Framed-Pool is not supported: https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
    I haven't finished this yet due to other projects but will use Framed-IP-Address. The difference in management is that you don’t put users into AD groups but manage their access based on their personal IP directly on the firewall.
    Hence, the user management will get a bit cumbersome, obviously, but we really need the access differentiation.
    So far, I have created a PowerShell script that sets a unique IP address from our client VPN range for all the relevant AD users (not that easy, because users come and go, the script should overwrite manual settings but not settings from its previous runs; if I remember correctly, I implemented this based on AD timestamps). It should also create a CSV for the admins to keep track of the user IPs in the future. Next, I will create the “groups” as aliases on the firewall and create firewall rules for the aliases. For access management, you would put a user IP into an alias or remove it.
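As an added illustration of the Framed-IP-Address approach described in this thread (this is example code, not the poster's script and not part of the original post), the following PowerShell assigns each member of a VPN group a unique address from a client range, writes it into the user's dial-in attribute, and exports a CSV for the admins. It assumes the ActiveDirectory module, a hypothetical group name "VPN-Users", a constructed pool 10.99.0.10 to 10.99.0.250, and a hypothetical CSV path. Instead of AD timestamps, it keeps an assignment only when the user's current attribute matches what the previous CSV says the script wrote; anything else (new user, manually set value) is replaced.

```powershell
# Added example, not the poster's script. Assumptions: ActiveDirectory module,
# hypothetical group 'VPN-Users', constructed pool 10.99.0.10-10.99.0.250,
# hypothetical CSV path.
Import-Module ActiveDirectory

$VpnGroup  = 'VPN-Users'
$PoolStart = [IPAddress]'10.99.0.10'
$PoolEnd   = [IPAddress]'10.99.0.250'
$CsvPath   = 'C:\VPN\vpn-user-ips.csv'

# AD stores Framed-IP-Address in msRADIUSFramedIPAddress as a signed 32-bit
# integer in network byte order, e.g. 10.0.0.5 -> 167772165; addresses above
# 127.255.255.255 come out negative, so convert via the raw bytes.
function ConvertTo-IpUInt32([IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes(); [Array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IpUInt32([uint32]$V) {
    $b = [BitConverter]::GetBytes($V); [Array]::Reverse($b); [IPAddress]::new($b)
}
function ConvertTo-RadiusInt([IPAddress]$Ip) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes((ConvertTo-IpUInt32 $Ip)), 0)
}
function ConvertFrom-RadiusInt([int]$V) {
    ConvertFrom-IpUInt32 ([BitConverter]::ToUInt32([BitConverter]::GetBytes($V), 0))
}

# What the script assigned last time (SamAccountName -> IP), if a CSV exists.
$previous = @{}
if (Test-Path $CsvPath) {
    Import-Csv $CsvPath | ForEach-Object { $previous[$_.SamAccountName] = $_.IPAddress }
}

$users = Get-ADGroupMember -Identity $VpnGroup -Recursive |
         Where-Object objectClass -eq 'user' |
         Get-ADUser -Properties msRADIUSFramedIPAddress

$inUse   = [System.Collections.Generic.HashSet[uint32]]::new()
$result  = New-Object System.Collections.Generic.List[object]
$pending = @()

foreach ($u in $users) {
    $current = $null
    if ($null -ne $u.msRADIUSFramedIPAddress) {
        $current = (ConvertFrom-RadiusInt $u.msRADIUSFramedIPAddress).ToString()
    }
    if ($current -and $previous[$u.SamAccountName] -eq $current) {
        # Set by a previous run of this script: keep it and reserve the address.
        [void]$inUse.Add((ConvertTo-IpUInt32 ([IPAddress]$current)))
        $result.Add([pscustomobject]@{ SamAccountName = $u.SamAccountName; IPAddress = $current; Status = 'kept' })
    } else {
        # New user, or a value the script did not write (manual edit): reassign.
        $pending += $u
    }
}

# Hand out the lowest free addresses to everyone still pending.
$next = ConvertTo-IpUInt32 $PoolStart
$last = ConvertTo-IpUInt32 $PoolEnd
foreach ($u in $pending) {
    while ($next -le $last -and $inUse.Contains($next)) { $next++ }
    if ($next -gt $last) { throw "VPN address pool exhausted before assigning $($u.SamAccountName)" }
    $ip = ConvertFrom-IpUInt32 $next
    Set-ADUser -Identity $u -Replace @{ msRADIUSFramedIPAddress = (ConvertTo-RadiusInt $ip) }
    [void]$inUse.Add($next)
    $result.Add([pscustomobject]@{ SamAccountName = $u.SamAccountName; IPAddress = $ip.ToString(); Status = 'assigned' })
}

# Record for the admins; this file is also what the next run treats as "ours".
$result | Sort-Object { ConvertTo-IpUInt32 ([IPAddress]$_.IPAddress) } |
    Export-Csv -Path $CsvPath -NoTypeInformation
```

Users who leave the group drop out of the CSV but keep their attribute; clear it with `Set-ADUser -Identity <user> -Clear msRADIUSFramedIPAddress` if the address should be reusable, since the script otherwise only sees addresses that belong to current members. The CSV is the firewall admin's source when adding a user's address to a pfSense alias, which is the access-management step the post describes.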

