<html><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:13px"><div id="yiv5265324806"><div id="yui_3_16_0_1_1440679083291_22306"><div style="color:#000;background-color:#fff;font-family:verdana, helvetica, sans-serif;font-size:13px;" id="yui_3_16_0_1_1440679083291_22305"><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span>Hi Andreas,</span></div><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span><br clear="none"></span></div><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span>Thanks for your reply!</span></div><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span><br clear="none"></span></div><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span id="yui_3_16_0_1_1440679083291_22307">On Win7 without a SAN in the user cert, authentication fails. Based on the following link, the SAN must be the same as the CN in the user cert. With this setting, the Win7 IKEv2 client connects to strongSwan.</span></div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span id="yiv5265324806yui_3_16_0_1_1440679083291_20517"><a rel="nofollow" shape="rect" id="yiv5265324806yui_3_16_0_1_1440679083291_20514" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq">https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq</a><br clear="none"></span></div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><br clear="none"></div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964">Is there any way to override the EAP identity to something other than the CN (==SAN)?</div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><br></div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964">Thanks,</div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964">-Ajay</div><div dir="ltr" id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><br></div><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span><br
clear="none"></span></div><div id="yiv5265324806yui_3_16_0_1_1440679083291_19964"><span><br clear="none"></span></div>  <br clear="none"><div class="yiv5265324806qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv5265324806yqt1254892590" id="yiv5265324806yqt79344"></div></div></div></div><div class=".yiv5265324806yahoo_quoted"> <div style="font-family:verdana, helvetica, sans-serif;font-size:13px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Thursday, August 27, 2015 7:04 PM, Andreas Steffen &lt;andreas.steffen@strongswan.org&gt; wrote:<br clear="none"> </font> </div>  <br clear="none"><br clear="none"> <div class="yiv5265324806y_msg_container">Hi Ajay,<br clear="none"><br clear="none">from my experience Windows 7/8 does not allow you to choose the<br clear="none">EAP Identity when using EAP-TLS with user certificates.<br clear="none">If a subjectAlternativeName is present in the certificate<br clear="none">then this is preferred over the subjectDistinguishedName (DN).<br clear="none"><br clear="none">What's new to me is that the CommonName (CN) would be chosen<br clear="none">as the EAP Identity.<br clear="none"><br clear="none">Regards<br clear="none"><br clear="none">Andreas<br clear="none"><div class="yiv5265324806yqt0239533497" id="yiv5265324806yqtfd62564"><br clear="none">On 27.08.2015 14:36, Ajay Agrawal wrote:<br clear="none">> Hi All,<br clear="none">><br clear="none">> Below are my default.ipsec.conf settings:<br clear="none">><br clear="none">> conn win7<br clear="none">>      keyexchange=ikev2<br clear="none">>      eap_identity=%any<br clear="none">>      leftauth=pubkey<br clear="none">>      rightauth=eap-tls<br clear="none">>      right=%any<br clear="none">>      left=%defaultroute<br clear="none">>      leftcert=vpn02.pem<br clear="none">>      leftsendcert=yes<br clear="none">>      rightsendcert=never<br
clear="none">>      rightsourceip=10.100.128.0/17<br clear="none">>      leftsubnet=172.16.177.42/32<br clear="none">>      auto=add<br clear="none">><br clear="none">><br clear="none">> With this configuration, EAP identity received is the CN from client<br clear="none">> (user) certificate. We need to get the eap_identity in the form of the full<br clear="none">> subject of the client certificate<br clear="none">> i.e. "/C=IN/ST=KA/L=*/O=*/OU=12345/CN=*/emailAddress=*". Any ideas how<br clear="none">> to achieve this? We need to get the full subject so that we can<br clear="none">> different connection profiles based on the different OU?<br clear="none">><br clear="none">> Thanks,<br clear="none">> -Ajay</div><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">> _______________________________________________<br clear="none">> Users mailing list<br clear="none">> <a rel="nofollow" shape="rect" ymailto="mailto:Users@lists.strongswan.org" target="_blank" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">======================================================================<br clear="none">Andreas Steffen                         <a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br clear="none">strongSwan - the Open Source VPN Solution!          
www.strongswan.org<br clear="none">Institute for Internet Technologies and Applications<br clear="none">University of Applied Sciences Rapperswil<br clear="none">CH-8640 Rapperswil (Switzerland)<br clear="none">===========================================================[ITA-HSR]==<div class="yiv5265324806yqt0239533497" id="yiv5265324806yqtfd87310"><br clear="none"></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></body></html>