<div dir="ltr">Hello Tobias,<div><br></div><div>Yes. As per your advice, i set the default eap-method in the Freeradius server to GTC...and it works as required. </div><div><br></div><div>Now the Android Strongswan-IKEv2 client [with "IKEv2 EAP (username/password)" menu item selected] is using EAP-GTC method to authenticate with the radius</div><div><br></div><div>- For Reference Info to other users:</div><div><br></div><div>1. The location/file to set on the freeradius server is "/usr/local/etc/raddb/mods-enabled/eap" and </div><div>2. The option to set is "default_eap_type = gtc" (the default/original setting will be "default_eap_type = md5")</div><div><br></div><div>3. And in the strongswan-server config continue to use "rightauth=eap-radius" (and "leftauth=pubkey")...as shown below:</div><div><br></div><div>===========================</div><div><div>conn WinAndrdClients_wEAP</div><div> left=172.16.32.201</div><div> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div> right=%any</div><div> rightsourceip=192.168.113.10-192.168.113.61</div><div> leftauth=pubkey</div><div> rightauth=eap-radius<br></div><div><span style="white-space:pre"> </span>leftcert=HubGwCert.pem</div><div><span style="white-space:pre"> </span>leftid=<a href="http://HubGw.test.net">HubGw.test.net</a></div><div><span style="white-space:pre"> </span>rightid=%any</div><div><span style="white-space:pre"> </span>eap_identity=%any</div><div> modeconfig=pull</div><div> type=tunnel</div><div> keyexchange=ikev2</div><div><span style="white-space:pre"> </span>ike=aes256-sha1-modp1024!</div><div><span style="white-space:pre"> </span>esp=aes256-sha1!</div><div> auto=add</div></div><div><br></div><div>===========================</div><div><br></div><div><br></div><div>As for the EAP-TNC.....at this time its going way over my head as far as understanding the TNC architecture...so i will put in some time on this topic to understand and learn...seems interesting and the area to know for future vpn deployments...i will refer to the link you had mentioned..</div><div><br></div><div>Thank you so much for your help and advice...</div><div><br></div><div>with regards</div><div>Rajiv</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 29, 2017 at 5:59 PM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rajiv,<br>
<br>
> - Observed that the client responds with EAP-MD5 as the method when<br>
> queried by server<br>
<br>
It responds with whatever EAP method the RADIUS server initiated, as<br>
long as it supports it. Only if it doesn't support the initiated method<br>
will it respond with an EAP-Nak and request a different method from the<br>
server (i.e. it sends a list of the methods it supports so the server<br>
can pick and initiate another one).<br>
<br>
> - My query for this menu-item is <br>
><br>
> a) How to enable/configure the this client to send or use ONLY<br>
> EAP-MSCHAPv2 as the method for user-authentication<br>
<br>
Change the RADIUS server config so it initiates EAP-MSCHAPv2, if that's<br>
what you want to use.<br>
<br>
> b) The same server connection entry is used for Windows-IKEv2 client and<br>
> here MSCHAPv2 is used and successfully authenticated by the same<br>
> radius-server<br>
<br>
Windows probably only supports EAP-MSCHAPv2, so I guess it will reject<br>
EAP-MD5 and request that the server initiate EAP-MSCHAPv2.<br>
<br>
> c) So iam assuming here that we need to do something at the client-end only<br>
<br>
No, the EAP method is initiated by the server.<br>
<br>
> d) - iam assuming as per what i have read..EAP-GTC requires a PEAP<br>
> tunnel (to radius-server)...<br>
<br>
It does not require it, the client actually does not support EAP-PEAP<br>
currently. EAP-GTC is sent securely within IKEv2, but clear to the<br>
RADIUS server, so make sure the connection between VPN and RADIUS server<br>
is secure.<br>
<br>
> Observation and query is that this menu-item can only be supported by<br>
> only Strongswan-server configured speicifically with rightauth2...This<br>
> method is NOT so prevalent or used in any other Interoperable<br>
> VPN-servers as far as i know...<br>
<br>
Only servers supporting RFC 4739 will be interoperable with this<br>
authentication method. The client will authenticate with a certificate<br>
during the first round and expect EAP authentication during the second.<br>
<br>
> 4. IKEv2 EAP-TNC (username/passwd)<br>
><br>
> when i tried this with standard server config for EAP-TLS...radius was<br>
> actually trying EAP-TTLS...or something like that<br>
><br>
> - effectively this seems to work with EAP-TTLS...so what is the required<br>
> configuration on server to use this menu selection?<br>
<br>
See [1].<br>
<br>
> In summary, my main query (among other queries above) is how to<br>
> configure strongswan server and this client to use EAP-GTC...using<br>
> Radius-server for AAA<br>
<br>
You don't have to configure the client or the strongSwan server but the<br>
RADIUS server, since it's the one initiating the EAP method.<br>
<br>
Regards,<br>
Tobias<br>
<br>
[1]<br>
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect#Android-BYOD-Security-based-on-the-TNC-framework" rel="noreferrer" target="_blank">https://wiki.strongswan.org/<wbr>projects/strongswan/wiki/<wbr>TrustedNetworkConnect#Android-<wbr>BYOD-Security-based-on-the-<wbr>TNC-framework</a><br>
</blockquote></div><br></div>