<div dir="ltr"><div style="font-size:small">Hello,</div><div style="font-size:small"><br></div><div style="font-size:small">Thanks again for the timely response. I'm still not 100% clear on the way these protocols interact so I made an attempt at diagramming it:</div><div style="font-size:small"><br></div><div style="font-size:small"><font face="monospace">rightauth=eap-radius</font></div><div style="font-size:small"><font face="monospace"><br></font></div><font size="2"><font face="monospace">------------ IKEv2 </font><span style="font-family:monospace">------------ RADIUS </span><span style="font-family:monospace">---------</span></font><div style="font-size:small"><font face="monospace">| client | -- EAP -- | strong | -- EAP -- | AAA |</font></div><div style="font-size:small"><font face="monospace">------------ </font><span style="font-family:monospace">------------ </span><span style="font-family:monospace">---------</span></div><div style="font-size:small"><span style="font-family:monospace"><br></span></div><div style="font-size:small"><div><font face="monospace">rightauth=eap-radius</font></div><div><font face="monospace">rightauth2=xauth-radius</font></div><div><font face="monospace"><br></font></div><font face="monospace">------------ IKEv2 </font><span style="font-family:monospace">------------ RADIUS </span><span style="font-family:monospace">---------</span><div><font face="monospace">| client | -- EAP -- | strong | -- EAP -- | AAA |</font></div><div><font face="monospace">------------ </font><span style="font-family:monospace">------------ &lt;XAUTH&gt; </span><span style="font-family:monospace">---------</span></div></div><div style="font-size:small"><div><br></div></div><div style="font-size:small">If this is correct, then that definitely explains what I am seeing in my packet captures.</div><br class="inbox-inbox-inbox-inbox-Apple-interchange-newline" style="font-size:small"><div style="font-size:small">Here is the situation I was hoping for, as the PAP 
RADIUS proxy won't accept the forwarded EAP packets:</div><div style="font-size:small"> </div><div style="font-size:small"><div><div><font face="monospace">rightauth=eap-radius</font></div><div><font face="monospace">rightauth2=xauth-radius</font></div><div><font face="monospace"><br></font></div><font face="monospace">------------ IKEv2 </font><span style="font-family:monospace">------------ RADIUS </span><span style="font-family:monospace">---------</span><div><font face="monospace">| client | -- EAP -- | strong | --XAUTH-- | AAA |</font></div><div><font face="monospace">------------ </font><span style="font-family:monospace">------------ </span><span style="font-family:monospace">---------</span></div></div><br class="inbox-inbox-inbox-inbox-Apple-interchange-newline"></div><div style="font-size:small">Is there any current plugin configuration that will let me accomplish something like this, or will I have to downgrade my client's configuration back to IKEv1?</div><div style="font-size:small"><br></div><div style="font-size:small">Cheers,</div><div style="font-size:small">-Kyle</div><br class="inbox-inbox-Apple-interchange-newline"></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Dec 22, 2017 at 1:29 PM Noel Kuntze &lt;noel.kuntze+strongswan-users-ml@thermi.consulting&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
No.<br>
eap-radius encapsulates EAP packets in RADIUS packets.<br>
xauth-eap encapsulates the XAUTH conversation in an EAP conversation in RADIUS packets.<br>
They do not interact with each other beyond that they are implemented by the same plugin and use the same configuration files.<br>
The use of either method does not impact the other.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
On 22.12.2017 22:20, Kyle Seever wrote:<br>
> Hi Noel,<br>
><br>
> Thanks for the quick response. To make sure I understand fully - without the /xauth-radius/ backend, /eap-radius/ simply encapsulates the EAP packets originating from the client within the RADIUS protocol back to the AAA. With /xauth-radius/, it sends XAuth credentials directly to the AAA via RADIUS (from the documentation: ".. to directly verify XAuth credentials using RADIUS User-Name and User-Password attributes.").<br>
><br>
> That's where I picked up the 'translate EAP to XAuth' thought. What happens to the EAP encapsulation in this exchange? Are the XAuth credentials still nested within the EAP transfer?<br>
><br>
> Thanks again,<br>
> -Kyle<br>
><br>
> On Fri, Dec 22, 2017 at 12:52 PM Noel Kuntze &lt;noel.kuntze+strongswan-users-ml@thermi.consulting&gt; wrote:<br>
><br>
> Hi,<br>
><br>
> The xauth-radius authentication method encapsulates the XAUTH credentials in RADIUS packets. It does not translate an EAP conversation to XAUTH.<br>
><br>
> Kind regards<br>
><br>
> Noel<br>
><br>
><br>
> On 22.12.2017 21:33, Kyle Seever wrote:<br>
> > Hello,<br>
> ><br>
> > I am currently trying to integrate strongSwan (v5.3.5) with a PAP-only RADIUS proxy. Currently, I'm using a client profile of IKEv2 with EAP which connects to strongSwan without issue. strongSwan is configured with /rightauth=eap-radius/ and /rightauth2=xauth-radius:profile/. My reading of the eap-radius#xauth &lt;<a href="https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius#XAuth" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius#XAuth</a>&gt; plugin was such that it would translate the EAP conversation to regular XAuth credentials sent to the RADIUS backend via the regular User-Name and User-Password attributes. When I inspect the network traffic, the plugin is still encapsulating the EAP messages back to the AAA.<br>
> ><br>
> > What am I misunderstanding about the builtin XAuth backend in the plugin, and what are some options I have going forward? Will I have to downgrade to traditional XAuth over IKEv1?<br>
> ><br>
> > Thanks in advance,<br>
> > -Kyle<br>
><br>
<br>
</blockquote></div>
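<div>The difference discussed in this thread as it appears in a packet capture, as an added example (not part of the thread and not strongSwan code): the classifier below labels a RADIUS Access-Request as PAP-style (User-Password, RFC 2865) or EAP-carrying (EAP-Message with Message-Authenticator, RFC 3579). The shared secret, user name, password and both sample packets are constructed for the example.</div>

```python
import hashlib
import hmac
import struct

USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80
SECRET = b"constructed-shared-secret"  # constructed sample value
AUTHENTICATOR = bytes(range(16))       # constructed; random per request in real traffic

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def access_request(attrs, secret=None):
    """Build an Access-Request; with a secret, sign it per RFC 3579 3.2."""
    if secret is not None:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack("!BBH", 1, 0, 20 + len(body)) + AUTHENTICATOR + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def classify(packet):
    """Return 'eap', 'pap' or 'other' for one RADIUS packet from a capture."""
    code, _, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\x00"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    types, pos = set(), 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        types.add(packet[pos])
        pos += alen
    if code == 1 and EAP_MESSAGE in types:
        return "eap"
    return "pap" if code == 1 and USER_PASSWORD in types else "other"

# Constructed samples: User-Name/User-Password versus a forwarded EAP-Response/Identity.
hidden = hide_password(b"hunter2", SECRET, AUTHENTICATOR)
PAP_SAMPLE = access_request([(USER_NAME, b"alice"), (USER_PASSWORD, hidden)])
eap_identity = struct.pack("!BBHB", 2, 0, 10, 1) + b"alice"
EAP_SAMPLE = access_request([(USER_NAME, b"alice"), (EAP_MESSAGE, eap_identity)], SECRET)
print(classify(PAP_SAMPLE), classify(EAP_SAMPLE))
```

<div>A PAP-only RADIUS proxy can act on the first kind of request only, since the second carries no User-Password attribute at all.</div>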