[strongSwan] Can charon pass through unknown EAP methods with eap-radius authentication?
Martin Willi
martin at strongswan.org
Thu Jul 15 19:05:40 CEST 2010
Hi Christophe,
> Can charon pass through unknown EAP methods with eap-radius
> authentication?
Yes:
> vendor-specific methods can be specified in the form eap-type-vendor
> (but I don't really understand how vendor-specific methods could be used
> without extending charon).
The daemon core itself can handle vendor specific EAP methods. We
currently do not have such a method, but a (third party) plugin can
register one.
> I am wondering if the eap-radius "method" will pass through EAP
> exchanges between the client and radius server when the EAP method used
> by the client and radius server is not supported by charon.
eap-radius is not a method, but just an implementation that uses a
RADIUS backend server. If a gateway uses a configuration with
eap-radius, it contacts the RADIUS server. The RADIUS server then will
initiate a method based on its policy. The gateway acts more or less
just as an IKEv2<->RADIUS bridge for EAP packets.
The use of eap-radius is transparent to the client; it does not know
that RADIUS is involved.
> Typically, I would like to use the EAP-TLS and EAP-FRAP methods, that
> are not supported by charon for now.
EAP-TLS is in development, but not ready for production use yet. See the
eap-tls git branch for details. EAP-FRAP is not supported at all.
If the RADIUS server speaks EAP-TLS/EAP-FRAP, there is no special
support required from the gateway side. I haven't tested it with vendor
specific methods, though.
Best regards
Martin
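
Added example, not part of the message above and not strongSwan code: a minimal C sketch of the IKEv2<->RADIUS bridging described in the reply, using the RFC 3579 EAP-Message attribute (type 79, at most 253 value bytes each). The function names are hypothetical, and the RADIUS packet header and the Message-Authenticator attribute that RFC 3579 requires alongside EAP-Message are left out; the point is that the bridge checks only the EAP length field and never reads the method type.

```c
#include <stdint.h>
#include <string.h>

#define RADIUS_ATTR_EAP_MESSAGE 79  /* RFC 3579 attribute type */
#define RADIUS_ATTR_MAX_VALUE 253   /* 255-byte attribute minus 2-byte header */

/* IKEv2 -> RADIUS: wrap one EAP packet into EAP-Message attributes. Only the
 * EAP length field is checked; the type byte is never read, so any method
 * passes. Returns bytes written, or 0 on malformed input or short buffer. */
size_t eap_to_radius_attrs(const uint8_t *eap, size_t eap_len,
                           uint8_t *out, size_t out_cap)
{
    size_t off = 0, w = 0;
    if (eap_len < 4 || (size_t)((eap[2] << 8) | eap[3]) != eap_len)
        return 0; /* header length must match the payload exactly */
    while (off < eap_len) {
        size_t left = eap_len - off;
        size_t chunk = left > RADIUS_ATTR_MAX_VALUE ? RADIUS_ATTR_MAX_VALUE : left;
        if (out_cap - w < chunk + 2)
            return 0;
        out[w++] = RADIUS_ATTR_EAP_MESSAGE;
        out[w++] = (uint8_t)(chunk + 2);
        memcpy(out + w, eap + off, chunk);
        w += chunk;
        off += chunk;
    }
    return w;
}

/* RADIUS -> IKEv2: concatenate every EAP-Message attribute in the list back
 * into one EAP packet. Returns its length, or 0 on a malformed list. */
size_t radius_attrs_to_eap(const uint8_t *attrs, size_t attrs_len,
                           uint8_t *eap, size_t eap_cap)
{
    size_t off = 0, w = 0;
    while (attrs_len - off >= 2) {
        size_t alen = attrs[off + 1];
        if (alen < 2 || alen > attrs_len - off)
            return 0; /* truncated or bogus attribute length */
        if (attrs[off] == RADIUS_ATTR_EAP_MESSAGE) {
            if (eap_cap - w < alen - 2)
                return 0;
            memcpy(eap + w, attrs + off + 2, alen - 2);
            w += alen - 2;
        }
        off += alen;
    }
    return off == attrs_len ? w : 0;
}
```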