[strongSwan] Can charon pass through unknown EAP methods with eap-radius authentication?

Christophe Gouault christophe.gouault at 6wind.com
Fri Jul 16 08:53:39 CEST 2010


Andreas and Martin,

This is good news, thank you for your help and prompt answer.

Best Regards

Christophe

Andreas Steffen wrote:
> Hello Christophe,
>
> in principle the strongSwan server-side eap-radius plugin relays
> any EAP protocol to and from a remote RADIUS server (even vendor-
> specific and unsupported methods) because the eap-radius plugin
> does not inspect and process the information embedded in the
> generic EAP messages. Thus EAP-TLS and EAP-FRAP should pass through
> smoothly (Martin, please contradict me if this isn't true ;-)  )
>
> Best regards
>
> Andreas

Martin Willi wrote:
> Hi Christophe,
>
>> Can charon pass through unknown EAP methods with eap-radius
>> authentication?
>
> Yes:
>
>> vendor-specific methods can be specified in the form eap-type-vendor 
>> (but I don't really understand how vendor-specific methods could be used 
>> without extending charon).
>
> The daemon core itself can handle vendor specific EAP methods. We
> currently do not have such a method, but a (third party) plugin can
> register one.
>
>> I am wondering if the eap-radius "method" will pass through EAP 
>> exchanges between the client and radius server when the EAP method used 
>> by the client and radius server is not supported by charon.
> eap-radius is not a method, but just an implementation that uses a
> RADIUS backend server. If a gateway uses a configuration with
> eap-radius, it contacts the RADIUS server. The RADIUS server then will
> initiate a method based on its policy. The gateway acts more or less
> just as a IKEv2<->RADIUS bridge for EAP packets.
> The use of eap-radius is transparent to the client, it does not know
> that RADIUS is involved.
Yes, this is what I had understood (that is why I surrounded method with 
quotes).
>> Typically, I would like to use the EAP-TLS and EAP-FRAP methods, that 
>> are not supported by charon for now.
>>     
>
> EAP-TLS is in development, but not ready for production use yet. See the
> eap-tls git branch for details. EAP-FRAP is not supported at all.
>
> If the RADIUS server speaks EAP-TLS/EAP-FRAP, there is no special
> support required from the gateway side. I haven't tested it with vendor
> specific methods, though.
>
> Best regards
> Martin
>

-- 

Christophe GOUAULT
6WIND
Project Leader

Tel: +33 1 39 30 92 19
Fax: +33 1 39 30 92 11
http://www.6wind.com

This e-mail message, including any attachments, is for the sole use of 
the intended recipient(s) and contains information that is confidential 
and proprietary to 6WIND. All unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, 
please contact the sender by reply e-mail and destroy all copies of the 
original message.

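Added example (not code from this thread and not strongSwan's own eap-radius plugin), in Python, of the IKEv2<->RADIUS bridging Martin describes: the gateway wraps the client's EAP packet into a RADIUS Access-Request as EAP-Message attributes plus a Message-Authenticator, and pulls the server's EAP-Request back out of the Access-Challenge after checking both authenticators, forwarding it unchanged. Only the fixed EAP header is ever looked at, so the constructed Access-Challenge can start an expanded (type 254) vendor-specific method with a made-up vendor ID 9 and vendor type 0x1234, and the gateway still relays it. The shared secret, Request Authenticator, identity and method payload are constructed values. On a real gateway this bridging is what `rightauth=eap-radius` in ipsec.conf gives you, with the server and secret set in the eap-radius section of strongswan.conf.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# EAP codes (RFC 3748); type 254 is the "expanded" vendor-specific type
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_EXPANDED = 254


def eap_summary(eap):
    """Parse only the fixed EAP header and return (code, identifier, type).
    Type is None for Success/Failure. The method payload is never decoded,
    which is why a method charon has no plugin for can still be relayed."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match packet size")
    has_type = code in (EAP_REQUEST, EAP_RESPONSE) and length > 4
    return code, ident, eap[4] if has_type else None


def encode_attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attrs(pkt):
    """Yield (type, value) pairs from the attribute area of a RADIUS packet."""
    pos = 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield t, pkt[pos + 2:pos + l]
        pos += l


def radius_packet(code, pkt_id, authenticator, attrs):
    return struct.pack("!BBH", code, pkt_id, 20 + len(attrs)) + authenticator + attrs


def message_authenticator(secret, pkt, request_authenticator):
    """HMAC-MD5 per RFC 3579 3.2: over the packet with the Message-Authenticator
    value zeroed and the header Authenticator set to the Request Authenticator."""
    body = bytearray(pkt)
    body[4:20] = request_authenticator
    pos = 20
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            body[pos + 2:pos + l] = b"\x00" * (l - 2)
        pos += l
    return hmac.new(secret, bytes(body), hashlib.md5).digest()


def wrap_eap_in_access_request(secret, identity, eap, request_authenticator, pkt_id):
    """Gateway -> RADIUS: User-Name, the opaque EAP packet as EAP-Message
    fragments, and a Message-Authenticator (mandatory when EAP is carried)."""
    attrs = encode_attr(ATTR_USER_NAME, identity.encode())
    for i in range(0, len(eap), 253):
        attrs += encode_attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = radius_packet(ACCESS_REQUEST, pkt_id, request_authenticator, attrs)
    return pkt[:-16] + message_authenticator(secret, pkt, request_authenticator)


def finish_reply(secret, code, pkt_id, attrs, request_authenticator):
    """What the RADIUS server does (attrs must end with a zeroed Message-Authenticator):
    fill in the Message-Authenticator, then the Response Authenticator (RFC 2865 3)."""
    pkt = radius_packet(code, pkt_id, b"\x00" * 16, attrs)
    pkt = pkt[:-16] + message_authenticator(secret, pkt, request_authenticator)
    resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def unwrap_eap_from_reply(secret, reply, request_authenticator):
    """RADIUS -> gateway: check both authenticators, then reassemble the
    EAP-Message fragments to forward to the IKEv2 client untouched."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("bad Response Authenticator")
    mac, eap = None, b""
    for t, v in iter_attrs(reply):
        if t == ATTR_EAP_MESSAGE:
            eap += v
        elif t == ATTR_MESSAGE_AUTHENTICATOR:
            mac = v
    if mac is None or not hmac.compare_digest(mac, message_authenticator(secret, reply, request_authenticator)):
        raise ValueError("bad or missing Message-Authenticator")
    return reply[0], eap


def relay_demo():
    """Constructed exchange: client opens with EAP-Response/Identity, the RADIUS
    server answers with a vendor-specific method the gateway does not understand."""
    secret = b"constructed-shared-secret"   # assumption: RADIUS shared secret
    req_auth = bytes(range(16))             # constructed Request Authenticator
    identity = "carol@strongswan.org"       # constructed EAP identity
    eap_resp = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), 1) + identity.encode()
    request = wrap_eap_in_access_request(secret, identity, eap_resp, req_auth, pkt_id=7)
    roundtrip = b"".join(v for t, v in iter_attrs(request) if t == ATTR_EAP_MESSAGE)

    # Constructed Access-Challenge: expanded type 254, made-up vendor ID 9 and
    # vendor type 0x1234; the method data is opaque to the gateway.
    expanded = struct.pack("!B3sI", EAP_TYPE_EXPANDED, b"\x00\x00\x09", 0x1234)
    method_data = b"\x01opaque vendor method payload"
    eap_req = struct.pack("!BBH", EAP_REQUEST, 2, 4 + len(expanded) + len(method_data)) + expanded + method_data
    attrs = encode_attr(ATTR_EAP_MESSAGE, eap_req) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    challenge = finish_reply(secret, ACCESS_CHALLENGE, 7, attrs, req_auth)

    code, relayed = unwrap_eap_from_reply(secret, challenge, req_auth)
    return {
        "request_eap_roundtrip": roundtrip == eap_resp,
        "challenge_code": code,
        "server_eap": eap_req,
        "relayed_eap": relayed,
        "relayed_eap_type": eap_summary(relayed)[2],
    }
```

The practical consequence of this design is that the gateway enforces nothing about which EAP method is used; that policy lives entirely on the RADIUS server, and the Message-Authenticator check is what stops a forged Access-Challenge or Access-Accept from steering the exchange, so a bridge like this must reject replies that lack it.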