[strongSwan] Is eap_identity configuration supported?
Christophe Gouault
christophe.gouault at 6wind.com
Thu Feb 24 15:42:57 CET 2011
Hi all,

I am currently doing IKEv2+EAP tests, using charon for both the client
(EAP supplicant) and the server (EAP authenticator).

The version of strongSwan I use is 4.3.6.

- the client side is configured to do EAP-AKA
- the server side is configured to do EAP-radius
- a radius server performs the EAP authentication

I can successfully establish an IKE negotiation, but the EAP identity of
the client is always set to its IKE identity (rightid field) instead of
its configured EAP identity (eap_identity field).

I tried various configurations:

* the server is expected to ask the client for its EAP identity:

  client:
    leftid=@clientfqdn
    right=@serverfqdn
    eap_identity=0111222333444555

  server:
    leftid=@serverfqdn
    rightid=%any
    eap_identity=%

* the server hardcodes the client identity:

  client:
    leftid=@clientfqdn
    right=@serverfqdn
    eap_identity=0111222333444555

  server:
    leftid=@serverfqdn
    rightid=%any
    eap_identity=0111222333444555

* I also tried to not specify the leftid, but the identity sent to the
  radius server is random data.

I always have the same error message on the server:

    13[IKE] EAP-Identity request configured, but not supported
    13[IKE] initiating EAP_RADIUS method

and the client IKE id (clientfqdn) is sent to the radius server for the
authentication, instead of the client eap_identity (0111222333444555). I
must set the client leftid to 0111222333444555 for the EAP
authentication to succeed.

Therefore, I am wondering if this eap_identity specification is actually
supported?

Am I doing something wrong?

I can give the full configuration on demand.

Regards,
Christophe