[strongSwan] Is eap_identity configuration supported?

Andreas Steffen andreas.steffen at strongswan.org
Thu Feb 24 17:19:50 CET 2011


Hello Christophe,

have a look at our EAP-SIM with EAP-Identity via EAP-radius
example scenario:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/

Client "carol" defines both an IKEv2 and an EAP identity in ipsec.conf:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/carol.ipsec.conf

Gateway "moon" defines rightid with a wildcard (could also be %any)
and eap_identity=%any

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.ipsec.conf

What you probably forgot, and what causes the following error message

> 13[IKE] EAP-Identity request configured, but not supported

to be issued, is to load the eap-identity plugin on the server:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.strongswan.conf

The command "ipsec statusall" should list the eap-identity plugin.

Best regards

Andreas

On 02/24/2011 03:42 PM, Christophe Gouault wrote:
> Hi all,
> 
> I am currently doing IKEv2+EAP tests, using charon for both the client 
> (EAP supplicant) and the server (EAP authenticator).
> The version of strongSwan I use is 4.3.6.
> 
> - the client side is configured to do EAP-AKA
> - the server side is configured to do EAP-radius
> - a radius server performs the EAP authentication
> 
> I can successfully establish an IKE negotiation, but the EAP identity of 
> the client is always set to its IKE identity (rightid field) instead of 
> its configured EAP identity (eap_identity field).
> 
> I tried various configurations:
> 
> * the server is expected to ask the client for its EAP identity:
> 
> client:
> leftid=@clientfqdn
> right=@serverfqdn
> eap_identity=0111222333444555
> 
> server:
> leftid=@serverfqdn
> rightid=%any
> eap_identity=%
> 
> * the server hardcodes the client identity:
> client:
> leftid=@clientfqdn
> right=@serverfqdn
> eap_identity=0111222333444555
> 
> server:
> leftid=@serverfqdn
> rightid=%any
> eap_identity=0111222333444555
> 
> * I also tried to not specify the leftid, but the identity sent to the 
> radius server is random data.
> 
> I always have the same error message on the server:
> 13[IKE] EAP-Identity request configured, but not supported
> 13[IKE] initiating EAP_RADIUS method
> 
> and the client IKE id (clientfqdn) is sent to the radius server for the 
> authentication, instead of the client eap_identity (0111222333444555). I 
> must set the client leftid to 0111222333444555 for the EAP 
> authentication to succeed.
> 
> Therefore, I am wondering if this eap_identity specification is actually 
> supported?
> Am I doing something wrong?
> 
> I can give the full configuration on demand.
> 
> Regards,
> Christophe

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
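As an added illustration, not part of either message and not the configuration from the linked test scenario, here is the shape of the two-sided setup Andreas describes: the client defines a separate EAP identity, the gateway accepts any EAP identity and hands the EAP exchange to RADIUS, and the eap-identity plugin is explicitly loaded so that "EAP-Identity request configured, but not supported" does not appear. Hostnames, identities, the certificate file name, the RADIUS address and the shared secret are placeholders.

```ini
# --- client ipsec.conf (placeholder identities; added example) ---
conn home
    keyexchange=ikev2
    left=%defaultroute
    leftid=carol@example.org        # IKEv2 identity (IDi), independent of the EAP identity
    leftauth=eap                    # client authenticates with EAP
    eap_identity=0111222333444555   # sent in the EAP-Identity response, not as IDi
    right=gw.example.org
    rightid=@gw.example.org
    rightauth=pubkey
    rightsendcert=always
    auto=add

# --- gateway ipsec.conf (placeholder identities; added example) ---
conn rw-eap
    keyexchange=ikev2
    left=%defaultroute
    leftid=@gw.example.org
    leftcert=gwCert.pem             # placeholder certificate file
    leftauth=pubkey
    right=%any
    rightid=*@example.org           # wildcard IKEv2 identity; %any also works
    rightauth=eap-radius            # relay the EAP exchange to the RADIUS server
    eap_identity=%any               # ask the client for its EAP identity first
    rightsendcert=never
    auto=add

# --- gateway strongswan.conf (added example) ---
charon {
    # Without eap-identity in this list charon cannot send the EAP-Identity
    # request and logs "EAP-Identity request configured, but not supported".
    # Adjust the rest of the list to what your build already loads; the
    # last two entries are the point.
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown eap-identity eap-radius
    plugins {
        eap-radius {
            server = 10.0.0.10      # placeholder RADIUS server address
            secret = CHANGE_ME      # placeholder shared secret
        }
    }
}
```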