[strongSwan] Is eap_identity configuration supported?

Christophe Gouault christophe.gouault at 6wind.com
Thu Feb 24 17:21:53 CET 2011


Hi Andreas,

Andreas Steffen wrote:
> Hello Christophe,
>
> have a look at our EAP-SIM with EAP-Identity via EAP-radius
> example scenario:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/
>
> Client "carol" defines both an IKEv2 and an EAP identity in ipsec.conf:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/carol.ipsec.conf
>
> Gateway "moon" defines rightid with a wildcard (could also be %any)
> and eap_identity=%any
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.ipsec.conf
>
> What you probably forgot and causes the following error message
>
>   
>> 13[IKE] EAP-Identity request configured, but not supported
>>     
>
> to be issued, is to load the eap-identity plugin on the server:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.strongswan.conf
>
> The command "ipsec statusall" should list the eap-identity plugin.
>   
Indeed, this plugin is missing, this is probably the reason.
I'll try to compile and load it.
> Best regards
>
> Andreas
>
> On 02/24/2011 03:42 PM, Christophe Gouault wrote:
>   
>> Hi all,
>>
>> I am currently doing IKEv2+EAP tests, using charon for both the client 
>> (EAP supplicant) and the server (EAP authenticator).
>> The version of strongSwan I use is 4.3.6.
>>
>> - the client side is configured to do EAP-AKA
>> - the server side is configured to do EAP-radius
>> - a radius server performs the EAP authentication
>>
>> I can successfully establish an IKE negotiation, but the EAP identity of 
>> the client is always set to its IKE identity (rightid field) instead of 
>> its configured EAP identity (eap_identity field).
>>
>> I tried various configurations:
>>
>> * the server is expected to ask the client for its EAP identity:
>>
>> client:
>> leftid=@clientfqdn
>> right=@serverfqdn
>> eap_identity=0111222333444555
>>
>> server:
>> leftid=@serverfqdn
>> rightid=%any
>> eap_identity=%
>>
>> * the server hardcodes the client identity:
>> client:
>> leftid=@clientfqdn
>> right=@serverfqdn
>> eap_identity=0111222333444555
>>
>> server:
>> leftid=@serverfqdn
>> rightid=%any
>> eap_identity=0111222333444555
>>
>> * I also tried to not specify the leftid, but the identity sent to the 
>> radius server is random data.
>>
>> I always have the same error message on the server:
>> 13[IKE] EAP-Identity request configured, but not supported
>> 13[IKE] initiating EAP_RADIUS method
>>
>> and the client IKE id (clientfqdn) is sent to the radius server for the 
>> authentication, instead of the client eap_identity (0111222333444555). I 
>> must set the client leftid to 0111222333444555 for the EAP 
>> authentication to succeed.
>>
>> Therefore, I am wondering if this eap_identity specification is actually 
>> supported?
>> Am I doing something wrong?
>>
>> I can give the full configuration on demand.
>>
>> Regards,
>> Christophe
>>     
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>   
Thanks and Regards,
Christophe.




More information about the Users mailing list