[strongSwan] Enforcing multiple-authentication locally when the remote does not

Martin Willi martin at strongswan.org
Wed Feb 27 16:17:36 CET 2013


> What I want is to configure the local to demand that the remote issue
> an eap challenge to the local.

This is automatically done if you configure "leftauth=eap", see below.
But this does not require that a mutual EAP method is used where the
responder gets authenticated, too.

> What I think you have implemented is that both sides issue eap
> challenges to each other ?

No. There is no way that a responder can request the initiator to do
EAP. This is always triggered by the initiator (by omitting the AUTH
payload). The responder then must start EAP authentication using EAP
payloads.

EAP in IKEv2 is asymmetric. If you configure "rightauth=eap-whatever" on
the responder, the initiator MUST trigger EAP (again, by omitting the
AUTH payload). However, for "rightauth=eap" on the initiator, there is
no way the responder can do its own EAP exchange. Instead, this means
that the responder must have been authenticated in the initiator's EAP
exchange using a mutual EAP method, such as EAP-AKA or EAP-TLS.

Regards
Martin
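The two configurations the reply describes, written out as ipsec.conf fragments. This is an added example and not part of the original message or of strongSwan's own documentation; the connection name, identities, address and certificate file name are placeholders, and the responder's `leftauth=eap` line is an assumption about how the responder side is paired with a mutual method, not something the reply states.

```ini
# Initiator side (left = this host). Assumed placeholder values throughout.
conn eap-mutual
    left=%defaultroute
    leftid=client@example.org
    # leftauth=eap: the initiator omits the AUTH payload, which is the only
    # way to make the responder start an EAP exchange.
    leftauth=eap
    right=203.0.113.1
    rightid=vpn.example.org
    # rightauth=eap on the initiator does NOT make the responder run its own
    # EAP; it means the responder must already have been authenticated by a
    # mutual EAP method (EAP-AKA, EAP-TLS, ...) inside the initiator's exchange.
    rightauth=eap
    auto=add

# Responder side (left = this host). Assumed placeholder values throughout.
conn eap-mutual
    left=203.0.113.1
    leftid=vpn.example.org
    leftcert=serverCert.pem          # assumed file name
    leftauth=eap                     # assumption: responder is also bound to the EAP result
    # rightauth=eap-<method> on the responder forces the initiator to trigger
    # EAP by omitting AUTH; a mutual method is needed for the initiator's
    # rightauth=eap to be satisfiable.
    rightauth=eap-tls
    auto=add
```

The point to verify when deploying this is that the method named in the responder's `rightauth=` is genuinely mutual; with a one-way method such as EAP-MD5 the initiator's `rightauth=eap` cannot be satisfied and the negotiation fails.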