[strongSwan] Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?
martin at strongswan.org
Mon Apr 14 13:23:56 CEST 2014
> > The peer rejects authentication, but we can't see why on this end. Maybe
> > the Aruba peer has more information about this failure in its log?
> This gives ERR_IPSEC_NO_MAP.
Hm, hard to say what this error means. Maybe Aruba or its community has
more experience with this?
> > Seems that the peer does not respond to the EAP-TLS message. Again, the
> > Aruba log might have information why it doesn't continue.
> It's very unsure what fails here, we see an authentication error from
> the radius but unsure what fails, if its the ID to certificate map or
> the certificate itself.
> Is there any way to get more debug information out of strongSwan for the
> EAP-TLS authentication?
EAP-TLS and its TLS stack use the tls logging group . Increasing its
level to 2 gives more info on the control flow. But probably you'll need
to debug this on the other end and/or RADIUS.
> Also, if I do not specify an leftid the DN from the certificate is used
> and it fails even faster.
Usually you specify an EAP-Identity to negotiate before EAP-TLS. Using a
DN for it is usually not what you want, its binary encoding does not
work very well inside EAP. E-mail or DNS names usually works better. You
may specify it for both IKE and EAP using leftid, or with the
eap_identity keyword for EAP only, man ipsec.conf for details.
> I have UTF-8 characters in my DN, has there been problems with that in
> strongSwan before? My DN is not displayed correctly in the terminal
> from the strongSwan output but everything looks ok when checking the
> certificate with openssl x509.
We replace any non-ASCII characters with '?' before printing them to
avoid messing up your console/log. DNs are not strings, but raw ASN1 DER
encoding. Hence you should avoid using them in EAP identities.
More information about the Users