[strongSwan] radius and certificate CN user authentication
martin at strongswan.org
Wed Sep 10 11:31:07 CEST 2014
> I had the following working config which nevertheless prompts for
> username and password on the device (iPhone):

The whole point of XAuth authentication is to verify a username/password
combination. You may disable XAuth if you don't want that. Not sure if
that can be configured in the iPhone UI, though.

> What can I do to use the CN value from certificate for radius account
> instead of being prompted for the username and pwd?

You are "being prompted" regardless of RADIUS accounting, that is
unrelated. It is XAuth that prompts for username/password.

If a peer authenticates more than once (such as with XAuth), the
identity used for RADIUS accounting is the last identity authenticated.
When using XAuth, it is the XAuth username.

> 14[CFG] looking for XAuthInitRSA peer configs matching 10.30.10.213...10.30.10.121[00=AdaptiveMobile, CN=iphone-miro"]
> 14[IKE] no peer config found

A little more from your log, and the output of "ipsec statusall" would
certainly help in debugging this issue.

If your client is using Aggressive Mode, you'll have to set
aggressive=yes in ipsec.conf to match the connection.
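
Added example, not part of the original post and not the poster's configuration: two constructed ipsec.conf connections showing how the authentication rounds decide both the prompt and the identity that RADIUS accounting sees. Connection names, the certificate file name and the address pool are placeholders.

```conf
# ipsec.conf (constructed example; names, certificate file and pool are placeholders)

# Variant A: certificate plus XAuth.
# The client is prompted for username/password. XAuth is the last
# authentication round, so the XAuth username is the accounting identity.
conn ios-rsa-xauth
    keyexchange=ikev1
    aggressive=yes             # only if the client really uses Aggressive Mode
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem   # placeholder file name
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey           # round 1: client certificate
    rightauth2=xauth           # round 2: XAuth, the source of the prompt
    rightsourceip=10.0.0.0/24  # placeholder virtual IP pool
    auto=add

# Variant B: certificate only, XAuth disabled.
# No prompt. The certificate subject is the only (and therefore last)
# identity authenticated, so it is what RADIUS accounting reports.
conn ios-rsa-only
    keyexchange=ikev1
    aggressive=yes             # only if the client really uses Aggressive Mode
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem   # placeholder file name
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey           # single round: client certificate
    rightsourceip=10.0.0.0/24  # placeholder virtual IP pool
    auto=add
```

Variant B only matches a client that proposes plain RSA authentication; a client that still proposes XAuthInitRSA needs a connection with an XAuth round, as in Variant A.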