[strongSwan] IKEv2 EAP identity

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 27 15:34:42 CEST 2015

Hi Ajay,

from my experience Windows 7/8 does not allow you to choose the
EAP Identity when using EAP-TLS with user certificates.
If a subjectAlternativeName is present in the certificate
then this is preferred over the subjectDistinguishedName (DN).

What's new to me is that the CommonName (CN) would be chosen
as the EAP Identity.



On 27.08.2015 14:36, Ajay Agrawal wrote:
> Hi All,
> Below are my default.ipsec.conf settings:
> conn win7
>      keyexchange=ikev2
>      eap_identity=%any
>      leftauth=pubkey
>      rightauth=eap-tls
>      right=%any
>      left=%defaultroute
>      leftcert=vpn02.pem
>      leftsendcert=yes
>      rightsendcert=never
>      rightsourceip=
>      leftsubnet=
>      auto=add
> With this configuration, the EAP identity received is the CN from the client
> (user) certificate. We need to get the eap_identity in the form of the full
> subject of the client certificate,
> i.e. "/C=IN/ST=KA/L=*/O=*/OU=12345/CN=*/emailAddress=*". Any ideas how
> to achieve this? We need to get the full subject so that we can use
> different connection profiles based on the different OU.
> Thanks,
> -Ajay

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
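
Why the per-OU selection asked about above needs the full subject, as an added Python illustration that is not part of the original messages and is not strongSwan code: it matches an identity against wildcard subject patterns component by component. The profile names, the second pattern and the sample identities are constructed, and values are assumed to contain no "/".

```python
# Added illustration, not strongSwan code. Profile names are hypothetical.

def parse_subject(subject):
    """Split an OpenSSL one-line subject ("/C=IN/.../CN=x") into (type, value) pairs.
    Assumption: no value contains a "/" character."""
    rdns = []
    for part in subject.strip().split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError("not a DN component: %r" % part)
        rdns.append((key.strip(), value.strip()))
    if not rdns:
        raise ValueError("empty subject")
    return rdns

def dn_matches(pattern, identity):
    """True if identity has the same component sequence as pattern; "*" matches any value."""
    try:
        pat, ident = parse_subject(pattern), parse_subject(identity)
    except ValueError:
        return False  # identity is not a DN, e.g. a bare CN or an e-mail style SAN
    if len(pat) != len(ident):
        return False
    return all(pk.lower() == ik.lower() and (pv == "*" or pv == iv)
               for (pk, pv), (ik, iv) in zip(pat, ident))

# First pattern is the one quoted in the question; the second is constructed.
PROFILES = [
    ("profile-ou-12345", "/C=IN/ST=KA/L=*/O=*/OU=12345/CN=*/emailAddress=*"),
    ("profile-ou-67890", "/C=IN/ST=KA/L=*/O=*/OU=67890/CN=*/emailAddress=*"),
]

def select_profile(identity):
    """Return the first profile whose pattern matches the identity, else None."""
    for name, pattern in PROFILES:
        if dn_matches(pattern, identity):
            return name
    return None

if __name__ == "__main__":
    # Constructed identities: a full subject, a CN only, and a SAN-style value.
    for ident in ("/C=IN/ST=KA/L=Bangalore/O=Example/OU=12345/CN=alice/emailAddress=alice@example.com",
                  "alice", "alice@example.com"):
        print(repr(ident), "->", select_profile(ident))
```

An identity that carries only the CN or a subjectAlternativeName value never matches, because the OU is simply not present in it.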
