[strongSwan] IKEv2 EAP identity

Ajay Agrawal ajay_agr at yahoo.com
Thu Aug 27 18:15:32 CEST 2015


Hi Andreas,
Thanks for your reply!
On Win7, without a SAN in the user cert, authentication fails. Based on the following link, the SAN must be the same as the CN in the user cert. With this setting, the Win7 IKEv2 client connects to strongSwan.
https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Is there any way to override the EAP identity to other than CN (==SAN)?
Thanks,
-Ajay

On Thursday, August 27, 2015 7:04 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

Hi Ajay,

from my experience Windows 7/8 does not allow you to choose the
EAP Identity when using EAP-TLS with user certificates.
If a subjectAlternativeName is present in the certificate
then this is preferred over the subjectDistinguishedName (DN).

What's new to me is that the CommonName (CN) would be chosen
as the EAP Identity.

Regards

Andreas

On 27.08.2015 14:36, Ajay Agrawal wrote:
> Hi All,
>
> Below is my default.ipsec.conf settings:
>
> conn win7
>      keyexchange=ikev2
>      eap_identity=%any
>      leftauth=pubkey
>      rightauth=eap-tls
>      right=%any
>      left=%defaultroute
>      leftcert=vpn02.pem
>      leftsendcert=yes
>      rightsendcert=never
>      rightsourceip=10.100.128.0/17
>      leftsubnet=172.16.177.42/32
>      auto=add
>
>
> With this configuration, EAP identity received is the CN from client
> (user) certificate. We need to get the eap_identity in the form of the full
> subject of the client certificate
> i.e. "/C=IN/ST=KA/L=*/O=*/OU=12345/CN=*/emailAddress=*". Any ideas how
> to achieve this? We need to get the full subject so that we can
> different connection profiles based on the different OU?
>
> Thanks,
> -Ajay

-- 
======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


  