[strongSwan] eap-md5: constraint requires public key authentication, but EAP was used

Tobias Brunner tobias at strongswan.org
Wed Feb 11 17:00:15 CET 2015

Hi Michael,

> no. the problem was that in the destict TNC documentation
> https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect and 
> the links in this site there is no mentioning switching off 
> multiple_authentication in charon.conf:
> multiple_authentication = no
> It is included in the documention web sites you mentioned. But searching for 
> "strongswan tnc" give the above mentioned website on top.

As Andreas wrote at [1] too, that option does not have to be disabled
for TNC or mutual EAP to work.  In fact, the ikev2/rw-eap-ttls-only
scenario mentioned by Martin completes just fine without disabling
multiple authentication rounds.  If you have proof otherwise, please
extend the bug report you opened.


[1] https://wiki.strongswan.org/issues/822

More information about the Users mailing list