[strongSwan] initialzing EAP TLS peer with a different IDi than the IDi used in teh first IKE AUTH message

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Tue Oct 11 13:36:31 CEST 2016


Adding option (3) here.

3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id)

Which of the following identities (1),2 or 3 is used to fetch the private
key in EAP_TLS authentcation.


On Tue, Oct 11, 2016 at 7:28 AM, Ravi Kanth Vanapalli <
vvnrk.vanapalli at gmail.com> wrote:

> Sure Andreas. Thank you for this valuable input. I will give a try.
>
> Could you please confirm the difference between 1 and 2 below
>
> 1) auth->add(auth, AUTH_RULE_IDENTITY, id);
> 2)     auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);
>
> My understanding is that (1) is used to fill the IDi in the first IKE_AUTH
> message.
> Second one is used for Identitiy verification in EAP methods.  eg. EAP-TLS
> uses identity added in AUTH_RULE_EAP_IDENTITY for fetching the private
> certificate.
> (1) and (2) can be different.
>
> Kindly confirm that my understanding is correct.
>
> Thanks,
> Ravikanth
>
> On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hi Ravi,
>>
>> why don't you use the eap_identity parameter?
>>
>> Regards
>>
>> Andreas
>>
>> On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
>> > Hi all,
>> >
>> > I have a situation wherein I need to alter the IDi slightly before the
>> > EAP-TLS authentication proceeds. I.e IDi in the first IKE_AUTH message
>> > should be different to IDi to be used for user private key lookup in the
>> > EAP-TLS user authentication.
>> >
>> > I see that the API 'eap_tls_create_peer' is being used, to initialize
>> > the peer identitiy in TLSplugin.
>> > This is being registered with plugin eap_tls_plugin.c
>> >
>> > I am finding it difficult to know which module calls this API
>> > eap_tls_create_peer to initialize EAP TLS peer identity.
>> >
>> > Kindly provide any inputs regarding my issue.
>> >
>> > Thank you very much.
>> >
>> > --
>> > Regards,
>> > RaviKanth
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
>
> --
> Regards,
>
> RaviKanth VN Vanapalli
> Email: vvnrk.vanapalli at gmail.com
>



-- 
Regards,

RaviKanth VN Vanapalli
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161011/437975d1/attachment.html>


More information about the Users mailing list