[strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

Andreas Steffen andreas.steffen at strongswan.org
Tue Oct 11 14:44:45 CEST 2016


Hi Ravi,

yes, your understanding is correct.

Regards

Andreas

On 11.10.2016 13:28, Ravi Kanth Vanapalli wrote:
> Sure Andreas. Thank you for this valuable input. I will give it a try.
> 
> Could you please confirm the difference between 1 and 2 below
> 
> 1) auth->add(auth, AUTH_RULE_IDENTITY, id);
> 2)     auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);
> 
> My understanding is that (1) is used to fill the IDi in the first
> IKE_AUTH message.
> Second one is used for Identity verification in EAP methods.  e.g.
> EAP-TLS uses identity added in AUTH_RULE_EAP_IDENTITY for fetching the
> private certificate.
> (1) and (2) can be different.
> 
> Kindly confirm that my understanding is correct.
> 
> Thanks,
> Ravikanth
> 
> On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
> 
>     Hi Ravi,
> 
>     why don't you use the eap_identity parameter?
> 
>     Regards
> 
>     Andreas
> 
>     On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
>     > Hi all,
>     >
>     > I have a situation wherein I need to alter the IDi slightly before the
>     > EAP-TLS authentication proceeds. I.e. IDi in the first IKE_AUTH message
>     > should be different to IDi to be used for user private key lookup in the
>     > EAP-TLS user authentication.
>     >
>     > I see that the API 'eap_tls_create_peer' is being used, to initialize
>     > the peer identity in TLS plugin.
>     > This is being registered with plugin eap_tls_plugin.c
>     >
>     > I am finding it difficult to know which module calls this API
>     > eap_tls_create_peer to initialize EAP TLS peer identity.
>     >
>     > Kindly provide any inputs regarding my issue.
>     >
>     > Thank you very much.
>     >
>     > --
>     > Regards,
>     > RaviKanth
> 
>     ======================================================================
>     Andreas Steffen                         andreas.steffen at strongswan.org
>     strongSwan - the Open Source VPN Solution!          www.strongswan.org
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==
> 
> 
> 
> 
> -- 
> Regards,
> 
> RaviKanth VN Vanapalli
> Ph: (469) 999 7567
> Email: vvnrk.vanapalli at gmail.com

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
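
The `eap_identity` parameter mentioned in this thread, shown as an added ipsec.conf sketch for both ends (not part of the original messages and not taken from the strongSwan sources). All connection names, host names and identities are constructed placeholders, and loading of the client certificate and private key is assumed to be configured separately.

```conf
# --- client side (constructed example) ---
conn eap-tls-client
    keyexchange=ikev2
    right=vpn.example.org
    rightid=@vpn.example.org
    rightauth=pubkey
    leftauth=eap-tls
    # IKE identity: sent as IDi in the first IKE_AUTH message
    leftid=device-1234@example.org
    # EAP identity: answers the EAP Identity request and is the
    # identity the EAP-TLS method works with
    eap_identity=user@example.org
    auto=add

# --- gateway side (constructed example) ---
conn eap-tls-gateway
    keyexchange=ikev2
    left=%any
    # assumes gatewayCert.pem carries vpn.example.org as subjectAltName
    leftid=@vpn.example.org
    leftcert=gatewayCert.pem
    leftauth=pubkey
    right=%any
    rightauth=eap-tls
    # ask the client for its EAP identity; without this the gateway
    # uses the IKEv2 identity (IDi) as the EAP identity
    eap_identity=%identity
    auto=add
```

If the gateway omits `eap_identity=%identity`, no EAP Identity exchange takes place and the client's separate `eap_identity` value is never requested, so check both ends when the two identities are meant to differ.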
