[strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Tue Oct 11 18:02:59 CEST 2016


Dear Andreas,
  Thank you for your valuable inputs. My issue is solved now.

Thanks,
Ravikanth

On Tue, Oct 11, 2016 at 8:47 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> aaa_identity is used by an EAP client to verify the identity
> in the TLS server certificate if it is different from the IKEv2
> server certificate.
>
> Regards
>
> Andreas
>
> On 11.10.2016 13:36, Ravi Kanth Vanapalli wrote:
> > Adding option (3) here.
> >
> > 3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id)
> >
> > Which of the identities (1), (2) or (3) is used to fetch the
> > private key in EAP_TLS authentication?
> >
> >
> > On Tue, Oct 11, 2016 at 7:28 AM, Ravi Kanth Vanapalli
> > <vvnrk.vanapalli at gmail.com <mailto:vvnrk.vanapalli at gmail.com>> wrote:
> >
> >     Sure Andreas. Thank you for this valuable input. I will give a try.
> >
> >     Could you please confirm the difference between 1 and 2 below
> >
> >     1) auth->add(auth, AUTH_RULE_IDENTITY, id);
> >     2)     auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);
> >
> >     My understanding is that (1) is used to fill the IDi in the first
> >     IKE_AUTH message.
> >     Second one is used for identity verification in EAP methods.  eg.
> >     EAP-TLS uses identity added in AUTH_RULE_EAP_IDENTITY for fetching
> >     the private certificate.
> >     (1) and (2) can be different.
> >
> >     Kindly confirm that my understanding is correct.
> >
> >     Thanks,
> >     Ravikanth
> >
> >     On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen
> >     <andreas.steffen at strongswan.org
> >     <mailto:andreas.steffen at strongswan.org>> wrote:
> >
> >         Hi Ravi,
> >
> >         why don't you use the eap_identity parameter?
> >
> >         Regards
> >
> >         Andreas
> >
> >         On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
> >         > Hi all,
> >         >
> >         > I have a situation wherein I need to alter the IDi slightly
> >         > before the EAP-TLS authentication proceeds. I.e IDi in the
> >         > first IKE_AUTH message should be different to IDi to be used
> >         > for user private key lookup in the EAP-TLS user authentication.
> >         >
> >         > I see that the API 'eap_tls_create_peer' is being used, to
> >         > initialize the peer identity in TLS plugin.
> >         > This is being registered with plugin eap_tls_plugin.c
> >         >
> >         > I am finding it difficult to know which module calls this API
> >         > eap_tls_create_peer to initialize EAP TLS peer identity.
> >         >
> >         > Kindly provide any inputs regarding my issue.
> >         >
> >         > Thank you very much.
> >         >
> >         > --
> >         > Regards,
> >         > RaviKanth
> >
> >         ======================================================================
> >         Andreas Steffen
> >          andreas.steffen at strongswan.org
> >         <mailto:andreas.steffen at strongswan.org>
> >         strongSwan - the Open Source VPN Solution!
> >         www.strongswan.org <http://www.strongswan.org>
> >         Institute for Internet Technologies and Applications
> >         University of Applied Sciences Rapperswil
> >         CH-8640 Rapperswil (Switzerland)
> >         ===========================================================[ITA-HSR]==
> >
> >
> >
> >
> >     --
> >     Regards,
> >
> >     RaviKanth VN Vanapalli
> >     Email: vvnrk.vanapalli at gmail.com <mailto:vvnrk.vanapalli at gmail.com>
> >
> >
> >
> >
> > --
> > Regards,
> >
> > RaviKanth VN Vanapalli
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>


-- 
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapalli at gmail.com
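The thread above distinguishes three identities on the EAP-TLS client: the IKEv2 IDi (AUTH_RULE_IDENTITY, set by leftid), the EAP identity (AUTH_RULE_EAP_IDENTITY, set by eap_identity) used by the EAP-TLS method for its certificate and private key lookup, and the AAA identity (AUTH_RULE_AAA_IDENTITY, set by aaa_identity) checked against the TLS server certificate when it differs from the gateway's IKEv2 identity. The ipsec.conf fragment below is an added example that is not part of the thread or of the strongSwan project's own documentation; the hostnames, identities and file names are constructed for illustration.

```conf
# ipsec.conf on the roadwarrior (EAP-TLS client); constructed example
conn rw-eap-tls
    keyexchange=ikev2
    left=%defaultroute
    # IDi sent in the first IKE_AUTH message (AUTH_RULE_IDENTITY)
    leftid=ravi@example.com
    # identity used by the EAP-TLS method: the client certificate and
    # private key are looked up under this identity (AUTH_RULE_EAP_IDENTITY)
    eap_identity=ravi-eap@example.com
    leftauth=eap-tls
    right=vpn.example.com
    # identity of the IKEv2 gateway, verified against its IKEv2 certificate
    rightid=@vpn.example.com
    rightauth=pubkey
    # identity expected in the TLS server certificate presented inside EAP-TLS,
    # needed only when it differs from rightid (AUTH_RULE_AAA_IDENTITY)
    aaa_identity=@aaa.example.com
    auto=add
```

With this layout the private key for ravi-eap@example.com must still be loaded (for example with an `: RSA` entry in ipsec.secrets) and the client certificate must carry that identity as subject or subjectAltName, otherwise EAP-TLS has no key to present. Leaving aaa_identity unset makes the client verify the TLS server certificate against rightid, which is the safer default unless the AAA backend really is a separate entity.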