[strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Tue Oct 11 18:47:41 CEST 2016


From the code it looks like the identity set using AUTH_RULE_EAP_IDENTITY is
used only in the EAP Identity rounds.
This identity is not being used for the id check in the API find_private_key in
tls_peer.c.

Thanks,
Ravikanth

On Tue, Oct 11, 2016 at 12:09 PM, Ravi Kanth Vanapalli <
vvnrk.vanapalli at gmail.com> wrote:

> Dear Andreas,
>    Looks like my issue is not solved yet.
>    I have modified the identity with the statement below:
> (1) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id2);
>
> But still EAP-TLS is looking for the identity set with
>
> 1) auth->add(auth, AUTH_RULE_IDENTITY, id1);
>
> Can you please help me with this issue.
>
> Thanks,
> Ravikanth
>
> On Tue, Oct 11, 2016 at 12:02 PM, Ravi Kanth Vanapalli <
> vvnrk.vanapalli at gmail.com> wrote:
>
>> Dear Andreas,
>>   Thank you for your valuable inputs. My issue is solved now.
>>
>> Thanks,
>> Ravikanth
>>
>> On Tue, Oct 11, 2016 at 8:47 AM, Andreas Steffen <
>> andreas.steffen at strongswan.org> wrote:
>>
>>> aaa_identity is used by an EAP client to verify the identity
>>> in the TLS server certificate if it is different from the IKEv2
>>> server certificate.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 11.10.2016 13:36, Ravi Kanth Vanapalli wrote:
>>> > Adding option (3) here.
>>> >
>>> > 3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id)
>>> >
>>> > Which of the following identities (1), (2) or (3) is used to fetch the
>>> > private key in EAP-TLS authentication?
>>> >
>>> >
>>> > On Tue, Oct 11, 2016 at 7:28 AM, Ravi Kanth Vanapalli
>>> > <vvnrk.vanapalli at gmail.com <mailto:vvnrk.vanapalli at gmail.com>> wrote:
>>> >
>>> >     Sure Andreas. Thank you for this valuable input. I will give it a try.
>>> >
>>> >     Could you please confirm the difference between 1 and 2 below:
>>> >
>>> >     1) auth->add(auth, AUTH_RULE_IDENTITY, id);
>>> >     2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);
>>> >
>>> >     My understanding is that (1) is used to fill the IDi in the first
>>> >     IKE_AUTH message.
>>> >     The second one is used for identity verification in EAP methods, e.g.
>>> >     EAP-TLS uses the identity added in AUTH_RULE_EAP_IDENTITY for fetching
>>> >     the private certificate.
>>> >     (1) and (2) can be different.
>>> >
>>> >     Kindly confirm that my understanding is correct.
>>> >
>>> >     Thanks,
>>> >     Ravikanth
>>> >
>>> >     On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen
>>> >     <andreas.steffen at strongswan.org
>>> >     <mailto:andreas.steffen at strongswan.org>> wrote:
>>> >
>>> >         Hi Ravi,
>>> >
>>> >         why don't you use the eap_identity parameter?
>>> >
>>> >         Regards
>>> >
>>> >         Andreas
>>> >
>>> >         On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
>>> >         > Hi all,
>>> >         >
>>> >         > I have a situation wherein I need to alter the IDi slightly
>>> >         > before the EAP-TLS authentication proceeds. I.e. the IDi in the
>>> >         > first IKE_AUTH message should be different from the IDi to be
>>> >         > used for the user private key lookup in the EAP-TLS user
>>> >         > authentication.
>>> >         >
>>> >         > I see that the API 'eap_tls_create_peer' is being used to
>>> >         > initialize the peer identity in the TLS plugin.
>>> >         > This is being registered with the plugin eap_tls_plugin.c.
>>> >         >
>>> >         > I am finding it difficult to know which module calls this API
>>> >         > eap_tls_create_peer to initialize the EAP-TLS peer identity.
>>> >         >
>>> >         > Kindly provide any inputs regarding my issue.
>>> >         >
>>> >         > Thank you very much.
>>> >         >
>>> >         > --
>>> >         > Regards,
>>> >         > RaviKanth
>>> >
>>> >         ======================================================================
>>> >         Andreas Steffen                         andreas.steffen at strongswan.org
>>> >         strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>> >         Institute for Internet Technologies and Applications
>>> >         University of Applied Sciences Rapperswil
>>> >         CH-8640 Rapperswil (Switzerland)
>>> >         ===========================================================[ITA-HSR]==
>>> >
>>> >
>>> >
>>> >
>>>
>>
>>
>
>
>



-- 
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapalli at gmail.com
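For reference, the three identities discussed in this thread (IKE identity, EAP identity, AAA identity) can also be set from ipsec.conf instead of through auth_cfg rules in code. The following is an added illustration for this archive page, not configuration from the thread or from the strongSwan project; the connection name, host names, identities and certificate file name are made-up placeholders.

```ini
# ipsec.conf -- added illustration, all names below are placeholders
conn eap-tls-client
    keyexchange=ikev2
    left=%defaultroute
    # IDi sent in the first IKE_AUTH message (AUTH_RULE_IDENTITY)
    leftid=ikeuser@example.org
    leftauth=eap-tls
    # identity the client returns in the EAP-Identity round
    # (AUTH_RULE_EAP_IDENTITY); may differ from leftid
    eap_identity=tlsuser@example.org
    # identity expected in the TLS server certificate when it differs
    # from the IKEv2 server certificate (AUTH_RULE_AAA_IDENTITY)
    aaa_identity=aaa.example.org
    # client certificate whose private key EAP-TLS has to find
    leftcert=clientCert.pem
    right=vpn.example.org
    rightid=vpn.example.org
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    auto=start
```

With swanctl.conf the same three values are local.id, local.eap_id and local.aaa_id in the connection's local section. Note that the follow-up at the top of this thread reports that, in Ravi's reading of the code, the identity set via AUTH_RULE_EAP_IDENTITY is only consulted during the EAP-Identity exchange and not by find_private_key in tls_peer.c, so the thread leaves open whether the EAP-TLS private key lookup follows eap_identity or leftid. When the two identities differ, verifying which one the private key is looked up under is the first thing to check.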