[strongSwan] Integrating strongSwan with a PAP-only RADIUS backend

Kyle Seever kyledseever at gmail.com
Fri Dec 22 21:33:22 CET 2017


I am currently trying to integrate strongSwan (v5.3.5) with a PAP-only
RADIUS proxy. Currently, I'm using a client profile of IKEv2 with EAP which
connects to strongSwan without issue. strongSwan is configured with
*rightauth=eap-radius* and *rightauth2=xauth-radius:profile*. My reading of
the eap-radius#xauth
<https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius#XAuth> plugin
was such that it would translate the EAP conversation to regular XAuth
credentials sent to the RADIUS backend via the regular User-Name and
User-Password attributes. When I inspect the network traffic, the plugin is
still encapsulating the EAP messages back to the AAA.

What am I misunderstanding about the builtin XAuth backend in the plugin,
and what are some options I have going forward? Will I have to downgrade to
traditional XAuth over IKEv1?

Thanks in advance,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171222/c3915088/attachment.html>

More information about the Users mailing list