[strongSwan] Integrating strongSwan with a PAP-only RADIUS backend

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Dec 22 21:51:21 CET 2017


The xauth-radius authentication method encapsulates the XAUTH credentials in RADIUS packets. It does not translate an EAP conversation to XAUTH.

Kind regards


On 22.12.2017 21:33, Kyle Seever wrote:
> Hello,
> I am currently trying to integrate strongSwan (v5.3.5) with a PAP-only RADIUS proxy. Currently, I'm using a client profile of IKEv2 with EAP which connects to strongSwan without issue. strongSwan is configured with /rightauth=eap-radius/ and /rightauth2=xauth-radius:profile/. My reading of the eap-radius#xauth <https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius#XAuth> plugin was such that it would translate the EAP conversation to regular XAuth credentials sent to the RADIUS backend via the regular User-Name and User-Password attributes. When I inspect the network traffic, the plugin is still encapsulating the EAP messages back to the AAA.
> What am I misunderstanding about the builtin XAuth backend in the plugin, and what are some options I have going forward? Will I have to downgrade to traditional XAuth over IKEv1?
> Thanks in advance,
> -Kyle

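An added example, not part of the original thread and not strongSwan code: a minimal parser that tells, for a captured RADIUS Access-Request, whether it carries EAP-Message (attribute 79, RFC 3579) or the User-Name/User-Password pair (attributes 1 and 2, RFC 2865) that a PAP-only backend expects. The sample packets, the `build` helper and the user name `carol` are constructed for illustration.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 3579)
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80
ACCESS_REQUEST = 1

def parse_attributes(packet):
    """Return (type, value) pairs from a RADIUS packet, validating all lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def classify_access_request(packet):
    """'eap' if EAP-Message is present, 'pap' if User-Password is, else 'other'."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_REQUEST:
        return "not-access-request"
    types = {t for t, _ in attrs}
    if EAP_MESSAGE in types:
        return "eap"   # EAP conversation relayed to the AAA server
    if USER_PASSWORD in types:
        return "pap"   # plain User-Name/User-Password credentials
    return "other"

def build(code, attrs):
    """Hypothetical helper: assemble a packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples. EAP-Response/Identity: code 2, id 0, length 10, type 1.
EAP_IDENTITY = bytes([2, 0, 0, 10, 1]) + b"carol"
EAP_REQ = build(ACCESS_REQUEST, [(USER_NAME, b"carol"), (EAP_MESSAGE, EAP_IDENTITY),
                                 (MESSAGE_AUTHENTICATOR, bytes(16))])
PAP_REQ = build(ACCESS_REQUEST, [(USER_NAME, b"carol"), (USER_PASSWORD, bytes(16))])

if __name__ == "__main__":
    print(classify_access_request(EAP_REQ), classify_access_request(PAP_REQ))
```

Pass it the UDP payload of a request captured between the gateway and the RADIUS server.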