[strongSwan] Using RADIUS EAP-TLS auth on the Strongswan Android app

Tobias Brunner tobias at strongswan.org
Thu Jun 29 12:55:05 CEST 2017


Hi Aanand,

> Can this capability be added in the next release? 

The problem is that some implementations (including strongSwan with
default settings) might not send a certificate back if they don't
receive a matching certificate request.  So disabling them will only
work if the server behaves appropriately.

Sending them all, by the way, is the same behavior seen with Windows'
built-in IKEv2 client.  And with IKEv2 fragmentation the size of the
IKE_AUTH messages is not an issue anymore (if the server supports it, of
course - since the Windows client does not support it, and does not
allow selecting a single CA, it actually is a problem there).  On the
other hand, the iOS IKEv2 client does not send any certificate requests
unless a specific CA is configured, therefore common server configs will
probably force sending the server certificate anyway (in strongSwan via
leftsendcert/send_cert=always).

So maybe we could add an option to avoid sending certificate requests
too, but the only use case I can see for this is reducing the size of
the IKE_AUTH message with servers that (1) do not support fragmentation
but (2) always send the certificate, and either the user doesn't know
which CA certificate she has to select (otherwise selecting the right
certificate should do the trick), or if more than one CA certificate is
required when using EAP-TLS.  However, for the latter we could also add
an option to select an additional specific AAA CA certificate (together
with the selected CA certificate for IKE that would then only add two
certificate requests to IKE_AUTH).

Regards,
Tobias
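A server-side swanctl.conf fragment showing how the settings the message refers to fit together (send_cert = always, IKEv2 fragmentation, and EAP-TLS forwarded to RADIUS via eap-radius). This is an added example, not part of the original message or the strongSwan project's documentation; the connection name, identity, file names and address ranges are constructed placeholders.

```conf
# Added example, not from the mail: swanctl.conf for a strongSwan IKEv2
# responder that authenticates road-warrior clients with EAP-TLS over RADIUS.
# Connection name, identity and certificate file name are placeholders.
connections {
    rw-eap-tls {
        version = 2
        local_addrs  = 0.0.0.0/0
        remote_addrs = 0.0.0.0/0

        # IKEv2 fragmentation keeps large IKE_AUTH messages (many certificate
        # requests, or a long server chain) below the path MTU; it only takes
        # effect if the client supports it, as noted in the mail.
        fragmentation = yes

        # Send the server certificate even when the client includes no
        # matching certificate request (the leftsendcert/send_cert=always case).
        send_cert = always

        local {
            auth  = pubkey
            certs = serverCert.pem
            id    = vpn.example.org
        }
        remote {
            # The eap-radius plugin relays the EAP-TLS exchange to the RADIUS
            # server configured under charon.plugins.eap-radius in strongswan.conf.
            auth   = eap-radius
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-x25519
            }
        }
        proposals = aes256gcm16-prfsha384-x25519
    }
}
```

The RADIUS server address and shared secret are not part of this file; they belong in the eap-radius plugin section of strongswan.conf. With send_cert = always the client-side choice of which CA certificate requests to send no longer affects whether the server certificate arrives, which is the point made above about common server configurations.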