[strongSwan] swanctl.conf EAP credential information
Tobias Brunner
tobias at strongswan.org
Thu Nov 30 17:49:43 CET 2017
Hi,
The problem are the dots in the section names of your EAP secrets. For
instance:
eap-user1 at mydomain.com {
id = user1 at mydomain.com
secret=secret1
}
When enumerating the id... keys in these sections the current section
name was written to a string buffer instead of using the parameter
evaluation provided by settings_t. All dots in strings are interpreted
as section separators so the dot there caused a lookup of the section:
eap-user1 at mydomain {
com {
...
}
}
But since that doesn't exist no id... key was found in this section and
the secrets were not associated with any identities:
> Wed, 2017-11-29 10:59 07[CFG] vici client 1 requests: load-shared
> Wed, 2017-11-29 10:59 07[CFG] loaded EAP shared key with id 'eap-bls at mydomain.net' for: '%any'
This basically caused the first of these secrets to get used for all
clients.
I pushed a fix to the swanctl-enumerate-kv branch (for connections and
their subsections dots still can't be used, though).
As a workaround don't use any dots in these section names.
Regards,
Tobias
More information about the Users
mailing list