[strongSwan] swanctl.conf EAP credential information

Tobias Brunner tobias at strongswan.org
Thu Nov 30 17:49:43 CET 2017


Hi,

The problem are the dots in the section names of your EAP secrets.  For
instance:

  eap-user1 at mydomain.com {
    id = user1 at mydomain.com
    secret=secret1
  }

When enumerating the id... keys in these sections the current section
name was written to a string buffer instead of using the parameter
evaluation provided by settings_t.  All dots in strings are interpreted
as section separators so the dot there caused a lookup of the section:

  eap-user1 at mydomain {
    com {
      ...
    }
  }

But since that doesn't exist no id... key was found in this section and
the secrets were not associated with any identities:

> Wed, 2017-11-29 10:59 07[CFG] vici client 1 requests: load-shared
> Wed, 2017-11-29 10:59 07[CFG] loaded EAP shared key with id 'eap-bls at mydomain.net' for: '%any'

This basically caused the first of these secrets to get used for all
clients.

I pushed a fix to the swanctl-enumerate-kv branch (for connections and
their subsections dots still can't be used, though).

As a workaround don't use any dots in these section names.

Regards,
Tobias


More information about the Users mailing list