[strongSwan] Strongswan-IKEv2-Android-Client: How to config for EAP-GTC ONLY Authentication Method, and Require clarification on other EAP methods config

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Oct 2 08:01:22 CEST 2017


Hello Tobias,

Yes. As per your advice, I set the default EAP method in the FreeRADIUS
server to GTC, and it works as required.

Now the Android strongSwan IKEv2 client [with the "IKEv2 EAP
(username/password)" menu item selected] is using the EAP-GTC method to
authenticate with the RADIUS server.

- For reference, for other users:

1. The location/file to set on the FreeRADIUS server is
   "/usr/local/etc/raddb/mods-enabled/eap".
2. The option to set is "default_eap_type = gtc" (the default/original
   setting will be "default_eap_type = md5").
3. In the strongSwan server config, continue to use
   "rightauth=eap-radius" (and "leftauth=pubkey"), as shown below:

===========================
conn WinAndrdClients_wEAP
        left=172.16.32.201
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.113.10-192.168.113.61
        # the gateway authenticates itself with its certificate
        leftauth=pubkey
        # clients authenticate via EAP, relayed by the eap-radius plugin
        rightauth=eap-radius
        leftcert=HubGwCert.pem
        leftid=HubGw.test.net
        rightid=%any
        # accept whatever EAP identity the client presents
        eap_identity=%any
        modeconfig=pull
        type=tunnel
        keyexchange=ikev2
        # trailing '!' marks the proposal as strict (no fallback to defaults)
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        auto=add
===========================


As for EAP-TNC, at this time it is going way over my head as far as
understanding the TNC architecture goes, so I will put in some time on this
topic to understand and learn. It seems interesting and an area to know for
future VPN deployments. I will refer to the link you mentioned.

Thank you so much for your help and advice.

With regards,
Rajiv

On Fri, Sep 29, 2017 at 5:59 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Rajiv,
>
> > - Observed that the client responds with EAP-MD5 as the method when
> > queried by server
>
> It responds with whatever EAP method the RADIUS server initiated, as
> long as it supports it.  Only if it doesn't support the initiated method
> will it respond with an EAP-Nak and request a different method from the
> server (i.e. it sends a list of the methods it supports so the server
> can pick and initiate another one).
>
> > - My query for this menu-item is
> >
> > a) How to enable/configure this client to send or use ONLY
> > EAP-MSCHAPv2 as the method for user authentication
>
> Change the RADIUS server config so it initiates EAP-MSCHAPv2, if that's
> what you want to use.
>
> > b) The same server connection entry is used for Windows-IKEv2 client and
> > here MSCHAPv2 is used and successfully authenticated by the same
> > radius-server
>
> Windows probably only supports EAP-MSCHAPv2, so I guess it will reject
> EAP-MD5 and request that the server initiate EAP-MSCHAPv2.
>
> > c) So I am assuming here that we need to do something at the client end
> > only
>
> No, the EAP method is initiated by the server.
>
> > d) I am assuming, as per what I have read, that EAP-GTC requires a PEAP
> > tunnel (to the RADIUS server)
>
> It does not require it, the client actually does not support EAP-PEAP
> currently.  EAP-GTC is sent securely within IKEv2, but clear to the
> RADIUS server, so make sure the connection between VPN and RADIUS server
> is secure.
>
> > Observation and query is that this menu item can only be supported by a
> > strongSwan server configured specifically with rightauth2. This
> > method is NOT so prevalent or used in any other interoperable
> > VPN servers as far as I know.
>
> Only servers supporting RFC 4739 will be interoperable with this
> authentication method.  The client will authenticate with a certificate
> during the first round and expect EAP authentication during the second.
>
> > 4. IKEv2 EAP-TNC (username/passwd)
> >
> > When I tried this with the standard server config for EAP-TLS, RADIUS was
> > actually trying EAP-TTLS, or something like that.
> >
> > Effectively this seems to work with EAP-TTLS, so what is the required
> > configuration on the server to use this menu selection?
>
> See [1].
>
> > In summary, my main query (among other queries above) is how to
> > configure strongswan server and this client to use EAP-GTC...using
> > Radius-server for AAA
>
> You don't have to configure the client or the strongSwan server but the
> RADIUS server, since it's the one initiating the EAP method.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect#Android-BYOD-Security-based-on-the-TNC-framework
>
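To make the negotiation Tobias describes concrete, here is an added example (it is not code from this post, from strongSwan or from FreeRADIUS): a small Python model in which the RADIUS side initiates an EAP method and the client either answers it or sends an EAP-Nak listing the methods it does support, after which the server initiates one of those. The packet layout follows RFC 3748 (Code, Identifier, Length, Type, Type-Data) and the method numbers (MD5-Challenge 4, GTC 6, MS-CHAPv2 26, Nak 3) are the registered values; the `RadiusServer` and `Client` classes, their supported-method lists, the `default_eap_type` attribute named after the FreeRADIUS option, and the one-byte placeholder challenge are all constructed for the example and model only the method selection, not the method dialogues themselves.

```python
import struct

# RFC 3748 codes and IANA-registered EAP method types
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_NAK = 3          # "legacy Nak": client declines the offered method
EAP_MD5 = 4          # MD5-Challenge
EAP_GTC = 6          # Generic Token Card
EAP_MSCHAPV2 = 26    # MS-CHAPv2


def build_eap(code, identifier, eap_type, data=b""):
    """Encode Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode a packet built by build_eap; returns (code, identifier, type, data)."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad EAP length")
    return code, identifier, pkt[4], pkt[5:]


class RadiusServer:
    """Constructed model of the RADIUS side: it chooses which method to initiate.
    default_eap_type is named after the FreeRADIUS option of the same name."""

    def __init__(self, default_eap_type, supported):
        self.default_eap_type = default_eap_type
        self.supported = list(supported)
        self.identifier = 0

    def initiate(self, eap_type):
        self.identifier = (self.identifier + 1) & 0xFF
        # A real method request carries a challenge; a one-byte placeholder suffices here.
        return build_eap(EAP_REQUEST, self.identifier, eap_type, b"\x00")

    def handle_nak(self, pkt):
        """Pick the first method the client asked for that we support, or None."""
        _, _, eap_type, desired = parse_eap(pkt)
        if eap_type != EAP_NAK:
            raise ValueError("expected an EAP-Nak")
        for wanted in desired:           # Nak data is a list of acceptable type numbers
            if wanted in self.supported:
                return self.initiate(wanted)
        return None                      # no common method: authentication fails


class Client:
    """Constructed model of the IKEv2 client: answers whatever was initiated if it can."""

    def __init__(self, supported):
        self.supported = list(supported)

    def handle_request(self, pkt):
        _, identifier, eap_type, _ = parse_eap(pkt)
        if eap_type in self.supported:
            # Accept: the method-specific dialogue would follow; omitted in this model.
            return build_eap(EAP_RESPONSE, identifier, eap_type)
        # Decline with a Nak listing the methods we do support, in preference order.
        return build_eap(EAP_RESPONSE, identifier, EAP_NAK, bytes(self.supported))


def negotiate(server, client, max_rounds=4):
    """Run initiate/Nak rounds; return (agreed_type or None, transcript).
    The transcript lists (sender, eap_type) for each packet exchanged."""
    transcript = []
    req = server.initiate(server.default_eap_type)
    for _ in range(max_rounds):
        transcript.append(("server", parse_eap(req)[2]))
        resp = client.handle_request(req)
        resp_type = parse_eap(resp)[2]
        transcript.append(("client", resp_type))
        if resp_type != EAP_NAK:
            return resp_type, transcript
        req = server.handle_nak(resp)
        if req is None:
            return None, transcript
    return None, transcript


if __name__ == "__main__":
    android = Client([EAP_MD5, EAP_GTC, EAP_MSCHAPV2])   # speaks all three
    windows = Client([EAP_MSCHAPV2])                      # MS-CHAPv2 only
    for default in (EAP_MD5, EAP_GTC):
        for name, client in (("android", android), ("windows", windows)):
            server = RadiusServer(default, [EAP_MD5, EAP_GTC, EAP_MSCHAPV2])
            print("default_eap_type", default, name, negotiate(server, client))
```

Running it with the default set to MD5 and a client that only speaks MS-CHAPv2 reproduces the Nak round trip Tobias expects from Windows (server offers 4, client Naks with [26], server initiates 26). Changing the server's default to GTC is the only thing that changes the Android client's first answer, which is why the fix lives in the RADIUS configuration and not on the client or the strongSwan gateway.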