[strongSwan] Strongswan-IKEv2-Android-Client: How to config for EAP-GTC ONLY Authentication Method, and Require clarification on other EAP methods config

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Sep 29 13:25:10 CEST 2017


Hello

I have been using the Android-Strongswan-IKEv2-Client (on an Android-v5.1
Motorola-E series 3G phone)...

- with FreeRadius-server-v3.x for AAA authentication of the vpn clients.
- The Strongswan-v5.5.1 is running on an Ubuntu-14x-LTS host
- I also have some hosts in the lan-side of the VPN-server to which the
clients connect after the tunnel is up.

The usage topology-setup is as below

(freeradius-server)----(lan)[Strongswan-server](wan)-----internet------[Android-Phone]

- I am using "rightauth=eap-radius" and "eap_identity=%any" always
- I am also using "leftsendcert=always" and "rightsendcert=never" for all
EAP-based server connection entries

I have some queries on using the supported EAP methods on this client

The data/support-info says this client supports
EAP-MD5/EAP-MSCHAPv2/EAP-GTC/EAP-TLS (and also there is an EAP-TNC method
which seems to be EAP-TTLS as per the observations on the Radius-server
log-traces)

Now in the Strongswan-IKEv2 client-menu the following are available for
selection, and I tried each of them (my observations and queries
are listed under each menu-item)


1. IKEv2-EAP (username/password)

- Here there is NO client-cert used
- only point to the imported CA-cert (that signed the Server-cert)
- Username-Password authenticated by FreeRadius-server
- Tunnel is successfully established & UP.

- Observed that the client responds with EAP-MD5 as the method when queried
by server

- My queries for this menu-item are

a) How to enable/configure this client to send or use ONLY EAP-MSCHAPv2
as the method for user-authentication
b) The same server connection entry is used for Windows-IKEv2 client and
here MSCHAPv2 is used and successfully authenticated by the same
radius-server
c) So I am assuming here that we need to do something at the client-end only

d) I am assuming, as per what I have read, that EAP-GTC requires a PEAP tunnel
(to the radius-server)...so is this the menu where I can use PEAP WITH EAP-GTC?


3. IKEv2 Certificate + EAP (username/password)

- What exactly is this menu for? I mean what type of IKEv2-authentication does
this support?

- When I configure this menu selection...what should be the config on the
server side?

- The requirement to mandatorily configure/select a client-cert on this
client + username-passwd makes it look like multi-authentication, and I
therefore configured the below options on the Strongswan server

-----------------
leftauth=pubkey
rightauth=pubkey
rightauth2=eap-radius
leftid=<vpnsrvgw1.test.net>
rightid=*@test.net
eap_identity=%any
------------------------

- And it worked very nicely....The Tunnel is established successfully after
the EAP-MD5 username-auth was also validated by the radius server

My observation and query is that this menu-item can only be supported by a
Strongswan-server configured specifically with rightauth2...This method is
NOT so prevalent or used in any other interoperable VPN-servers as far as I
know...


4. IKEv2 EAP-TNC (username/passwd)

When I tried this with the standard server config for EAP-TLS...radius was
actually trying EAP-TTLS...or something like that

- effectively this seems to work with EAP-TTLS...so what is the required
configuration on server to use this menu selection?


In summary, my main query (among other queries above) is how to configure
strongswan server and this client to use EAP-GTC...using Radius-server for
AAA

thanks & regards
Rajiv
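Added example (not from the post, and not the strongSwan project's or FreeRADIUS's own configuration): the server-side pieces of the eap-radius setup described above, with the knob that answers query (a). With rightauth=eap-radius, strongSwan only relays EAP between the client and the RADIUS server; the method the client is offered is chosen by FreeRADIUS's eap module, whose shipped default is md5, which is why the Android client was seen answering with EAP-MD5 and why no client-side setting is needed to change it. Hostnames, addresses, certificate file names and the shared secret are placeholders; only the options shown are set, everything else stays at its default.

```conf
# --- /etc/ipsec.conf on the strongSwan gateway (placeholder names) ---
conn android-eap-radius
    keyexchange=ikev2
    left=%any
    leftid=vpnsrvgw1.test.net        # must match the server certificate (SAN)
    leftcert=vpnsrvgw1Cert.pem       # placeholder certificate file name
    leftsendcert=always              # client has only the CA cert, so always send ours
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=*@test.net
    rightsendcert=never              # no client certificate for the EAP-only menu
    rightauth=eap-radius             # relay EAP to RADIUS; strongSwan does not pick the method
    eap_identity=%any                # run an EAP-Identity exchange and accept any identity
    auto=add

# --- /etc/strongswan.d/charon/eap-radius.conf (included inside charon.plugins) ---
eap-radius {
    server = 10.0.0.2                # placeholder: the FreeRADIUS host on the LAN side
    secret = ChangeMeSharedSecret    # placeholder: must match clients.conf below
}

# --- /etc/freeradius/clients.conf on the RADIUS server ---
client strongswan-gw {
    ipaddr = 10.0.0.1                # placeholder: the gateway's LAN-side address
    secret = ChangeMeSharedSecret    # placeholder
}

# --- /etc/freeradius/mods-available/eap on the RADIUS server ---
eap {
    # The method FreeRADIUS proposes first. The shipped file sets md5;
    # setting mschapv2 here makes the client authenticate with EAP-MSCHAPv2
    # (the user needs a Cleartext-Password or NT-Password in the user store).
    default_eap_type = mschapv2
    mschapv2 {
    }
    # gtc is the stanza that would select EAP-GTC instead via default_eap_type.
    # The shipped file's comments describe it as intended for use inside an
    # EAP-TTLS/PEAP tunnel, because the response is the password itself and
    # would travel to the RADIUS server as a clear-text EAP-Message.
    gtc {
        challenge = "Password: "
        auth = PAP
    }
}
```

A client that does not implement the proposed method answers with an EAP NAK, so after changing default_eap_type the RADIUS debug output (radiusd -X) is the quickest place to confirm which method was actually negotiated.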