[strongSwan] Strongswan-IKEv2-Android-Client: How to config for EAP-GTC ONLY Authentication Method, and Require clarification on other EAP methods config

Tobias Brunner tobias at strongswan.org
Fri Sep 29 14:29:22 CEST 2017


Hi Rajiv,

> - Observed that the client responds with EAP-MD5 as the method when
> queried by server

It responds with whatever EAP method the RADIUS server initiated, as
long as it supports it.  Only if it doesn't support the initiated method
will it respond with an EAP-Nak and request a different method from the
server (i.e. it sends a list of the methods it supports so the server
can pick and initiate another one).

> - My query for this menu-item is
> 
> a) How to enable/configure the this client to send or use ONLY
> EAP-MSCHAPv2 as the method for user-authentication

Change the RADIUS server config so it initiates EAP-MSCHAPv2, if that's
what you want to use.

> b) The same server connection entry is used for Windows-IKEv2 client and
> here MSCHAPv2 is used and successfully authenticated by the same
> radius-server

Windows probably only supports EAP-MSCHAPv2, so I guess it will reject
EAP-MD5 and request that the server initiate EAP-MSCHAPv2.

> c) So I am assuming here that we need to do something at the client-end only

No, the EAP method is initiated by the server.

> d) - I am assuming, as per what I have read, that EAP-GTC requires a PEAP
> tunnel (to radius-server)...

It does not require it; the client actually does not support EAP-PEAP
currently.  EAP-GTC is sent securely within IKEv2, but clear to the
RADIUS server, so make sure the connection between VPN and RADIUS server
is secure.

> Observation and query is that this menu-item can only be supported by a
> Strongswan-server configured specifically with rightauth2...This
> method is NOT so prevalent or used in any other interoperable
> VPN-servers as far as I know...

Only servers supporting RFC 4739 will be interoperable with this
authentication method.  The client will authenticate with a certificate
during the first round and expect EAP authentication during the second.

> 4. IKEv2 EAP-TNC (username/passwd)
> 
> when i tried this with standard server config for EAP-TLS...radius was
> actually trying EAP-TTLS...or something like that
> 
> - effectively this seems to work with EAP-TTLS...so what is the required
> configuration on server to use this menu selection?

See [1].

> In summary, my main query (among other queries above) is how to
> configure strongswan server and this client to use EAP-GTC...using
> Radius-server for AAA

You don't have to configure the client or the strongSwan server but the
RADIUS server, since it's the one initiating the EAP method.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect#Android-BYOD-Security-based-on-the-TNC-framework
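The following is an added example, not code from strongSwan, the Android client or any RADIUS server. It models the two behaviours described in the reply above at the EAP layer (RFC 3748): the authenticator (the RADIUS server, reached through the IKEv2 gateway) initiates a method, the peer answers that method if it supports it, and otherwise sends a legacy Nak (Type 3) listing the methods it does support, from which the server picks another. Only EAP-MD5's first Response is computed as the RFC specifies; for the other methods the first Response carries an empty placeholder, since only method selection is being modelled. The username, password, challenge bytes and the server's supported-method set are constructed placeholders.

```python
"""EAP method selection between an IKEv2 peer and a RADIUS authenticator.

Constructed example (not strongSwan or RADIUS code).  Shows RFC 3748 framing,
the server-initiated method, and the legacy Nak a peer sends when it does not
support the method the server started with.
"""
import hashlib
import struct

# RFC 3748 codes and a few method type numbers
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_GTC, TYPE_TLS, TYPE_MSCHAPV2 = 1, 3, 4, 6, 13, 26
NAMES = {TYPE_MD5: "EAP-MD5", TYPE_GTC: "EAP-GTC", TYPE_TLS: "EAP-TLS",
         TYPE_MSCHAPV2: "EAP-MSCHAPv2"}


def build_eap(code, ident, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type or None, type-data); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_challenge_response(ident, password, challenge, name):
    # RFC 3748 section 5.4: Value-Size, Value = MD5(Identifier || secret || challenge), Name
    value = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([len(value)]) + value + name


def client_respond(request, supported, password=b"", name=b""):
    """Peer side: answer the initiated method, or Nak with the methods we support.

    `supported` is a tuple of type numbers in the peer's preference order.
    """
    code, ident, type_, data = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("peer only answers Requests")
    if type_ not in supported:
        # Legacy Nak (RFC 3748 section 5.3.1): one byte per acceptable method
        return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(supported))
    if type_ == TYPE_MD5:
        challenge = data[1:1 + data[0]]
        return build_eap(EAP_RESPONSE, ident, TYPE_MD5,
                         md5_challenge_response(ident, password, challenge, name))
    # Other methods: first Response would carry method-specific data; omitted here
    return build_eap(EAP_RESPONSE, ident, type_, b"")


def server_negotiate(initial_type, server_types, client_supported, challenge=b"\x00" * 16):
    """Authenticator side: initiate `initial_type`; on Nak pick a common method.

    Returns (agreed type or None, list of trace strings describing the exchange).
    """
    trace, ident, type_ = [], 1, initial_type
    while True:
        data = bytes([len(challenge)]) + challenge if type_ == TYPE_MD5 else b""
        req = build_eap(EAP_REQUEST, ident, type_, data)
        trace.append(f"server -> Request {NAMES.get(type_, type_)}")
        # constructed peer credentials
        resp = client_respond(req, client_supported, b"secret", b"user")
        code, rid, rtype, rdata = parse_eap(resp)
        if rid != ident or code != EAP_RESPONSE:
            raise ValueError("unexpected response")
        if rtype == TYPE_NAK:
            trace.append(f"client -> Nak, offers {[NAMES.get(t, t) for t in rdata]}")
            wanted = [t for t in rdata if t in server_types]
            if not wanted:
                trace.append("server -> Failure")
                return None, trace
            type_, ident = wanted[0], ident + 1
            continue
        trace.append(f"client -> Response {NAMES.get(rtype, rtype)}")
        return rtype, trace


if __name__ == "__main__":
    server = {TYPE_MD5, TYPE_MSCHAPV2}
    # Peer supporting many methods simply answers what the server started with
    print(server_negotiate(TYPE_MD5, server, (TYPE_MD5, TYPE_GTC, TYPE_MSCHAPV2, TYPE_TLS)))
    # Peer supporting only MSCHAPv2 Naks the MD5 request and gets MSCHAPv2 instead
    print(server_negotiate(TYPE_MD5, server, (TYPE_MSCHAPV2,)))
    # No common method: server gives up
    print(server_negotiate(TYPE_MD5, server, (TYPE_TLS,)))
```

The first run reproduces the observation in the thread: a peer that supports EAP-MD5 never Naks it, so the only lever for getting EAP-MSCHAPv2 or EAP-GTC is the method the RADIUS server initiates. The second run shows why a client limited to one method appears to "choose" it. Note also that the GTC and MD5 Type-Data here is plain bytes inside the EAP payload, which is why the reply insists on protecting the path between the VPN gateway and the RADIUS server.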