[strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

Tobias Brunner tobias at strongswan.org
Tue Feb 27 11:44:57 CET 2018


Hi Trevor,

> Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> trustworthy in an ikev2 / eap-tls / user certs connection scenario?
> What I mean by that, is can it be selected, set, or spoofed by the
> client?

Yes, it's trustworthy.  While the client can send an arbitrary value, it
has to match an identity in the certificate (either the subject DN or a
SAN).

> What I'm worried about, is that PLUTO_XAUTH_ID is trivially
> user-definable and not verified through the cert chain; for instance
> being pulled out of the debug log line below:
> 
> Feb 27 01:12:35 pog charon: 10[IKE] received EAP identity 'trevor@foo.com'
> 
> As that line appears before the cert lines I list above, I'm worried
> that it's not verified against the certs.

Yes, the EAP-Identity exchange precedes the EAP-TLS exchange; however,
the identity is carried over and is verified against the certificate.

> So I then tried user certs to select on EAP identity in the user cert.
> Set that up then finally found a couple of emails/sites that said
> strongswan can't switch conns based on identity.

That's not entirely true.  If you delegate the authentication to a
RADIUS server it can send back class attributes that strongSwan can use
to select configs (via rightgroups=<class>).  That makes it easy to use
different configs for multiple groups of users.

But even without RADIUS you can match configs against EAP identities.
It requires a dummy config that requests the EAP identities from the
clients, though.  Let's say you have two clients, one is trevor@foo.com
and one is carol@foo.com, then you may configure the following:

  conn eap-tls-shared
     # options shared by all clients, e.g.
     leftcert=...
     rightauth=eap-tls

  conn eap-tls-base
     also=eap-tls-shared
     # this config is used to do the EAP-Identity exchange and the
     # authentication of client and server
     eap_identity=%identity
     # the following is used to force a connection switch after
     # the authentication completed
     rightgroups=<any string that is not used as group/class>
     auto=add

  conn eap-tls-trevor
     also=eap-tls-shared
     eap_identity=trevor@foo.com
     # any options that only apply to trevor follow here
     auto=add

  conn eap-tls-carol
     also=eap-tls-shared
     eap_identity=carol@foo.com
     # any options that only apply to carol follow here
     auto=add

If carol connects now you'd see something like this in the log:

> [IKE] authentication of '..., CN=carol@foo.com' with EAP successful
> [CFG] constraint check failed: group membership to '<value of rightgroups in eap-tls-base>' required
> [CFG] selected peer config 'eap-tls-base' inacceptable: non-matching authentication done
> [CFG] switching to peer config 'eap-tls-trevor'
> [CFG] constraint check failed: EAP identity 'trevor@foo.com' required
> [CFG] selected peer config 'eap-tls-trevor' inacceptable: non-matching authentication done
> [CFG] switching to peer config 'eap-tls-carol'
> ...
> IKE_SA eap-tls-carol[1] established between ...

Regards,
Tobias
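
The original question was about consuming PLUTO_XAUTH_ID from an updown script. The following is an added example, not part of Tobias's reply and not strongSwan's own _updown script: a dry-run helper that derives a per-user firewall chain from the identity charon has already verified against the client certificate. PLUTO_VERB and PLUTO_XAUTH_ID are the variables named in the thread; PLUTO_PEER_SOURCEIP (the client's virtual IP) is assumed to be set by charon as in strongSwan's updown interface. The identities, chain names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not Tobias's code, not strongSwan's _updown): derive a
# per-user firewall policy from PLUTO_XAUTH_ID in an updown script.
# charon has already checked the identity against the client cert's
# subject DN or a SAN, but it is still an externally supplied string,
# so it is always quoted and matched against an explicit allowlist
# before it influences a command.  Identities, chains and addresses
# below are constructed for the example.

# Map an authenticated EAP identity to a firewall chain.  Unknown
# identities land in a default chain instead of being interpolated
# into a rule.
policy_for_identity() {
    case "$1" in
        trevor@foo.com) echo "vpn-trevor" ;;
        carol@foo.com)  echo "vpn-carol" ;;
        *)              echo "vpn-default" ;;
    esac
}

# Build the iptables command for one PLUTO_VERB.  Only the client-tunnel
# verbs are handled; any other verb yields no command.
# Arguments: verb, identity, client virtual IP (PLUTO_PEER_SOURCEIP).
updown_rule() {
    verb=$1 ident=$2 src=$3
    chain=$(policy_for_identity "$ident")
    case "$verb" in
        up-client)   action=-I ;;
        down-client) action=-D ;;
        *)           return 0 ;;
    esac
    printf 'iptables %s FORWARD -s %s -j %s\n' "$action" "$src" "$chain"
}

# When invoked by charon as the real updown script these variables are
# set in the environment; the command is printed here (dry run) rather
# than executed.
if [ -n "$PLUTO_VERB" ]; then
    updown_rule "$PLUTO_VERB" "$PLUTO_XAUTH_ID" "$PLUTO_PEER_SOURCEIP"
fi
```

To turn the dry run into a live script, replace the printf with the iptables invocation itself (keeping the quoting) and point leftupdown= at the file; the per-identity conn switch shown above ensures an identity reaching this script has both been proven by the certificate and matched an explicit eap_identity.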

