[strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username

Stefan Hartmann stefanh at hafenthal.de
Thu Mar 5 10:58:25 CET 2020


I tryed with the expr plugin to sanitize and mangle the User-Name sent 
from StrongSwan plugin eap-radius with EAP-TLS.

	update request {
                 &Tmp-String-8 := "%{escape:%{&User-Name}}"
                 &User-Name := &Tmp-String-8

but this leads to an senseful eap error in freeradius:
	(1) eap: Identity does not match User-Name, setting from EAP Identity
	1) eap: Failed in handler
	(1)     [eap] = invalid

Therefore if you will handle this raw parsed ASN.1-username from 
strongswan-plugin eap-radius you need far more effort.

Because of time constrainst I will run with the hack disabling the
whitespace and suffix checks.

But I have to replace many cisco ASAs with open source, therefore it 
would be nice if the strongswan developer can thought about suitable 
configuration options in eap-radius.conf.

Eg in cisco asa, in the tunnel-group you can select how the username 
sent to the AAA server is generated from the user certificate,
	 username-from-certificate CN|OU|use-entire-name|use-script ..

Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann

On 03.03.20 21:04, Stefan Hartmann wrote:
> Hi,
> thank you for yout thoughts.
> Yes this is a workaround, I created policy.d/strongswan with 
> filter_username_custom in it.
> But it would be nice to have a readable and sanitized subject DN as 
> User-Name attribute.
> And what about proxying the request to another home-server with ASN.1 
> raw hex User-Name.
> Eventuelly I will test EAP-TLS with cisco IOS or ASA and look how they 
> mangle the username.

More information about the Users mailing list