[strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username

Stefan Hartmann stefanh at hafenthal.de
Thu Mar 5 17:34:44 CET 2020


UPDATE and SOLVED:

After some hints from Tobias Brunner in an opened Issue I found the 
solution for me. You can adjust the EAP identity the strongSwan-client 
is sending:

# vpn-gw
...
remote {
     auth = eap-radius
     id = "C = DE, O = ..."	# check the IKE identity
     eap_id = %any		# ASK the client for the eap-id
}

# rw
...
local {
     auth = eap-tls
     certs = testuser-ldap.cert.pem
     eap_id = testuser-ldap@hafenthal.de		# this ID arrives at the AAA server as (outer) User-Name
     aaa_id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = CA, CN = srv-kdc.hafenthal.de"
}


So no User-Name mangling is necessary for the outer ID on the FreeRADIUS 
side, and proxying and so on also works with EAP-TLS.

The real authn and authz are done with the certificate attributes, 
not the client-provided id.


-- 
stefanh
Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann


On 05.03.20 10:58, Stefan Hartmann wrote:
> UPDATE:
> 
> I tried with the expr plugin to sanitize and mangle the User-Name sent 
> from the strongSwan plugin eap-radius with EAP-TLS.
> 
> e.g.
>      ...
>      update request {
>                  &Tmp-String-8 := "%{escape:%{&User-Name}}"
>                  &User-Name := &Tmp-String-8
>      }
> 
> 
> but this leads to a senseful eap error in freeradius:
>      (1) eap: Identity does not match User-Name, setting from EAP Identity
>      (1) eap: Failed in handler
>      (1)     [eap] = invalid
> 
> 
> Therefore, if you want to handle this raw parsed ASN.1 username from the 
> strongSwan plugin eap-radius, you need far more effort.
> 
> Because of time constraints I will run with the hack disabling the
> whitespace and suffix checks.
> 
> But I have to replace many Cisco ASAs with open source, therefore it 
> would be nice if the strongSwan developers could think about suitable 
> configuration options in eap-radius.conf.
> 
> E.g. in Cisco ASA, in the tunnel-group you can select how the username 
> sent to the AAA server is generated from the user certificate:
>       username-from-certificate CN|OU|use-entire-name|use-script ..
> 
> 

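The gateway and roadwarrior fragments above, written out as complete swanctl.conf connections plus the eap-radius server definition the gateway needs. This is an added example, not Stefan's configuration: addresses, certificate file names, the gateway identity vpn.example.org, the client-org placeholder and the RADIUS secret are assumptions; the eap_id and aaa_id values are the ones from the post.

```conf
# --- gateway (vpn-gw): /etc/swanctl/swanctl.conf ---
connections {
    rw-eap-tls {
        version = 2
        local_addrs = 203.0.113.10        # assumed gateway address
        local {
            auth = pubkey
            certs = vpn-gw.cert.pem       # assumed gateway certificate
        }
        remote {
            auth = eap-radius
            id = "C = DE, O = <client-org>, CN = *"   # placeholder: expected client IKE identity
            eap_id = %any                 # ask the client for its EAP identity instead of deriving it from the cert DN
        }
        children {
            rw { local_ts = 10.0.0.0/24 } # assumed protected network
        }
    }
}

# --- gateway: /etc/strongswan.d/charon/eap-radius.conf ---
eap-radius {
    servers {
        freeradius {
            address = 192.0.2.5           # assumed FreeRADIUS address
            secret = <shared-secret>      # placeholder, use a long random value
            auth_port = 1812
        }
    }
}

# --- client (rw): /etc/swanctl/swanctl.conf ---
connections {
    vpn-gw {
        version = 2
        remote_addrs = 203.0.113.10       # assumed
        local {
            auth = eap-tls
            certs = testuser-ldap.cert.pem
            eap_id = testuser-ldap@hafenthal.de   # arrives at FreeRADIUS as the outer User-Name
            # server-side EAP identity to expect: subject of the RADIUS server's EAP-TLS certificate
            aaa_id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = CA, CN = srv-kdc.hafenthal.de"
        }
        remote {
            auth = pubkey
            id = vpn.example.org          # assumed gateway IKE identity (SAN in its certificate)
        }
        children { vpn-gw { remote_ts = 10.0.0.0/24 } }
    }
}
```

After `swanctl --load-all` on both sides, a `radiusd -X` trace on the FreeRADIUS host should show the Access-Request carrying the configured eap_id as User-Name rather than a DN, while authorization still keys off the certificate attributes.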
