[strongSwan] eap-dynamic (eap-tls, eap-mschapv2) and cacerts constraints
Andreas Weigel
andreas.weigel at securepoint.de
Fri Aug 5 21:44:37 CEST 2022
Hi everyone,
I have a setup in which a gateway uses eap-dynamic to authenticate
clients using either eap-mschapv2 or eap-tls, basically the same as
https://www.strongswan.org/testing/testresults/ikev2/rw-eap-dynamic/.
Now, if I try to specify the cacerts parameter in the remote section
of the connection to restrict the accepted certificates for clients
using eap-tls, clients can no longer connect using eap-mschapv2:
2022-08-05T15:08:29.910-04:00|charon||10[IKE] <hc_gw_eap|1> authentication of 'test' with EAP successful
2022-08-05T15:08:29.912-04:00|charon||10[CFG] <hc_gw_eap|1> constraint check failed: peer not authenticated by CA '[...]'
With the cacerts parameter removed, the connection works.
Is this intended behavior? On first glance, it would make sense to me
to be able to use the cacerts (or certs) constraint to restrict
eap-dynamic->eap-tls clients to that one CA in the presence of
multiple connections on the same device that may use a different CA or
certificates.
Kind regards,
Andreas