Re: [strongSwan-dev] [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Adding option (3) here.

3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id)

Which of the following identities, (1), (2) or (3), is used to fetch the private
key in EAP_TLS authentication?


On Tue, Oct 11, 2016 at 7:28 AM, Ravi Kanth Vanapalli <
vvnrk.vanapa...@gmail.com> wrote:

> Sure Andreas. Thank you for this valuable input. I will give it a try.
>
> Could you please confirm the difference between 1 and 2 below
>
> 1) auth->add(auth, AUTH_RULE_IDENTITY, id);
> 2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);
>
> My understanding is that (1) is used to fill the IDi in the first IKE_AUTH
> message.
> Second one is used for Identity verification in EAP methods.  e.g. EAP-TLS
> uses identity added in AUTH_RULE_EAP_IDENTITY for fetching the private
> certificate.
> (1) and (2) can be different.
>
> Kindly confirm that my understanding is correct.
>
> Thanks,
> Ravikanth
>
> On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
>
>> Hi Ravi,
>>
>> why don't you use the eap_identity parameter?
>>
>> Regards
>>
>> Andreas
>>
>> On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
>> > Hi all,
>> >
>> > I have a situation wherein I need to alter the IDi slightly before the
>> > EAP-TLS authentication proceeds. I.e. IDi in the first IKE_AUTH message
>> > should be different to IDi to be used for user private key lookup in the
>> > EAP-TLS user authentication.
>> >
>> > I see that the API 'eap_tls_create_peer' is being used, to initialize
>> > the peer identity in TLSplugin.
>> > This is being registered with plugin eap_tls_plugin.c
>> >
>> > I am finding it difficult to know which module calls this API
>> > eap_tls_create_peer to initialize EAP TLS peer identity.
>> >
>> > Kindly provide any inputs regarding my issue.
>> >
>> > Thank you very much.
>> >
>> > --
>> > Regards,
>> > RaviKanth
>>
>> ==
>> Andreas Steffen andreas.stef...@strongswan.org
>> strongSwan - the Open Source VPN Solution!  www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===[ITA-HSR]==
>>
>>
>
>
> --
> Regards,
>
> RaviKanth VN Vanapalli
> Email: vvnrk.vanapa...@gmail.com
>



-- 
Regards,

RaviKanth VN Vanapalli
___
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev

Re: [strongSwan-dev] [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Sure Andreas. Thank you for this valuable input. I will give it a try.

Could you please confirm the difference between 1 and 2 below

1) auth->add(auth, AUTH_RULE_IDENTITY, id);
2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);

My understanding is that (1) is used to fill the IDi in the first IKE_AUTH
message.
Second one is used for Identity verification in EAP methods.  e.g. EAP-TLS
uses identity added in AUTH_RULE_EAP_IDENTITY for fetching the private
certificate.
(1) and (2) can be different.

Kindly confirm that my understanding is correct.

Thanks,
Ravikanth

On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Ravi,
>
> why don't you use the eap_identity parameter?
>
> Regards
>
> Andreas
>
> On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
> > Hi all,
> >
> > I have a situation wherein I need to alter the IDi slightly before the
> > EAP-TLS authentication proceeds. I.e. IDi in the first IKE_AUTH message
> > should be different to IDi to be used for user private key lookup in the
> > EAP-TLS user authentication.
> >
> > I see that the API 'eap_tls_create_peer' is being used, to initialize
> > the peer identity in TLSplugin.
> > This is being registered with plugin eap_tls_plugin.c
> >
> > I am finding it difficult to know which module calls this API
> > eap_tls_create_peer to initialize EAP TLS peer identity.
> >
> > Kindly provide any inputs regarding my issue.
> >
> > Thank you very much.
> >
> > --
> > Regards,
> > RaviKanth
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>
>


-- 
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapa...@gmail.com

Re: [strongSwan-dev] [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
Hi Ravi,

why don't you use the eap_identity parameter?

Regards

Andreas

On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
> Hi all,
> 
> I have a situation wherein I need to alter the IDi slightly before the
> EAP-TLS authentication proceeds. I.e. IDi in the first IKE_AUTH message
> should be different to IDi to be used for user private key lookup in the
> EAP-TLS user authentication.
> 
> I see that the API 'eap_tls_create_peer' is being used, to initialize
> the peer identity in TLSplugin.
> This is being registered with plugin eap_tls_plugin.c 
> 
> I am finding it difficult to know which module calls this API
> eap_tls_create_peer to initialize EAP TLS peer identity. 
> 
> Kindly provide any inputs regarding my issue.
> 
> Thank you very much.
> 
> -- 
> Regards,
> RaviKanth

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
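
Added example, not part of the thread and not taken from the strongSwan sources: a client-side ipsec.conf fragment showing the eap_identity parameter Andreas refers to, set to a value different from the IKEv2 identity. The connection name, identities, host names and certificate file are constructed placeholders.

```conf
# /etc/ipsec.conf, client side. All names and values are constructed placeholders.
conn eap-tls-client
    keyexchange=ikev2
    left=%any
    leftauth=eap-tls
    # IKEv2 identity: sent as IDi in the first IKE_AUTH message
    leftid=device01@example.org
    # Identity the client returns in its EAP-Identity response;
    # if this line is omitted, the IKEv2 identity (leftid) is used instead
    eap_identity=user01@example.org
    # Client certificate offered in the EAP-TLS handshake
    leftcert=user01Cert.pem
    # Identity of the AAA backend, needed when the EAP method verifies
    # the server (as EAP-TLS does) and it differs from the gateway's rightid
    aaa_identity="C=CH, O=Example, CN=aaa.example.org"
    right=gw.example.org
    rightid=gw.example.org
    rightauth=pubkey
    auto=add
```

On the gateway side, eap_identity=%identity makes the server run the EAP-Identity exchange and ask the client for this value instead of reusing the IKEv2 identity.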


