Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
From the code it looks like the identity set using AUTH_RULE_EAP_IDENTITY is used only in the EAP Identity rounds. This identity is not being used for the id check in the API find_private_key in tls_peer.c. Thanks, Ravikanth On Tue, Oct 11, 2016 at 12:09 PM, Ravi Kanth Vanapalli < vvnrk.vanapa...@gmail.com

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Dear Andreas, Looks like my issue is not solved yet. I have modified the identity with the statement below (1) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id2); But still EAP-TLS is looking for the identity set with 1) auth->add(auth, AUTH_RULE_IDENTITY, id1); Can you please help me with this issue?

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Dear Andreas, Thank you for your valuable inputs. My issue is solved now. Thanks, Ravikanth On Tue, Oct 11, 2016 at 8:47 AM, Andreas Steffen < andreas.stef...@strongswan.org> wrote: > aaa_identity is used by an EAP client to verify the identity > in the TLS server certificate if it is differen

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
aaa_identity is used by an EAP client to verify the identity in the TLS server certificate if it is different from the IKEv2 server certificate. Regards Andreas On 11.10.2016 13:36, Ravi Kanth Vanapalli wrote: > Adding option (3) here. > > 3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id) > > Whi

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
Hi Ravi, yes, your understanding is correct. Regards Andreas On 11.10.2016 13:28, Ravi Kanth Vanapalli wrote: > Sure Andreas. Thank you for this valuable input. I will give it a try. > > Could you please confirm the difference between 1 and 2 below > > 1) auth->add(auth, AUTH_RULE_IDENTITY, id);

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Adding option (3) here. 3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id) Which of the following identities (1), (2) or (3) is used to fetch the private key in EAP_TLS authentication? On Tue, Oct 11, 2016 at 7:28 AM, Ravi Kanth Vanapalli < vvnrk.vanapa...@gmail.com> wrote: > Sure Andreas. Thank you for

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Sure Andreas. Thank you for this valuable input. I will give it a try. Could you please confirm the difference between 1 and 2 below 1) auth->add(auth, AUTH_RULE_IDENTITY, id); 2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id); My understanding is that (1) is used to fill the IDi in the first IKE_

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
Hi Ravi, why don't you use the eap_identity parameter? Regards Andreas On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote: > Hi all, > > I have a situation wherein I need to alter the IDi slightly before the > EAP-TLS authentication proceeds. I.e. IDi in the first IKE_AUTH message > should be diff