Hello Lev,

Yes, configure the eap-dynamic plugin and use that as authentication method for the remote peer in the first (topmost) conn. It negotiates the EAP method. Check the configurations available on the UsableExamples[1] page.
Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 03.10.18 at 14:03, Lev Serebryakov wrote:
> I have several connection setups for IKEv2 in ipsec.conf:
>
> ===============================
> conn %default
> [...SKIPPED...]
>    # right - remote (client) side
>    right=%any
>    rightsendcert=never
>    rightsourceip=192.168.27.0/24,2001:19f0:5001:229c:dead::/96
>    rightdns=8.8.8.8,8.8.4.4
>
> conn ikev2-pubkey
>    keyexchange=ikev2
>    auto=add
>
> conn ikev2-eap-tls
>    also="ikev2-pubkey"
>    rightauth=eap-tls
>    eap_identity=%identity
>
> conn ikev2-mschap
>    also="ikev2-pubkey"
>    rightauth=eap-mschapv2
>    eap_identity=%identity
>
> conn ikev1-xauth
>    keyexchange=ikev1
>    rightauth=xauth
>    auto=add
> ===============================
>
> Such a config is shown in many tutorials. Different auth schemes are
> needed for different clients.
>
> But with this config I have a problem with Windows 10 clients: I want to
> use EAP-MSCHAPv2 for Windows clients (username/password auth, without
> client certs), but strongSwan offers the FIRST (EAP-TLS) scheme to the Windows
> client and authentication fails, as Windows reports that it could not find a
> compatible auth scheme.
>
> Is it possible to limit different schemes to different client types?
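To make the suggestion concrete, here is an added configuration example (written for this reply, not taken from the strongSwan wiki page linked above): a single IKEv2 conn whose remote side authenticates with eap-dynamic, plus the strongswan.conf block that tells the plugin which methods to offer and in which order. The `conn ikev2-eap` name, the left-side settings and the method list are constructed for illustration; the `charon.plugins.eap-dynamic.preferred` and `prefer_user` keys are the plugin's documented options, but verify their exact spelling against the strongswan.conf manual for your installed version.

```conf
# /etc/ipsec.conf (constructed example; one conn replaces the separate
# ikev2-eap-tls and ikev2-mschap conns from the quoted configuration)
conn ikev2-eap
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem          # placeholder name for the gateway certificate
    leftsubnet=0.0.0.0/0
    right=%any
    rightsendcert=never
    rightsourceip=192.168.27.0/24
    rightdns=8.8.8.8,8.8.4.4
    # eap-dynamic lets the client pick from the methods listed in
    # strongswan.conf instead of hard-wiring one EAP method per conn
    rightauth=eap-dynamic
    eap_identity=%identity
    auto=add

# /etc/strongswan.conf (constructed example)
charon {
    plugins {
        eap-dynamic {
            # Methods the server is willing to run, in server preference order.
            # The corresponding eap-mschapv2 and eap-tls plugins must be loaded.
            preferred = mschapv2, tls
            # With prefer_user = no the server proposes its own first choice
            # and switches only when the client NAKs it with a method that is
            # also in the list; set to yes to honour the client's request first.
            prefer_user = no
        }
    }
}
```

With this in place a Windows client that rejects EAP-TLS answers with an EAP-NAK naming EAP-MSCHAPv2, and the plugin switches to it, so both certificate-based and username/password clients can share one conn. After reloading, `ipsec statusall` should list the conn with `EAP_DYNAMIC` as the remote authentication, and a failed negotiation now appears in the charon log as the client's NAK followed by the method switch rather than as a flat "no compatible auth scheme" failure on the client side.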