Hi all,

I am currently doing IKEv2+EAP tests, using charon for both the client (EAP supplicant) and the server (EAP authenticator). The version of strongSwan I use is 4.3.6.

- the client side is configured to do EAP-AKA
- the server side is configured to do EAP-radius
- a radius server performs the EAP authentication

I can successfully establish an IKE negotiation, but the EAP identity of the client is always set to its IKE identity (rightid field) instead of its configured EAP identity (eap_identity field).

I tried various configurations:

* the server is expected to ask the client for its EAP identity:

    client:
      leftid=@clientfqdn
      right=@serverfqdn
      eap_identity=0111222333444555
    server:
      leftid=@serverfqdn
      rightid=%any
      eap_identity=%

* the server hardcodes the client identity:

    client:
      leftid=@clientfqdn
      right=@serverfqdn
      eap_identity=0111222333444555
    server:
      leftid=@serverfqdn
      rightid=%any
      eap_identity=0111222333444555

* I also tried to not specify the leftid, but the identity sent to the radius server is random data.

I always have the same error message on the server:

    13[IKE] EAP-Identity request configured, but not supported
    13[IKE] initiating EAP_RADIUS method

and the client IKE id (clientfqdn) is sent to the radius server for the authentication, instead of the client eap_identity (0111222333444555).

I must set the client leftid to 0111222333444555 for the EAP authentication to succeed.

Therefore, I am wondering if this eap_identity specification is actually supported? Am I doing something wrong?

I can give the full configuration on demand.

Regards,
Christophe
