Hello Christophe,

have a look at our EAP-SIM with EAP-Identity via EAP-radius example scenario:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/

Client "carol" defines both an IKEv2 and an EAP identity in ipsec.conf:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/carol.ipsec.conf

Gateway "moon" defines rightid with a wildcard (could also be %any)
and eap_identity=%any

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.ipsec.conf

What you probably forgot and causes the following error message

> 13[IKE] EAP-Identity request configured, but not supported

to be issued, is to load the eap-identity plugin on the server:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.strongswan.conf

The command "ipsec statusall" should list the eap-identity plugin.

Best regards

Andreas

On 02/24/2011 03:42 PM, Christophe Gouault wrote:
> Hi all,
>
> I am currently doing IKEv2+EAP tests, using charon for both the client
> (EAP supplicant) and the server (EAP authenticator).
> The version of strongSwan I use is 4.3.6.
>
> - the client side is configured to do EAP-AKA
> - the server side is configured to do EAP-radius
> - a radius server performs the EAP authentication
>
> I can successfully establish an IKE negotiation, but the EAP identity of
> the client is always set to its IKE identity (rightid field) instead of
> its configured EAP identity (eap_identity field).
>
> I tried various configurations:
>
> * the server is expected to ask the client for its EAP identity:
>
> client:
> leftid=@clientfqdn
> right=@serverfqdn
> eap_identity=0111222333444555
>
> server:
> leftid=@serverfqdn
> rightid=%any
> eap_identity=%
>
> * the server hardcodes the client identity:
> client:
> leftid=@clientfqdn
> right=@serverfqdn
> eap_identity=0111222333444555
>
> server:
> leftid=@serverfqdn
> rightid=%any
> eap_identity=0111222333444555
>
> * I also tried to not specify the leftid, but the identity sent to the
> radius server is random data.
>
> I always have the same error message on the server:
> 13[IKE] EAP-Identity request configured, but not supported
> 13[IKE] initiating EAP_RADIUS method
>
> and the client IKE id (clientfqdn) is sent to the radius server for the
> authentication, instead of the client eap_identity (0111222333444555). I
> must set the client leftid to 0111222333444555 for the EAP
> authentication to succeed.
>
> Therefore, I am wondering if this eap_identity specification is actually
> supported?
> Am I doing something wrong?
>
> I can give the full configuration on demand.
>
> Regards,
> Christophe

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
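
A configuration check for the mismatch discussed in this thread, added here as an example (it is not code from strongSwan or from either poster): it reports every `conn` in ipsec.conf that sets `eap_identity` while charon's plugin list in strongswan.conf lacks `eap-identity`. It assumes strongswan.conf carries an explicit `load =` line in its `charon` section; the function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample inputs, not the files from the linked test scenario.
IPSEC_CONF = """\
conn rw-eap
    leftid=@serverfqdn
    rightid=%any
    eap_identity=%any
"""
LOAD_BAD = "charon {\n  load = aes sha1 hmac stroke kernel-netlink eap-radius updown\n}\n"
LOAD_OK = LOAD_BAD.replace("eap-radius", "eap-radius eap-identity")

def conns_with_eap_identity(ipsec_conf):
    """Names of conn sections in ipsec.conf that set eap_identity."""
    found, current = [], None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():              # unindented line starts a section
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
        elif current and re.match(r"\s+eap_identity\s*=", line):
            found.append(current)
    return found

def charon_load_list(strongswan_conf):
    """Plugins on charon's explicit 'load =' line, or None if there is none."""
    section = re.search(r"^\s*charon\s*\{(.*)\}", strongswan_conf, re.S | re.M)
    if not section:
        return None
    load = re.search(r"^\s*load\s*=\s*(.+)$", section.group(1), re.M)
    return load.group(1).split() if load else None

def check(ipsec_conf, strongswan_conf):
    """Warnings for conns using eap_identity while eap-identity is not loaded."""
    plugins = charon_load_list(strongswan_conf)
    if plugins is None or "eap-identity" in plugins:
        return []          # no explicit list to judge, or plugin present
    return [f"conn {name}: eap_identity is set but charon does not load eap-identity"
            for name in conns_with_eap_identity(ipsec_conf)]

if __name__ == "__main__":
    for conf in (LOAD_BAD, LOAD_OK):
        print(check(IPSEC_CONF, conf) or "ok")
```

On a running gateway, the output of "ipsec statusall" remains the authoritative list of loaded plugins, as the reply above notes.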
