Hi Andreas and Martin,

Thanks a lot, it now works as expected thanks to your advice.

Best Regards,
Christophe.

Andreas Steffen wrote:
> Hello Christophe,
>
> have a look at our EAP-SIM with EAP-Identity via EAP-radius
> example scenario:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/
>
> Client "carol" defines both an IKEv2 and an EAP identity in ipsec.conf:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/carol.ipsec.conf
>
> Gateway "moon" defines rightid with a wildcard (could also be %any)
> and eap_identity=%any
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.ipsec.conf
>
> What you probably forgot and causes the following error message
>
>> 13[IKE] EAP-Identity request configured, but not supported
>
> to be issued, is to load the eap-identity plugin on the server:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-id-radius/moon.strongswan.conf
>
> The command "ipsec statusall" should list the eap-identity plugin.
>
> Best regards
>
> Andreas
>
> On 02/24/2011 03:42 PM, Christophe Gouault wrote:
>> Hi all,
>>
>> I am currently doing IKEv2+EAP tests, using charon for both the client
>> (EAP supplicant) and the server (EAP authenticator).
>> The version of strongSwan I use is 4.3.6.
>>
>> - the client side is configured to do EAP-AKA
>> - the server side is configured to do EAP-radius
>> - a radius server performs the EAP authentication
>>
>> I can successfully establish an IKE negotiation, but the EAP identity of
>> the client is always set to its IKE identity (rightid field) instead of
>> its configured EAP identity (eap_identity field).
>>
>> I tried various configurations:
>>
>> * the server is expected to ask the client for its EAP identity:
>>
>> client:
>>     leftid=@clientfqdn
>>     right=@serverfqdn
>>     eap_identity=0111222333444555
>>
>> server:
>>     leftid=@serverfqdn
>>     rightid=%any
>>     eap_identity=%
>>
>> * the server hardcodes the client identity:
>> client:
>>     leftid=@clientfqdn
>>     right=@serverfqdn
>>     eap_identity=0111222333444555
>>
>> server:
>>     leftid=@serverfqdn
>>     rightid=%any
>>     eap_identity=0111222333444555
>>
>> * I also tried to not specify the leftid, but the identity sent to the
>> radius server is random data.
>>
>> I always have the same error message on the server:
>> 13[IKE] EAP-Identity request configured, but not supported
>> 13[IKE] initiating EAP_RADIUS method
>>
>> and the client IKE id (clientfqdn) is sent to the radius server for the
>> authentication, instead of the client eap_identity (0111222333444555). I
>> must set the client leftid to 0111222333444555 for the EAP
>> authentication to succeed.
>>
>> Therefore, I am wondering if this eap_identity specification is actually
>> supported?
>> Am I doing something wrong?
>>
>> I can give the full configuration on demand.
>>
>> Regards,
>> Christophe
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
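
Added example, not part of the original thread and not strongSwan's own code: a pre-deployment check for the misconfiguration diagnosed above, flagging every conn in ipsec.conf that sets eap_identity while the explicit charon load list in strongswan.conf lacks the eap-identity plugin. The sample configs and the function names are constructed for illustration, and the parsing assumes the flat layout used in the thread.

```python
import re

def charon_plugins(strongswan_conf):
    """Return the explicit charon plugin list, or None if no 'load =' line is set."""
    m = re.search(r"charon\s*\{[^{}]*?\bload\s*=\s*([^\n#]*)", strongswan_conf)
    return m.group(1).split() if m else None

def conns_with_eap_identity(ipsec_conf):
    """Map conn name -> eap_identity value for every conn that sets one."""
    found, current = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # header: "conn <name>" or "config setup"
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "eap_identity":
                found[current] = value
    return found

def check(ipsec_conf, strongswan_conf):
    """Return conns that set eap_identity while eap-identity is not in the load list."""
    plugins = charon_plugins(strongswan_conf)
    if plugins is None or "eap-identity" in plugins:
        return []                                 # no explicit list, or plugin present
    return sorted(conns_with_eap_identity(ipsec_conf))

# Constructed sample configs (not the files from the linked test scenario).
IPSEC_CONF = """\
config setup
    plutostart=no

conn rw-eap
    leftid=@serverfqdn
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    auto=add
"""
BROKEN = "charon {\n  load = aes sha1 hmac stroke kernel-netlink eap-radius updown\n}\n"
FIXED = "charon {\n  load = aes sha1 hmac stroke kernel-netlink eap-radius eap-identity updown\n}\n"

if __name__ == "__main__":
    print("without plugin:", check(IPSEC_CONF, BROKEN))
    print("with plugin:   ", check(IPSEC_CONF, FIXED))
```

On a running gateway, the "ipsec statusall" plugin listing mentioned in the reply remains the authoritative check; this script only catches the mismatch in the files before they are deployed.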
