On Mon, Oct 22, 2012 at 5:37 PM, Tobias Brunner <[email protected]> wrote:
> Hi,
>
>>>> I'm wondering if IOS devices will allow rsasig over xauthrsasig.
>>>
>>> As far as I know, they don't.
>>
>> That being the case ... if I wanted to still use xauthrsasig would it
>> be feasible for me to patch strongswan (5.0.1) to use the "DN" of the
>> client cert as the uniqueness check without much effort?  Can you give
>> any pointers to accomplish this?
>
> You may revert commit 0fbfcf2a [1] to use the IKE identities in
> uniqueness checks.

Thanks.  That is a big help!

> But will your clients really all use the same XAuth
> credentials?

Yes.  I'm really only using xauth as a piece of red-tape because the
client (IOS) mandates it.  The client certificates will really
identify my users.  The CRL list will remove banned or expired users.

As a general point: perhaps my use-case is distorted somewhat but
would it make sense to have this uniqueness criterion as a
configuration option?

Furthermore, does it not make sense that in the "xauthrsasig" case
users should be considered unique on the DN *and* the xauth username?
I.e., on the basis that with "rsasig" it uses the DN to uniquely
identify people, in the "xauthrsasig" case should it not be both?

Sorry if this is off base.  Just thinking out loud.

Thanks!

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
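The question in the post above comes down to which identity the
uniqueness check is keyed on. The following is an added illustration,
written for this thread and not taken from strongSwan or the commit
mentioned above: a toy model of the check with three hypothetical key
selectors (IKE identity, XAuth username, or both) and two hypothetical
modes ("replace" tears down the older SA, "keep" rejects the newer
one). The client DNs, addresses and the shared "vpnuser" XAuth login
are constructed sample data. In strongSwan the real behaviour is
governed by the uniqueids setting and by which identity the daemon
compares, so the option and mode names here are assumptions for the
model only.

```python
"""Toy model of an IKE SA uniqueness check (illustration only, not strongSwan code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class IkeSa:
    """One established IKE SA, reduced to the fields the check cares about."""
    ike_id: str     # IKE identity; for rsasig/xauthrsasig this is the client cert DN
    xauth_id: str   # XAuth username (a shared placeholder in the thread's iOS setup)
    peer_addr: str  # remote address, only used to tell reconnects apart in output


# Hypothetical key selectors; strongSwan has no option by these names.
KEY_FUNCS: Dict[str, Callable[[IkeSa], Tuple[str, ...]]] = {
    "ike_id": lambda sa: (sa.ike_id,),
    "xauth_id": lambda sa: (sa.xauth_id,),
    "both": lambda sa: (sa.ike_id, sa.xauth_id),
}


def check_uniqueness(established: List[IkeSa], new: IkeSa, key: str, mode: str):
    """Decide whether `new` may be admitted.

    Returns (accept_new, replaced): `replaced` lists the existing SAs to
    tear down. Mode "replace" tears duplicates down and admits `new`;
    mode "keep" lets an existing duplicate win and rejects `new`.
    """
    select = KEY_FUNCS[key]
    dupes = [sa for sa in established if select(sa) == select(new)]
    if not dupes:
        return True, []
    if mode == "replace":
        return True, dupes
    if mode == "keep":
        return False, []
    raise ValueError(f"unknown mode {mode!r}")


def admit(established, new, key, mode):
    """Apply the decision and return (new_table, replaced, accepted)."""
    accepted, replaced = check_uniqueness(established, new, key, mode)
    table = [sa for sa in established if sa not in replaced]
    if accepted:
        table.append(new)
    return table, replaced, accepted


# Constructed sample clients: two users, one shared XAuth credential.
ALICE = IkeSa("CN=alice, O=Example", "vpnuser", "203.0.113.10")
BOB = IkeSa("CN=bob, O=Example", "vpnuser", "203.0.113.11")
ALICE_AGAIN = IkeSa("CN=alice, O=Example", "vpnuser", "198.51.100.7")  # alice after roaming


def shared_xauth_scenario(key, mode):
    """alice connects, bob connects, then alice reconnects from a new address.

    Returns (surviving DNs in table order, per-step log of
    (peer_addr, accepted, [addresses torn down])).
    """
    table, log = [], []
    for sa in (ALICE, BOB, ALICE_AGAIN):
        table, replaced, accepted = admit(table, sa, key, mode)
        log.append((sa.peer_addr, accepted, [r.peer_addr for r in replaced]))
    return [sa.ike_id for sa in table], log


# Constructed sample: one certificate used with two different XAuth usernames.
CAROL_LAPTOP = IkeSa("CN=carol, O=Example", "carol-laptop", "192.0.2.20")
CAROL_PHONE = IkeSa("CN=carol, O=Example", "carol-phone", "192.0.2.21")


def shared_cert_scenario(key, mode):
    """Same DN, different XAuth names: the 'DN and XAuth' question from the thread."""
    table = []
    for sa in (CAROL_LAPTOP, CAROL_PHONE):
        table, _, _ = admit(table, sa, key, mode)
    return [sa.xauth_id for sa in table]


if __name__ == "__main__":
    for key in KEY_FUNCS:
        dns, log = shared_xauth_scenario(key, "replace")
        print(f"key={key:8s} mode=replace -> surviving: {dns}")
        for addr, ok, torn in log:
            print(f"    {addr:14s} accepted={ok!s:5s} tore down={torn}")
```

Running the shared-XAuth scenario shows the practical problem: keyed on
the XAuth username, every iOS client is a duplicate of every other, so
bob's connection tears alice's down and alice's reconnect tears bob's
down (or, in "keep" mode, nobody after the first client gets in at all).
Keyed on the IKE identity, alice and bob coexist and only alice's own
stale SA is replaced when she roams. The second scenario is the
"DN and XAuth" variant from the post: keyed on the DN alone, a second
device using the same certificate evicts the first; keyed on both, the
two sessions coexist, which is only a good thing if the certificate
really is meant to be shared across devices.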