> Selecting test-oti.dom.ch failed due to strongswan always using peer
> 'dev' (the first one) and the eap_identity mismatching. Looks like
> the peer config is selected before the eap-tls comes into play. Am I
> missing something here?
Yes, the peer config is selected before EAP-TLS starts, as the daemon has to know, among other things, what EAP method to initiate. However, strongSwan knows a concept of "late configuration switching"; it allows switching to a different (compatible) connection after authentication when it sees that the current selection is unacceptable.

Unfortunately, the eap_identity option is not something you can use to do connection selection; as the manpage says, a non-%identity value does not do any matching based on the EAP-Identity, but omits the EAP-Identity exchange and just uses the configured value as EAP-Identity. Further, any other selection mechanism (rightcert, rightcertpolicy etc.) wouldn't work either, as the information from the EAP exchange is not passed along to IKE configuration selection. Certainly something we could improve, but currently this is not done.

So it seems that using EAP-TLS would help in selecting the certificate on the client, but no longer allows you to do connection matching as needed. I think both connection matching based on EAP-Identity and other EAP-specific authentication details would be of great value. I'll see if we can get this done, but I probably won't find the time in the next few weeks.

Regards
Martin
