> > The peer rejects authentication, but we can't see why on this end. Maybe
> > the Aruba peer has more information about this failure in its log?
>
> This gives ERR_IPSEC_NO_MAP.

Hm, hard to say what this error means. Maybe Aruba or its community has more experience with this?

> > Seems that the peer does not respond to the EAP-TLS message. Again, the
> > Aruba log might have information why it doesn't continue.
>
> It's very unsure what fails here, we see an authentication error from
> the RADIUS but unsure what fails, if it's the ID-to-certificate map or
> the certificate itself.
> Is there any way to get more debug information out of strongSwan for the
> EAP-TLS authentication?

EAP-TLS and its TLS stack use the tls logging group [1]. Increasing its level to 2 gives more info on the control flow. But probably you'll need to debug this on the other end and/or RADIUS.

> Also, if I do not specify a leftid the DN from the certificate is used
> and it fails even faster.

Usually you specify an EAP-Identity to negotiate before EAP-TLS. Using a DN for it is usually not what you want; its binary encoding does not work very well inside EAP. E-mail or DNS names usually work better. You may specify it for both IKE and EAP using leftid, or with the eap_identity keyword for EAP only; see man ipsec.conf for details.

> I have UTF-8 characters in my DN, have there been problems with that in
> strongSwan before? My DN is not displayed correctly in the terminal
> from the strongSwan output but everything looks ok when checking the
> certificate with openssl x509.

We replace any non-ASCII characters with '?' before printing them to avoid messing up your console/log. DNs are not strings, but raw ASN.1 DER encoding. Hence you should avoid using them in EAP identities.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
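The two settings the reply points at, written out as an added example that is not part of the original thread: the tls logging group raised to level 2 in strongswan.conf, and an e-mail address instead of the certificate's UTF-8 DN as the IKE/EAP identity in ipsec.conf. The log path, certificate file name, gateway name and the address client@example.org are placeholders.

```ini
# strongswan.conf (added example): log the TLS stack used by EAP-TLS at
# level 2, everything else at the default level 1, into a dedicated file.
charon {
    filelog {
        /var/log/charon.log {
            default = 1
            tls = 2            # logging group "tls" covers EAP-TLS control flow
            append = no
            flush_line = yes
        }
    }
}

# ipsec.conf (added example): IKEv2 client that authenticates the gateway by
# certificate and itself with EAP-TLS. The identity is an e-mail address,
# not the DN, so it survives the EAP exchange intact; the address is assumed
# to be present as a subjectAltName in clientCert.pem so the certificate can
# be matched to it.
conn eap-tls-client
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientCert.pem          # certificate presented inside EAP-TLS
    leftid=client@example.org        # IKE identity (and EAP identity if eap_identity is unset)
    leftauth=eap-tls
    eap_identity=client@example.org  # EAP-only identity; may differ from leftid
    right=vpn.example.org            # placeholder gateway
    rightid=@vpn.example.org
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    auto=add
```

With this in place, `ipsec up eap-tls-client` writes the EAP-TLS handshake steps (ClientHello, certificate request, and the point where the peer stops answering) to /var/log/charon.log.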
