Hi Rajiv,

> - Observed that the client responds with EAP-MD5 as the method when
> queried by server

It responds with whatever EAP method the RADIUS server initiated, as long as it supports it. Only if it doesn't support the initiated method will it respond with an EAP-Nak and request a different method from the server (i.e. it sends a list of the methods it supports so the server can pick and initiate another one).

> - My query for this menu-item is
>
> a) How to enable/configure this client to send or use ONLY
> EAP-MSCHAPv2 as the method for user-authentication

Change the RADIUS server config so it initiates EAP-MSCHAPv2, if that's what you want to use.

> b) The same server connection entry is used for Windows-IKEv2 client and
> here MSCHAPv2 is used and successfully authenticated by the same
> radius-server

Windows probably only supports EAP-MSCHAPv2, so I guess it will reject EAP-MD5 and request that the server initiate EAP-MSCHAPv2.

> c) So I am assuming here that we need to do something at the client-end only

No, the EAP method is initiated by the server.

> d) - I am assuming as per what I have read..EAP-GTC requires a PEAP
> tunnel (to radius-server)...

It does not require it, the client actually does not support EAP-PEAP currently. EAP-GTC is sent securely within IKEv2, but in the clear to the RADIUS server, so make sure the connection between VPN and RADIUS server is secure.

> Observation and query is that this menu-item can only be supported by
> only Strongswan-server configured specifically with rightauth2...This
> method is NOT so prevalent or used in any other Interoperable
> VPN-servers as far as I know...

Only servers supporting RFC 4739 will be interoperable with this authentication method. The client will authenticate with a certificate during the first round and expect EAP authentication during the second.

> 4. IKEv2 EAP-TNC (username/passwd)
>
> when I tried this with standard server config for EAP-TLS...radius was
> actually trying EAP-TTLS...or something like that
>
> - effectively this seems to work with EAP-TTLS...so what is the required
> configuration on server to use this menu selection?

See [1].

> In summary, my main query (among other queries above) is how to
> configure strongswan server and this client to use EAP-GTC...using
> Radius-server for AAA

You don't have to configure the client or the strongSwan server but the RADIUS server, since it's the one initiating the EAP method.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect#Android-BYOD-Security-based-on-the-TNC-framework
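The server-initiated negotiation Tobias describes, as an added example that is not part of the thread or of strongSwan's code: it encodes and parses RFC 3748 EAP packets, and the modelled client answers a server-initiated method either with a Response of that Type or with a Nak (Type 3) listing what it supports. The client and server method lists are assumptions chosen to mirror the cases in the thread.

```python
"""Minimal model of EAP method selection: the RADIUS server picks the method
by sending an EAP-Request of a given Type; the client either answers with the
same Type or sends a Nak carrying the Types it is willing to use.
Packet layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
# IANA EAP method Type numbers for the methods mentioned in the thread.
NAK, MD5_CHALLENGE, GTC, TLS, TTLS, PEAP, MSCHAPV2, TNC = 3, 4, 6, 13, 21, 25, 26, 38

# Assumed client method list (no PEAP, as the reply states); order = preference.
CLIENT_METHODS = (MSCHAPV2, GTC, MD5_CHALLENGE, TLS, TTLS, TNC)
# Assumed RADIUS server method list for the fallback after a Nak.
SERVER_METHODS = (MSCHAPV2, MD5_CHALLENGE, GTC)


def build_eap(code, identifier, eap_type, type_data=b""):
    """Encode one EAP packet; the Length field covers the whole packet."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type, type_data),
    rejecting truncated packets and a Length that disagrees with the size."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, eap_type, pkt[5:]


def client_respond(request, supported=CLIENT_METHODS):
    """Client side: accept the server-initiated method or Nak with alternatives."""
    code, identifier, eap_type, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("client only answers EAP-Requests")
    if eap_type in supported:
        # A real Response would carry the method's data (e.g. the MD5 digest).
        return build_eap(EAP_RESPONSE, identifier, eap_type)
    # Nak: same Identifier, Type-Data is the list of acceptable method Types.
    return build_eap(EAP_RESPONSE, identifier, NAK, bytes(supported))


def negotiate(server_initiates, supported=CLIENT_METHODS):
    """Server initiates a method; return the Type the exchange settles on."""
    response = client_respond(build_eap(EAP_REQUEST, 1, server_initiates), supported)
    _, _, eap_type, type_data = parse_eap(response)
    if eap_type != NAK:
        return eap_type
    # After a Nak the server initiates the first Nak'd method it also supports.
    return next(t for t in type_data if t in SERVER_METHODS)
```

With the default lists a server that initiates EAP-MD5 gets EAP-MD5 back, a Windows-like client supporting only EAP-MSCHAPv2 Naks and ends up on EAP-MSCHAPv2, and changing the outcome means changing what the server initiates, not the client.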
