Hi Trevor,

> Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> trustworthy in an ikev2 / eap-tls / user certs connection scenario?
> What I mean by that, is can it be selected, set, or spoofed by the
> client?

Yes, it's trustworthy. While the client can send an arbitrary value, it has
to match an identity in the certificate (either the subject DN or a SAN).

> What I'm worried about, is that PLUTO_XAUTH_ID is trivially
> user-definable and not verified through the cert chain; for instance
> being pulled out of the debug log line below:
>
> Feb 27 01:12:35 pog charon: 10[IKE] received EAP identity '[email protected]'
>
> As that line appears before the cert lines I list above, I'm worried
> that it's not verified against the certs.

Yes, the EAP-Identity exchange precedes the EAP-TLS exchange; however, the
identity is carried over and is verified against the certificate.

> So I then tried user certs to select on EAP identity in the user cert.
> Set that up then finally found a couple of emails/sites that said
> strongswan can't switch conns based on identity.

That's not entirely true. If you delegate the authentication to a RADIUS
server it can send back class attributes that strongSwan can use to select
configs (via rightgroups=<class>). That makes it easy to use different
configs for multiple groups of users.

But even without RADIUS you can match configs against EAP identities. It
requires a dummy config that requests the EAP identities from the clients,
though. Let's say you have two clients, one is [email protected] and one
is [email protected], then you may configure the following:

conn eap-tls-shared
    # options shared by all clients,
    # e.g. leftcert=... or rightauth=eap-tls

conn eap-tls-base
    also=eap-tls-shared
    # this config is used to do the EAP-Identity exchange and the
    # authentication of client and server
    eap_identity=%identity
    # the following is used to force a connection switch after
    # the authentication completed
    rightgroups=<any string that is not used as group/class>
    auto=add

conn eap-tls-trevor
    also=eap-tls-shared
    eap_identity=[email protected]
    # any options that only apply to trevor follow here
    auto=add

conn eap-tls-carol
    also=eap-tls-shared
    eap_identity=[email protected]
    # any options that only apply to carol follow here
    auto=add

If carol connects now you'd see something like this in the log:

> [IKE] authentication of '..., [email protected]' with EAP successful
> [CFG] constraint check failed: group membership to '<value of rightgroups in
> eap-tls-base>' required
> [CFG] selected peer config 'eap-tls-base' inacceptable: non-matching
> authentication done
> [CFG] switching to peer config 'eap-tls-trevor'
> [CFG] constraint check failed: EAP identity '[email protected]' required
> [CFG] selected peer config 'eap-tls-trevor' inacceptable: non-matching
> authentication done
> [CFG] switching to peer config 'eap-tls-carol'
> ...
> IKE_SA eap-tls-carol[1] established between ...

Regards,
Tobias
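Editor's added example (not part of Tobias's mail or of the strongSwan project): a minimal updown script skeleton showing how the two facts above combine on the gateway side. After the conn switch, charon invokes the updown script with PLUTO_CONNECTION set to the per-user conn that was finally selected (eap-tls-carol or eap-tls-trevor) and PLUTO_XAUTH_ID set to the certificate-bound EAP identity, so a per-client firewall rule can be keyed on either. The script echoes the iptables command instead of executing it so it runs offline; the chain names VPN_CAROL, VPN_TREVOR and VPN_DEFAULT and the identity character set are assumptions for the illustration. Even though the identity is bound to the certificate, it is still checked against a conservative character set before it is placed on a command line, as defence in depth against unusual SAN contents.

```shell
#!/bin/sh
# Added example updown skeleton for the eap-tls-* conns above. It does not
# call iptables; it prints the rule it would apply. Chain names are assumed.

# Accept only a conservative identity alphabet before the value is used on a
# command line. charon has already bound it to the client certificate; this
# is defence in depth against odd SAN contents, not a substitute for that.
valid_identity() {
    case "$1" in
        ''|*[!A-Za-z0-9._@+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compose the rule for one updown event.
# Arguments: verb, conn name, EAP identity, peer client subnet, i.e. the
# values charon exports as PLUTO_VERB, PLUTO_CONNECTION, PLUTO_XAUTH_ID and
# PLUTO_PEER_CLIENT.
build_rule() {
    verb=$1 conn=$2 id=$3 client=$4
    valid_identity "$id" || { echo "rejecting identity: $id" >&2; return 1; }
    case "$verb" in
        up-client)   action=-A ;;
        down-client) action=-D ;;
        *)           return 0 ;;   # up-host etc. need no per-client rule here
    esac
    # The conn charon switched to tells us which policy the client matched.
    case "$conn" in
        eap-tls-carol)  chain=VPN_CAROL ;;     # assumed chain name
        eap-tls-trevor) chain=VPN_TREVOR ;;    # assumed chain name
        *)              chain=VPN_DEFAULT ;;   # assumed chain name
    esac
    printf 'iptables %s FORWARD -s %s -j %s -m comment --comment %s\n' \
        "$action" "$client" "$chain" "$id"
}

# Entry point when charon runs the script: read its environment variables.
updown_main() {
    build_rule "${PLUTO_VERB:-}" "${PLUTO_CONNECTION:-}" \
               "${PLUTO_XAUTH_ID:-}" "${PLUTO_PEER_CLIENT:-}"
}

# Only act when invoked by charon (PLUTO_VERB is set); sourcing the file for
# inspection does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Wire it in with leftupdown=/path/to/this-script in the eap-tls-shared conn; the per-user conns inherit it via also=eap-tls-shared, and the rule is keyed on the conn charon finally selected rather than on anything the client could choose.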
