[strongSwan-dev] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message
Ravi Kanth Vanapalli
2016-10-10 20:13:19 UTC
Hi all,

I have a situation wherein I need to alter the IDi slightly before the
EAP-TLS authentication proceeds. I.e. the IDi in the first IKE_AUTH message
should be different from the IDi to be used for the user private key lookup
in the EAP-TLS user authentication.

I see that the API 'eap_tls_create_peer' is being used to initialize the
peer identity in the TLS plugin.
It is registered with the plugin eap_tls_plugin.c.

I am finding it difficult to know which module calls this API
eap_tls_create_peer to initialize the EAP-TLS peer identity.

Kindly provide any inputs regarding my issue.

Thank you very much.
--
Regards,
RaviKanth
Andreas Steffen
2016-10-11 07:54:47 UTC
Hi Ravi,

Why don't you use the eap_identity parameter?

Regards

Andreas
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Ravi Kanth Vanapalli
2016-10-11 11:28:32 UTC
Sure, Andreas. Thank you for this valuable input. I will give it a try.

Could you please confirm the difference between (1) and (2) below:

1) auth->add(auth, AUTH_RULE_IDENTITY, id);
2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);

My understanding is that (1) is used to fill the IDi in the first IKE_AUTH
message.
The second one is used for identity verification in EAP methods, e.g. EAP-TLS
uses the identity added with AUTH_RULE_EAP_IDENTITY for fetching the private
certificate.
(1) and (2) can be different.

Kindly confirm that my understanding is correct.

Thanks,
Ravikanth

--
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: ***@gmail.com
Ravi Kanth Vanapalli
2016-10-11 11:36:31 UTC
Adding option (3) here.

3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id);

Which of the identities (1), (2) or (3) is used to fetch the private
key in EAP-TLS authentication?


--
Regards,

RaviKanth VN Vanapalli
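An added configuration example, not from this thread or the strongSwan project, that maps the three auth rules listed above and Andreas's eap_identity suggestion onto an ipsec.conf client connection for EAP-TLS. The host names, identities and certificate file name are constructed; the option names are the ipsec.conf ones (leftid, eap_identity, aaa_identity), to be checked against the ipsec.conf reference of the strongSwan version in use.

```conf
# /etc/ipsec.conf on the EAP-TLS client (constructed example, not project code)
conn eaptls-client
        keyexchange=ikev2
        right=vpn.example.org            # assumed gateway address
        rightid=vpn.example.org
        rightauth=pubkey
        leftauth=eap-tls
        # (1) IKE identity: sent as the IDi payload in the first IKE_AUTH
        #     message (AUTH_RULE_IDENTITY)
        leftid=device-1234@example.org
        # (2) EAP identity: handed to the EAP method instead of the IKE
        #     identity; for EAP-TLS this is the identity for which the client
        #     certificate and private key are looked up (AUTH_RULE_EAP_IDENTITY).
        #     It may differ from leftid, as asked above.
        eap_identity="C=CH, O=Example, CN=user1"
        # certificate loaded into the credential set; it must carry the
        # identity given in eap_identity so the lookup succeeds (assumed file name)
        leftcert=user1Cert.pem
        # (3) AAA identity: identity the EAP server must prove in the TLS
        #     exchange when EAP is terminated by an AAA backend whose identity
        #     differs from the gateway's rightid (AUTH_RULE_AAA_IDENTITY)
        aaa_identity=aaa.example.org
        auto=add
```

With eap_identity unset, the EAP method falls back to leftid, which is the single-identity behaviour the original question wanted to avoid.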