Hi Christophe,

> Can charon pass through unknown EAP methods with eap-radius
> authentication?

Yes:

> vendor-specific methods can be specified in the form eap-type-vendor
> (but I don't really understand how vendor-specific methods could be used
> without extending charon).

The daemon core itself can handle vendor specific EAP methods. We
currently do not have such a method, but a (third party) plugin can
register one.

> I am wondering if the eap-radius "method" will pass through EAP
> exchanges between the client and radius server when the EAP method used
> by the client and radius server is not supported by charon.

eap-radius is not a method, but just an implementation that uses a
RADIUS backend server. If a gateway uses a configuration with
eap-radius, it contacts the RADIUS server. The RADIUS server then will
initiate a method based on its policy. The gateway acts more or less
just as an IKEv2<->RADIUS bridge for EAP packets. The use of eap-radius
is transparent to the client, it does not know that RADIUS is involved.

> Typically, I would like to use the EAP-TLS and EAP-FRAP methods, that
> are not supported by charon for now.

EAP-TLS is in development, but not ready for production use yet. See the
eap-tls git branch for details. EAP-FRAP is not supported at all.

If the RADIUS server speaks EAP-TLS/EAP-FRAP, there is no special
support required from the gateway side. I haven't tested it with vendor
specific methods, though.

Best regards
Martin
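
The bridging described in the reply above, as an added sketch that is not strongSwan code and not part of the original message: the gateway carries the EAP packet, unparsed, in RADIUS EAP-Message attributes protected by a Message-Authenticator (RFC 3579), so the EAP type never matters to it. The function names, the shared secret used with them and the sample vendor-specific EAP packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 / RFC 3579.
ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

# Constructed sample: EAP-Response (code 2), expanded type 254 with a made-up
# Vendor-Id/Vendor-Type and 300 opaque data bytes; total EAP length 312.
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 312, 254) + b"\x00\x30\x39" + struct.pack("!I", 1) + bytes(300)

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length, then at most 253 value bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(packet):
    """Return (type, value_offset, value) for each attribute after the 20-byte header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")  # this sketch also rejects trailing padding
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out

def eap_to_access_request(eap_packet, identity, secret, identifier=0):
    """Gateway side: wrap an EAP packet, without parsing it, in an Access-Request."""
    attrs = attr(USER_NAME, identity)
    for off in range(0, len(eap_packet), 253):       # one EAP-Message per 253-byte chunk
        attrs += attr(EAP_MESSAGE, eap_packet[off:off + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def radius_to_eap(packet):
    """RADIUS server side: concatenate the EAP-Message values back into the EAP packet."""
    return b"".join(v for t, _, v in parse_attrs(packet) if t == EAP_MESSAGE)

def message_authenticator_ok(packet, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    for t, off, v in parse_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False
```

The Message-Authenticator check is what ties the relayed EAP bytes to the gateway's shared secret; a RADIUS server that accepts EAP-Message attributes without it would accept a packet modified on the path.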