aaa_identity is used by an EAP client to verify the identity in the TLS server certificate if it is different from the IKEv2 server certificate.

Regards

Andreas

On 11.10.2016 13:36, Ravi Kanth Vanapalli wrote:
> Adding option (3) here.
>
> 3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id)
>
> Which of the following identities (1),2 or 3 is used to fetch the
> private key in EAP_TLS authentication.
>
>
> On Tue, Oct 11, 2016 at 7:28 AM, Ravi Kanth Vanapalli
> <vvnrk.vanapa...@gmail.com> wrote:
>
> Sure Andreas. Thank you for this valuable input. I will give a try.
>
> Could you please confirm the difference between 1 and 2 below
>
> 1) auth->add(auth, AUTH_RULE_IDENTITY, id);
> 2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);
>
> My understanding is that (1) is used to fill the IDi in the first
> IKE_AUTH message.
> Second one is used for identity verification in EAP methods. e.g.
> EAP-TLS uses identity added in AUTH_RULE_EAP_IDENTITY for fetching
> the private certificate.
> (1) and (2) can be different.
>
> Kindly confirm that my understanding is correct.
>
> Thanks,
> Ravikanth
>
> On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen
> <andreas.stef...@strongswan.org> wrote:
>
> Hi Ravi,
>
> why don't you use the eap_identity parameter?
>
> Regards
>
> Andreas
>
> On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
> > Hi all,
> >
> > I have a situation wherein I need to alter the IDi slightly before the
> > EAP-TLS authentication proceeds. I.e. IDi in the first IKE_AUTH message
> > should be different to IDi to be used for user private key lookup in the
> > EAP-TLS user authentication.
> >
> > I see that the API 'eap_tls_create_peer' is being used, to initialize
> > the peer identity in TLS plugin.
> > This is being registered with plugin eap_tls_plugin.c
> >
> > I am finding it difficult to know which module calls this API
> > eap_tls_create_peer to initialize EAP TLS peer identity.
> >
> > Kindly provide any inputs regarding my issue.
> >
> > Thank you very much.
> >
> > --
> > Regards,
> > RaviKanth
>
> ======================================================================
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> --
> Regards,
>
> RaviKanth VN Vanapalli
> Email: vvnrk.vanapa...@gmail.com
>
> --
> Regards,
>
> RaviKanth VN Vanapalli

--
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
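
The three auth rules discussed in this thread correspond to ipsec.conf parameters on an EAP-TLS client. The fragment below is an added example, not part of any message in the thread and not the strongSwan project's own configuration; every host name, identity, DN and certificate file name in it is a constructed placeholder.

```conf
# ipsec.conf on the EAP-TLS client (added example; all values are
# constructed placeholders, not taken from the thread)

conn eap-tls-client
    keyexchange=ikev2
    left=%any

    # (1) AUTH_RULE_IDENTITY: the IKEv2 identity, sent as IDi in the
    #     first IKE_AUTH message.
    leftid=device-01@example.org

    leftauth=eap-tls
    leftcert=userCert.pem

    # (2) AUTH_RULE_EAP_IDENTITY: the identity the client uses to reply
    #     to an EAP Identity request. It may differ from leftid; if it is
    #     omitted, the IKEv2 identity is used as the EAP identity.
    eap_identity="C=CH, O=Example, CN=user@example.org"

    # (3) AUTH_RULE_AAA_IDENTITY: the identity expected in the TLS server
    #     certificate presented inside EAP-TLS. Needed only when the AAA
    #     server's certificate identity differs from the IKEv2 gateway
    #     identity given in rightid.
    aaa_identity="C=CH, O=Example, CN=aaa.example.org"

    right=gateway.example.org
    # Identity checked against the IKEv2 gateway certificate.
    rightid="C=CH, O=Example, CN=gateway.example.org"
    rightauth=pubkey
    auto=add
```

Leaving out aaa_identity when the AAA server is a separate host means the client checks the EAP-TLS server certificate against the gateway identity, so the inner TLS handshake fails its identity check even though the IKEv2 gateway authenticated correctly.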
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users