ike-auth: Add option to use EAP-only authentication without notify
Some peers apparently don't send the notify but still expect to authenticate with EAP-only authentication. This option allows forcing EAP-only authentication, where it is configured, in that scenario.
parent
0184a69b7b
commit
066fa42fcb
|
@ -120,6 +120,10 @@ charon.flush_auth_cfg = no
|
|||
charon.follow_redirects = yes
|
||||
Whether to follow IKEv2 redirects (RFC 5685).
|
||||
|
||||
charon.force_eap_only_authentication = no
|
||||
Violate RFC 5998 and use EAP-only authentication even if the peer did not
|
||||
send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
|
||||
|
||||
charon.fragment_size = 1280
|
||||
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
|
||||
when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
|
||||
|
|
|
@ -1009,9 +1009,19 @@ METHOD(task_t, build_r, status_t,
|
|||
if (!this->ike_sa->supports_extension(this->ike_sa,
|
||||
EXT_EAP_ONLY_AUTHENTICATION))
|
||||
{
|
||||
DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
|
||||
"does not support it");
|
||||
goto peer_auth_failed;
|
||||
if (lib->settings->get_bool(lib->settings,
|
||||
"%s.force_eap_only_authentication", FALSE, lib->ns))
|
||||
{
|
||||
DBG1(DBG_IKE, "ignore missing %N notify and use EAP-only "
|
||||
"authentication", notify_type_names,
|
||||
EAP_ONLY_AUTHENTICATION);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_IKE, "configured EAP-only authentication, but "
|
||||
"peer does not support it");
|
||||
goto peer_auth_failed;
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
|
|
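Review bot: The new `if (lib->settings->get_bool(...)` branch in build_r silently waives the RFC 5998 precondition, and nothing in the code records that the responder's AUTH payload will then be produced for a peer that never announced EAP-only support, so a later reader sees only a log line and a fall-through; a short comment above that line would make the deviation explicit, e.g. `/* RFC 5998 requires the peer's EAP_ONLY_AUTHENTICATION notify; this knob proceeds without it for peers that omit it but still expect EAP-only auth */`. The setting is read from the global `lib->settings` namespace, so once enabled it applies to every connection configured for EAP-only authentication rather than to the specific misbehaving peers; if that is the intended scope, it is worth stating in the same comment, since the DBG1 message is the only runtime trace of the bypass. The enclosing build_r method starts and ends outside the hunk.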