ike-auth: Add option to use EAP-only authentication without notify
Some peers apparently don't send the notify and still expect to authenticate with EAP-only authentication. This option allows forcing the configured use of EAP-only authentication in that scenario.
parent
0184a69b7b
commit
066fa42fcb
|
@ -120,6 +120,10 @@ charon.flush_auth_cfg = no
|
||||||
charon.follow_redirects = yes
|
charon.follow_redirects = yes
|
||||||
Whether to follow IKEv2 redirects (RFC 5685).
|
Whether to follow IKEv2 redirects (RFC 5685).
|
||||||
|
|
||||||
|
charon.force_eap_only_authentication = no
|
||||||
|
Violate RFC 5998 and use EAP-only authentication even if the peer did not
|
||||||
|
send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
|
||||||
|
|
||||||
charon.fragment_size = 1280
|
charon.fragment_size = 1280
|
||||||
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
|
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
|
||||||
when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
|
when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
|
||||||
|
|
|
@ -1009,11 +1009,21 @@ METHOD(task_t, build_r, status_t,
|
||||||
if (!this->ike_sa->supports_extension(this->ike_sa,
|
if (!this->ike_sa->supports_extension(this->ike_sa,
|
||||||
EXT_EAP_ONLY_AUTHENTICATION))
|
EXT_EAP_ONLY_AUTHENTICATION))
|
||||||
{
|
{
|
||||||
DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
|
if (lib->settings->get_bool(lib->settings,
|
||||||
"does not support it");
|
"%s.force_eap_only_authentication", FALSE, lib->ns))
|
||||||
|
{
|
||||||
|
DBG1(DBG_IKE, "ignore missing %N notify and use EAP-only "
|
||||||
|
"authentication", notify_type_names,
|
||||||
|
EAP_ONLY_AUTHENTICATION);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
DBG1(DBG_IKE, "configured EAP-only authentication, but "
|
||||||
|
"peer does not support it");
|
||||||
goto peer_auth_failed;
|
goto peer_auth_failed;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* build authentication data */
|
/* build authentication data */
|
||||||
|
|
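Review bot: The new `get_bool()` branch inside the `!supports_extension(..., EXT_EAP_ONLY_AUTHENTICATION)` check has no comment saying that it deliberately deviates from RFC 5998. The lookup uses the daemon-wide key `%s.force_eap_only_authentication`, so once enabled it appears to apply to every connection configured for EAP-only, not just to the non-compliant peers. A comment above the inner `if` would make both points explicit, e.g. `/* deliberate RFC 5998 deviation: peer sent no EAP_ONLY_AUTHENTICATION notify; global setting, affects all EAP-only configs */`. The visible lines do not check whether the configured EAP method provides mutual authentication; that may be handled elsewhere, but it is worth confirming, since on this path the responder is authenticated by the EAP method alone. `build_r` starts and ends outside this hunk.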