
Bug #1182

IKEv2 PSK EAP-MSCHAPv2 BlackBerry 10 - EAP Identity

Added by J G over 3 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: charon
Target version:
Start date: 28.10.2015
Due date:
Estimated time:
Affected version: 5.3.2
Resolution: Fixed

Description

strongSwan 5.3.2 is installed and running on CentOS 6.7.

Users are able to connect fine and traffic flows as expected.

My query or issue is that the same username and password used across two devices (or multiple devices) could get connected as long as the MSCHAPv2 EAP Identity is set differently on each device.

I have not been able to find a way to not allow the same username/password to be used for a second login if the EAP Identity is changed on another device.

Is there any way I can restrict users to only have a single connection at a time?

Thank you,

John

ipsec.conf

config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=24h
    keylife=24h
    keyexchange=ikev2
    dpdaction=clear
    dpdtimeout=3600s
    dpddelay=3600s
    compress=yes

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=5.29.116.20
    right=%any
    rightsourceip=192.168.2.100/29
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

ipsec.secrets

: PSK "pskpsk"
user1 : EAP "password1"
user2 : EAP "password2"

strongswan.conf

charon {
    threads = 16
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
}

pluto {
}

libstrongswan {
}

Associated revisions

Revision d801fedb
Added by Tobias Brunner over 3 years ago

Merge branch 'eap-mschapv2-eap-identity'

This replaces the EAP-Identity with the EAP-MSCHAPv2 username, which
ensures the client is known with an authenticated identity. Previously
a client with a valid username could use a different identity (e.g. the
name of a different user) in the EAP-Identity exchange. Since we use
the EAP-Identity for uniqueness checks etc. this could be problematic.
The EAP-MSCHAPv2 username is now explicitly logged if it is different
from the EAP-Identity (or IKE identity).

Fixes #1182.

History

#1 Updated by Tobias Brunner over 3 years ago

  • Tracker changed from Issue to Bug
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner
  • Priority changed from Low to Normal
  • Target version set to 5.3.4

My query or issue is that the same username and password used across two devices (or multiple devices) could get connected as long as the MSCHAPv2 EAP Identity is set differently on each device.

Correct, the eap-mschapv2 plugin uses the username only to find a password and do the authentication. It is not compared against the current EAP-Identity (or IKE identity if there was no EAP-Identity exchange) or adopted as EAP-Identity. So the original EAP-Identity will still be used to identify the other peer of the IKE_SA afterwards.

I've pushed a fix for this to the 1182-eap-mschapv2-eap-identity branch. With it the EAP-MSCHAPv2 username replaces the EAP-Identity.
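The following is an added illustration of the behaviour described in the comment above and in the commit message of revision d801fedb; it is a constructed Python model, not strongSwan code. It plays through three devices that all hold user1's credentials but send different EAP-Identities, once with the pre-fix rule (the IKE_SA is tracked under the client-chosen EAP-Identity) and once with the post-fix rule (the authenticated EAP-MSCHAPv2 username replaces it). The secrets table mirrors the reporter's ipsec.secrets; the client names, the `establish` and `simulate` helpers and the mismatch log wording are assumptions made for the example.

```python
"""Toy model of the identity handling discussed in strongSwan bug #1182.

Constructed example, not strongSwan code. A responder checks the
EAP-MSCHAPv2 credentials, then decides which identity the IKE_SA is tracked
under for uniqueness checks: the client-chosen EAP-Identity (behaviour
before revision d801fedb) or the authenticated MSCHAPv2 username (after).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed secrets table mirroring the ipsec.secrets in the report.
EAP_SECRETS = {"user1": "password1", "user2": "password2"}


@dataclass
class Client:
    eap_identity: str    # identity the client sends in the EAP-Identity exchange
    mschapv2_user: str   # username carried in the MSCHAPv2 response
    password: str        # password used for the MSCHAPv2 exchange


def mschapv2_authenticate(user: str, password: str) -> bool:
    """Stand-in for the MSCHAPv2 exchange: succeed iff user/password match.
    As in the real plugin, the username is only used to look up the
    password; the EAP-Identity plays no part here."""
    return EAP_SECRETS.get(user) == password


def identity_mismatch_note(client: Client) -> Optional[str]:
    """Mimic the post-fix log line: report when the authenticated username
    differs from the EAP-Identity (hypothetical wording, not charon's)."""
    if client.mschapv2_user != client.eap_identity:
        return (f"EAP-MSCHAPv2 username '{client.mschapv2_user}' differs "
                f"from EAP-Identity '{client.eap_identity}'")
    return None


def establish(active: set, client: Client, adopt_username: bool):
    """Try to set up an IKE_SA for client.

    active         -- identities that already own an IKE_SA (uniqueness state)
    adopt_username -- False: keep the EAP-Identity (pre-fix behaviour)
                      True:  replace it with the MSCHAPv2 username (post-fix)
    Returns (accepted, identity_used_for_tracking).
    """
    if not mschapv2_authenticate(client.mschapv2_user, client.password):
        return (False, None)
    identity = client.mschapv2_user if adopt_username else client.eap_identity
    if identity in active:
        # Uniqueness policy that rejects a second IKE_SA for the same identity.
        return (False, identity)
    active.add(identity)
    return (True, identity)


# Constructed scenario: three devices, all holding user1's credentials.
SCENARIO = [
    Client("user1", "user1", "password1"),    # device A, honest identity
    Client("phone-b", "user1", "password1"),  # device B, different EAP-Identity
    Client("user2", "user1", "password1"),    # device C, claims user2's name
]


def simulate(adopt_username: bool):
    """Run the scenario against an empty responder and return the outcomes."""
    active = set()
    return [establish(active, c, adopt_username) for c in SCENARIO]


if __name__ == "__main__":
    for adopt in (False, True):
        label = "after fix " if adopt else "before fix"
        for client, (ok, ident) in zip(SCENARIO, simulate(adopt)):
            note = identity_mismatch_note(client) if adopt else None
            print(f"{label}: {client.eap_identity:8} -> "
                  f"{'accepted' if ok else 'rejected'} as {ident}"
                  + (f"  [{note}]" if note else ""))
```

Before the fix all three IKE_SAs are accepted and device C is even tracked under user2's name; after the fix devices B and C both resolve to user1 and are caught by the uniqueness check. The toy simply rejects a duplicate; in strongSwan what actually happens to the earlier IKE_SA is governed by the `uniqueids` setting in `config setup`, which the reporter's ipsec.conf leaves at its default.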

#2 Updated by Tobias Brunner over 3 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed
