Feature #2097

Support EAP-TLS in NetworkManager backend

Added by Daniel Stone about 4 years ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Category: networkmanager (charon-nm)
Start date: 30.08.2016
Resolution: Fixed

Description

Support for EAP-TLS in the NM backend would be very nice, given that it already supports certificate authentication and EAP as well, just not together. This is probably particularly useful since the iOS VPN instructions are all around EAP-TLS, so you can then reuse the same server-side setup for both iOS and UNIX/strongSwan clients.

Associated revisions

Revision 4373a59b
Added by Tobias Brunner 10 months ago

Merge branch 'nm-eap-tls'

Adds support for EAP-TLS to the NM plugin. The certificates/key
source (file, smartcard, agent) can now be selected independently of
the authentication method (i.e. for both certificate and EAP-TLS auth).

Fixes #2097.

History

#1 Updated by Tobias Brunner about 4 years ago

  • Status changed from New to Feedback

You can also use plain public key authentication with iOS clients (at least with custom configuration profiles, not sure about the GUI).

But yeah, it probably wouldn't be too hard to add support for this (with a similar feature set as the Android app).

#2 Updated by Daniel Stone about 4 years ago

Tobias Brunner wrote:

> You can also use plain public key authentication with iOS clients (at least with custom configuration profiles, not sure about the GUI).

Yeah, you can't do it through the GUI, which makes it really inconvenient.

#3 Updated by Tobias Brunner about 4 years ago

> > You can also use plain public key authentication with iOS clients (at least with custom configuration profiles, not sure about the GUI).
>
> Yeah, you can't do it through the GUI, which makes it really inconvenient.

However, you could configure the server so that clients authenticated with either method are accepted, unless you want to terminate EAP-TLS on a separate host via RADIUS.

#4 Updated by Daniel Wilhelm about 4 years ago

Tobias Brunner wrote:

> You can also use plain public key authentication with iOS clients (at least with custom configuration profiles, not sure about the GUI).
>
> But yeah, it probably wouldn't be too hard to add support for this (with a similar feature set as the Android app).

Having had a look into the code of the NetworkManager plugin as well as charon-nm itself, it seems both components would need an update, as the Android implementation differs quite a bit. Though I would vote in favour of this feature, as I would use it as well.

#5 Updated by Tobias Brunner 10 months ago

  • Target version set to 5.8.3

Changes that implement this are currently in the 2097-nm-eap-tls branch.

#6 Updated by Tobias Brunner 10 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed
