The eap-dynamic plugin acts as a proxy that dynamically selects an EAP method that is supported/preferred by the client. If the original EAP method initiated by the plugin is rejected with an EAP-Nak message, it will select a different method that is supported/requested by the client.
The plugin is disabled by default and can be enabled by adding
--enable-eap-dynamicto the ./configure options. You also need to enable actual EAP methods, such as eap-md5, eap-mschapv2 or eap-tls.
The plugin is configured using the following strongswan.conf options:
|charon.plugins.eap-dynamic.prefer_user||no||If enabled, the order of the EAP methods in an EAP-Nak message sent by a client is preferred over the one configured locally.|
|charon.plugins.eap-dynamic.preferred||The preferred EAP method(s) to be used. If it is not set, the first registered method will be used initially. If a comma separated list is specified, the methods are tried in the given order before trying the rest of the registered methods.|
Since 5.0.1, irrespective of whether the plugin is enabled or not, strongSwan will send an EAP-Nak message if the server initiates an EAP method that the client doesn't support. Clients may also request a specific EAP method by configuring that method with leftauth (the EAP-Nak will then only contain that method, otherwise all supported methods are included).