eap-dynamic Plugin


The eap-dynamic plugin acts as a proxy that dynamically selects an EAP method that is supported/preferred by the client. If the original EAP method initiated by the plugin is rejected with an EAP-Nak message, it will select a different method that is supported/requested by the client.

The plugin is disabled by default and can be enabled by adding

to the ./configure options. You also need to enable actual EAP methods, such as eap-md5, eap-mschapv2 or eap-tls.

Since 5.0.1.


The plugin is configured using the following strongswan.conf options:

Key Default Description
charon.plugins.eap-dynamic.prefer_user no If enabled, the order of the EAP methods in an EAP-Nak message sent by a client is preferred over the one configured locally.
charon.plugins.eap-dynamic.preferred The preferred EAP method(s) to be used. If it is not set, the first registered method will be used initially. If a comma separated list is specified, the methods are tried in the given order before trying the rest of the registered methods.

Client Behavior

Since 5.0.1, irrespective of whether the plugin is enabled or not, strongSwan will send an EAP-Nak message if the server initiates an EAP method that the client doesn't support. Clients may also request a specific EAP method by configuring that method with leftauth (the EAP-Nak will then only contain that method, otherwise all supported methods are included).