eap-gtc Plugin » History » Version 2

Tobias Brunner, 18.05.2011 16:45

h1. EAP-GTC for client authentication
EAP-GTC allows clients to authenticate securely using a username/password scheme. In GTC, the password is transmitted in cleartext to the gateway after the gateway has been authenticated using certificates. While this sounds insecure, it has some real advantages: you won't need access to cleartext credentials on the gateway and can use other authentication services to verify the password.
The EAP-GTC plugin uses any PAM service to verify the received credentials.
h2. Compile with EAP-GTC
Add @--enable-eap-gtc@ to the configure flags to build with the GTC module, e.g.:
<pre>
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
</pre>
h2. Configuration
By default, the GTC module uses the PAM service _login_, which should be available on most systems. But you may create your own service, e.g. in _/etc/pam.d/ipsec_:
<pre>
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
</pre>
To use that service, set the _pam_service_ option in [[strongswanconf|strongswan.conf]]:
<pre>
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
</pre>
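The _/etc/pam.d/ipsec_ service above only fails closed because of its final _pam_deny_ line. The following added walk-through (example code, not part of the strongSwan plugin) parses that service file and applies simplified Linux-PAM control-flag rules to it; the per-module outcomes are constructed inputs standing in for what _pam_env_, _pam_unix_ and _pam_deny_ would return.

```python
# Constructed copy of the /etc/pam.d/ipsec example from the page.
PAM_IPSEC = """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
"""

def parse_pam(text, mtype="auth"):
    """Return [(control_flag, module_name)] for entries of the given type."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments and blanks
        if len(parts) < 3 or parts[0] != mtype:
            continue
        stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack

def run_stack(stack, outcomes):
    """Simplified Linux-PAM control-flag rules; outcomes maps module name
    to True (PAM_SUCCESS) or False (any failure). True means access granted."""
    failed = False                         # a 'required' module has failed
    for control, module in stack:
        ok = outcomes.get(module, False)   # unknown module: treat as failure
        if control == "required":
            failed = failed or not ok      # remember the failure, keep going
        elif control == "requisite":
            if not ok:
                return False               # abort the stack immediately
        elif control == "sufficient":
            if ok and not failed:
                return True                # short-circuit: pam_deny never runs
        # 'optional' does not change the result in this model
    return not failed

def check_password(password_ok, env_ok=True):
    """Outcome of the page's service file for one login attempt."""
    outcomes = {"pam_env.so": env_ok, "pam_unix.so": password_ok,
                "pam_deny.so": False}      # pam_deny always fails
    return run_stack(parse_pam(PAM_IPSEC), outcomes)

def check_without_deny(password_ok):
    """Same stack with the trailing pam_deny line dropped: a wrong password
    falls through to the success recorded by pam_env and is accepted."""
    stack = [e for e in parse_pam(PAM_IPSEC) if e[1] != "pam_deny.so"]
    return run_stack(stack, {"pam_env.so": True, "pam_unix.so": password_ok})
```

Running `check_password(False)` denies as expected, while `check_without_deny(False)` grants access, which is why the service file must keep the closing _pam_deny_ line when you adapt it.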
A gateway configuration in [[IpsecConf|ipsec.conf]] might look like this:
<pre>
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # subnet behind gateway to include in tunnel (optional)
  leftsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # handle all clients with this config
  rightid=%any
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
</pre>