eap-gtc Plugin » History » Version 2

Version 1 (Martin Willi, 15.05.2009 17:26) → Version 2/5 (Tobias Brunner, 18.05.2011 16:45)

h1. EAP-GTC for client authentication

EAP-GTC allows clients to authenticate securely using a username/password scheme. In GTC, the password is transmitted in cleartext to the gateway, but only after the gateway has authenticated itself to the client using certificates, so it travels inside the already protected IKE exchange. While this sounds insecure, it has some real advantages: the gateway itself does not need access to cleartext credentials, and the password can be verified by any other authentication service.
The EAP-GTC plugin uses any PAM service to verify the received credentials.

h2. Compile with EAP-GTC

Add @--enable-eap-gtc@ to the configure flags to build with the GTC module, e.g.:
<pre>
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
</pre>

h2. Configuration

By default, the GTC module uses the PAM service _login_, which should be available on most systems. But you may create your own service, e.g. in _/etc/pam.d/ipsec_:
<pre>
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
</pre>
To use that service, set the _pam_service_ option in [[strongswanconf|strongswan.conf]] (_/etc/strongswan.conf_):
<pre>
charon {
    plugins {
        eap_gtc {
            pam_service = ipsec
        }
    }
}
</pre>
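The two files above decide who can authenticate: strongswan.conf names the PAM service, and the service file defines the auth stack. The following script, an added example that is not part of the strongSwan project, resolves the configured service (falling back to the plugin default _login_) and inspects the auth stack for two things a defender wants to know: whether @pam_unix.so@ carries @nullok@ (which lets accounts with an empty password authenticate) and whether the stack ends in @pam_deny.so@ (without it, a failed _sufficient_ module leaves the verdict to the remaining _required_ modules, which may still succeed). The parser only covers the syntax subset shown on this page, and both sample files are constructed inline.

```python
"""Audit an EAP-GTC setup: resolve the PAM service named in strongswan.conf
and review that service's PAM auth stack.

Added example, not strongSwan code. The strongswan.conf parser handles only
nested "name { }" sections, "key = value" lines and "#" comments, which is
all the snippets on this page use. Sample inputs are constructed inline."""
import re

DEFAULT_PAM_SERVICE = "login"   # plugin default when pam_service is not set

# Matches "auth <control> <module> [options]", including bracketed controls
# such as "[success=1 default=ignore]" used by newer PAM configurations.
_AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_strongswan_conf(text):
    """Parse nested sections into a dict of dicts; leaf values are strings."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                     # open a section
            child = cur.setdefault(line[:-1].strip(), {})
            stack.append(cur)
            cur = child
        elif line == "}":                          # close a section
            cur = stack.pop()
        else:                                      # key = value
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in strongswan.conf")
    return root


def lookup(conf, dotted):
    """Return the leaf at a dotted path such as charon.plugins.eap_gtc.pam_service."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return None if isinstance(node, dict) else node


def eap_gtc_pam_service(conf):
    return lookup(conf, "charon.plugins.eap_gtc.pam_service") or DEFAULT_PAM_SERVICE


def parse_pam_auth_stack(text):
    """Return the service's 'auth' lines as (control, module, options) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # also drops the #%PAM-1.0 header
        m = _AUTH_LINE.match(line)
        if not m:
            continue
        control, module, options = m.group(1), m.group(2).rsplit("/", 1)[-1], m.group(3)
        stack.append((control, module, options.split() if options else []))
    return stack


def audit_pam_stack(stack):
    findings = []
    for control, module, options in stack:
        if module == "pam_unix.so" and "nullok" in options:
            findings.append("pam_unix.so has nullok: accounts with an empty password can authenticate")
    if not stack:
        findings.append("no auth lines: PAM falls back to its default 'other' policy")
    elif stack[-1][1] != "pam_deny.so":
        findings.append("auth stack does not end with pam_deny.so: a failed 'sufficient' module "
                        "leaves the verdict to the remaining 'required' modules")
    return findings


def audit(strongswan_conf_text, pam_files):
    """pam_files maps service name -> file contents (stands in for /etc/pam.d/)."""
    service = eap_gtc_pam_service(parse_strongswan_conf(strongswan_conf_text))
    if service not in pam_files:
        return service, [f"PAM service '{service}' has no file under pam.d"]
    return service, audit_pam_stack(parse_pam_auth_stack(pam_files[service]))


# Constructed samples mirroring the snippets on this page.
SAMPLE_STRONGSWAN_CONF = """\
charon {
    plugins {
        eap_gtc {
            pam_service = ipsec
        }
    }
}
"""

SAMPLE_PAM_IPSEC = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
"""

if __name__ == "__main__":
    service, findings = audit(SAMPLE_STRONGSWAN_CONF, {"ipsec": SAMPLE_PAM_IPSEC})
    print(f"EAP-GTC verifies passwords via PAM service '{service}'")
    for finding in findings or ["no findings"]:
        print(" -", finding)
```

Run against the page's own snippets the script resolves the service to @ipsec@ and reports the @nullok@ option; with @pam_service@ absent it falls back to @login@, the default stated above. To audit a live host, read @/etc/strongswan.conf@ and the matching file under @/etc/pam.d/@ into the two arguments of @audit()@.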

A gateway configuration in [[IpsecConf|ipsec.conf]] might look like this:
<pre>
conn nm-clients
    # certificate handed out to client
    leftcert=cert.pem
    right=%any
    # subnet behind gateway to include in tunnel (optional)
    rightsubnet=10.1.0.0/16
    # IP address pool for clients requesting a virtual IP
    rightsourceip=10.1.250.0/24
    # handle all clients with this config
    rightid=%any
    # request GTC as EAP authentication method
    eap=gtc
    keyexchange=ikev2
    auto=add
</pre>