eap-gtc Plugin » History » Version 3

Version 2 (Tobias Brunner, 18.05.2011 16:45) → Version 3/5 (Martin Willi, 10.08.2012 11:27)

h1. EAP-GTC Plugin for client authentication

h2. Purpose

The _eap-gtc_ plugin is an IKEv2 EAP backend, as in "draft-sheffer-ipsecme-ikev2-gtc":http://tools.ietf.org/html/draft-sheffer-ipsecme-ikev2-gtc-02. It exchanges
EAP-GTC allows clients to authenticate securely using a plain username/password scheme. In GTC, the password is transmitted in cleartext to the secure IKEv2 channel. This password can be verified Gateway after the gateway has been authenticated using any XAuth password backend.

Before [[5.0.1]],
certificates. While this sounds insecure, it has some real advantages: You won't need access to clear text credentials on the plugin verified the credentials directly against PAM. Now it gateway and can use any XAuth backend. By default it uses [[XAuthPAM|xauth-pam]], resembling other authentication services to verify the behavior of 4.x releases.

password.
The EAP-GTC plugin is disabled by default and can be enabled by adding
<pre>--enable-eap-gtc</pre>
uses any PAM service to verify the ./configure options. You also need a XAuth backend received credentials.

h2. Compile with EAP-GTC

Add @--enable-eap-gtc@
to verify the password, such as configure flags to build with the GTC module, e.g.:
<pre>--enable-xauth-pam</pre> <pre>
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
</pre>
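
Review bot: the @./configure@ example in this section passes only @--enable-eap-gtc@, while the revised Purpose text says an XAuth backend is also needed to verify the password, such as @--enable-xauth-pam@. If the example is kept, add that flag to it so a build made from the example includes a backend to check the password against. The reworded Purpose paragraph should also keep the earlier statement that the password is sent only after the gateway has been authenticated using certificates, since the client discloses the cleartext password to whatever peer terminates the IKEv2 channel.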


h2. Configuration

The plugin is configured using By default, the following [[strongswanConf|strongswan.conf]] option: GTC module uses the PAM service _login_ which should be available on most systems. But you may create your own service, e.g in _/etc/pam.d/ipsec_:
<pre>
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
</pre>
To use that service, set the _pam_service_ option in [[strongswanconf|strongswan.conf]]:
<pre>
charon {
plugins {
eap_gtc {
pam_service = ipsec
}
}
}
</pre>
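
Review bot: the sample _/etc/pam.d/ipsec_ service passes @nullok@ to @pam_unix.so@, which lets accounts with an empty password authenticate. For a service that checks remote VPN logins, drop @nullok@ from the example, or say explicitly why it is there.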


|Key|Default|Description| A gateway configuration in [[IpsecConf|ipsec.conf]] might look like this:
|charon.plugins.eap-gtc.backend|pam|XAuth backend <pre>
conn nm-clients
# certificate handed out
to use| client
leftcert=cert.pem
right=%any
# subnet behind gateway to include in tunnel (optional)
rightsubnet=10.1.0.0/16
# IP address pool for clients requesting an virtual IP
rightsourceip=10.1.250.0/24
# handle all clients with this config
rightid=%any
# request GTC as EAP authentication method
eap=gtc
keyexchange=ikev2
auto=add
</pre>
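
Review bot: the option table names the key @charon.plugins.eap-gtc.backend@ with default @pam@, but the Purpose text calls the default backend xauth-pam and the strongswan.conf sample uses a section named @eap_gtc@ with @pam_service = ipsec@. Spell out the exact section name and the value expected in @backend@, and say whether @pam_service@ under the GTC plugin is still read from [[5.0.1]] on or has to move to the XAuth backend's own settings. Without that, someone upgrading a gateway cannot tell from this page which PAM service ends up verifying VPN passwords.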