eap-gtc Plugin » History » Version 4

Tobias Brunner, 19.09.2017 15:47
Incorporate some stuff from the other eap-gtc page

h1. EAP-GTC Plugin

h2. Purpose

The _eap-gtc_ plugin is an IKEv2 EAP backend, as specified in "draft-sheffer-ipsecme-ikev2-gtc":http://tools.ietf.org/html/draft-sheffer-ipsecme-ikev2-gtc. It exchanges a plaintext password inside the secure IKEv2 channel, and only after the server's identity has been verified. This password can be verified using any XAuth password backend.

Before version:5.0.1, the plugin verified the credentials directly against PAM. Now it can use any XAuth backend. By default it uses [[XAuthPAM|xauth-pam]], resembling the behavior of 4.x releases.

The plugin is disabled by default and can be enabled by adding
<pre>--enable-eap-gtc</pre> to the ./configure options. You also need an XAuth backend to verify the password, such as
<pre>--enable-xauth-pam</pre>

h2. Server Configuration

Beginning with version:5.0.1, any XAuth backend may be used to verify the credentials provided by the client. Combined with the [[XAuthPAM|xauth-pam]] plugin, the module's previous behavior is preserved. Using the _xauth-generic_ plugin as backend instead allows one to verify the credentials against XAUTH and EAP secrets defined in [[ipsec.secrets]] or [[swanctl.conf#secrets-section]] (or provided by any other credential set).

The plugin is configured using the following [[strongswan.conf]] option:

|Key|Default|Description|
|charon.plugins.eap-gtc.backend|pam|XAuth backend to use|

h2. Client Configuration

The client implementation of this module directly fetches shared secrets from the credential manager. Use _eap_ or _eap-gtc_ as authentication method and make sure the appropriate EAP or XAUTH secret is available through the credential manager (e.g. via [[ipsec.secrets]] or [[swanctl.conf#secrets-section]]).
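
A configuration sketch for the server and client setup described above, added here as an example and not taken from the strongSwan project's own documentation. The connection names, identities, certificate file name and secret are placeholders, and the backend value @generic@ for _xauth-generic_ is an assumption modelled on the @pam@ default.

```conf
# ---- Server: strongswan.conf ----
charon {
    plugins {
        eap-gtc {
            # Default is "pam" (xauth-pam). "generic" is assumed to be the
            # name under which the xauth-generic plugin registers; that
            # plugin must also be built (--enable-xauth-generic).
            backend = generic
        }
    }
}

# ---- Server: swanctl.conf ----
connections {
    rw-gtc {                              # placeholder connection name
        local {
            auth = pubkey                 # server proves its identity first
            certs = gateway-cert.pem      # placeholder file name
            id = gw.example.org           # placeholder identity
        }
        remote {
            auth = eap-gtc                # client sends its password via GTC
        }
    }
}
secrets {
    eap-alice {                           # checked by the xauth-generic backend
        id = alice
        secret = "REPLACE-WITH-PASSWORD"  # placeholder
    }
}

# ---- Client: swanctl.conf ----
connections {
    home {                                # placeholder connection name
        remote_addrs = gw.example.org
        local {
            auth = eap-gtc
            id = alice
        }
        remote {
            auth = pubkey                 # require certificate authentication
            id = gw.example.org           # pin the expected server identity
        }
    }
}
# The client also needs its own secrets { eap-alice { id, secret } } entry,
# identical in form to the server's, for the credential manager to find.
```

Because the password crosses the tunnel in plaintext, the client's @remote@ section is what protects it: with @auth = pubkey@ and a pinned @id@, the password is only released to a gateway that has proven that identity.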