Version 3 (Martin Willi, 10.08.2012 11:27) → Version 4/5 (Tobias Brunner, 19.09.2017 15:47)

h1. EAP-GTC Plugin

h2. Purpose

The _eap-gtc_ plugin is an IKEv2 EAP backend, as specified in "draft-sheffer-ipsecme-ikev2-gtc":http://tools.ietf.org/html/draft-sheffer-ipsecme-ikev2-gtc. It exchanges a plaintext password in the secure IKEv2 channel and only after verifying the server's identity. This password can be verified using any XAuth password backend.

Before version:5.0.1, the plugin verified the credentials directly against PAM. Now it can use any XAuth backend. By default it uses [[XAuthPAM|xauth-pam]], resembling the behavior of 4.x releases.

The plugin is disabled by default and can be enabled by adding
<pre>--enable-eap-gtc</pre> to the ./configure options. You also need an XAuth backend to verify the password, such as
<pre>--enable-xauth-pam</pre>

h2. Server Configuration

Beginning with version:5.0.1 any XAuth backend may be used to verify the credentials provided by the client. Combined with the [[XAuthPAM|xauth-pam]] plugin the module's previous behavior is preserved. Using the _xauth-generic_ plugin as backend instead allows one to verify the credentials against XAUTH and EAP secrets defined in [[ipsec.secrets]] or [[swanctl.conf#secrets-section]] (or provided by any other credential set).

The plugin is configured using the following [[strongswan.conf]] option:

|Key|Default|Description|
|charon.plugins.eap-gtc.backend|pam|XAuth backend to use|

h2. Client Configuration

The client implementation of this module directly fetches shared secrets from the credential manager. Use _eap_ or _eap-gtc_ as authentication method and make sure the appropriate EAP or XAUTH secret is available through the credential manager (e.g. via [[ipsec.secrets]] or [[swanctl.conf#secrets-section]]).
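
The server and client settings described above, as an added example that is not part of the original wiki page. The connection names, host name, certificate file, user name and password are constructed placeholders, and the backend value @generic@ for _xauth-generic_ is an assumption made by analogy with the default @pam@ for _xauth-pam_.

```conf
# --- Server: strongswan.conf ---
charon {
    plugins {
        eap-gtc {
            backend = generic    # assumed name of the xauth-generic backend (default: pam)
        }
    }
}

# --- Server: swanctl.conf ---
connections {
    rw-gtc {
        local {
            auth = pubkey            # server proves its identity with a certificate
            certs = serverCert.pem   # placeholder file name
            id = vpn.example.org     # placeholder identity
        }
        remote {
            auth = eap-gtc           # client then sends its password via EAP-GTC
            eap_id = %any            # request an EAP identity from the client
        }
        # children { ... } defined as for any other connection
    }
}
secrets {
    eap-alice {
        id = alice                       # placeholder user
        secret = "REPLACE-WITH-PASSWORD" # checked by the xauth-generic backend
    }
}

# --- Client: swanctl.conf ---
connections {
    home {
        remote_addrs = vpn.example.org
        local {
            auth = eap-gtc
            eap_id = alice
        }
        remote {
            auth = pubkey
            id = vpn.example.org     # password is only sent once this identity is verified
        }
        # children { ... } defined as for any other connection
    }
}
# The client's secrets section holds the same eap-alice entry as the server's.
```

Because the password travels in plaintext inside the IKEv2 channel, pinning the expected server identity in the client's @remote@ section is what keeps it from being handed to a server the client has not verified.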