ext-auth Plugin¶
Purpose¶
The ext-auth plugin invokes an external script to implement custom authorization rules.
The plugin is disabled by default and can be enabled by adding
--enable-ext-authto the ./configure options.
Implementation¶
If the plugin is configured, it invokes the command under a shell and evaluates the return value. If the command exits cleanly with an exit code of 0, authorization is granted. Otherwise IKE_SA authorization is rejected, usually resulting in an AUTH_FAILED notification.
The configured command is invoked under a shell (sh -c) with the following environment variables set:
| Variable | Description |
| IKE_UNIQUE_ID | The IKE_SA numerical unique identifier |
| IKE_NAME | The peer configuration connection name |
| IKE_LOCAL_HOST | Local IKE IP address |
| IKE_REMOTE_HOST | Remote IKE IP address |
| IKE_LOCAL_ID | Local IKE identity |
| IKE_REMOTE_ID | Remote IKE identity |
| IKE_REMOTE_EAP_ID | Remote EAP or XAuth identity, if used |
Configuration¶
The plugin is configured using the following strongswan.conf options:
| Key | Default | Description |
| charon.plugins.ext-auth.script | NULL | Script or command to execute |