XAuth EAP Plugin
The xauth-eap plugin is an IKEv1 XAuth server backend. It requests username/password XAuth credentials from the client and verifies them against any password-based IKEv2 EAP plugin. By default it uses the eap-radius plugin. This lets IKEv1 clients be authenticated against an AAA server using EAP, just as is done with IKEv2. Toward the AAA the server acts as an EAP client:
Client <--- IKEv1/Xauth ---> Server <--- RADIUS/EAP ---> AAA
The plugin is disabled by default and can be enabled by adding --enable-xauth-eap to the ./configure options. You also need EAP modules, a backend and a frontend:
The plugin was introduced in 5.0.0 and is for charon only.
Starting with 5.1.0, the eap-radius plugin has an integrated XAuth backend. This backend can directly verify XAuth credentials using the RADIUS User-Name and User-Password attributes, which is sufficient for most setups. Some installations might still prefer the xauth-eap + eap-radius combination, for example to have a single RADIUS configuration for both IKEv1 and IKEv2, or to add additional protection to passwords between the NAS and the AAA.
The plugin is configured using the following strongswan.conf option:
|Key|Default|Description|
|charon.plugins.xauth-eap.backend|radius|EAP plugin to use|
You could use any EAP backend, but eap-radius is what this plugin was designed for. The AAA server selects the EAP method used for authentication. The server needs support for that EAP method loaded, as it acts as an EAP client on behalf of the IKE client.
To authenticate clients with this backend, set:
rightauth=pubkey rightauth2=xauth-eap for traditional XAuth. For Hybrid authentication, use
Configure eap-radius (or the configured backend) accordingly.
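The following is an added example that is not part of the original page or the strongSwan project's own documentation. It puts the two pieces of configuration described above side by side: the strongswan.conf section that selects eap-radius as the xauth-eap backend and points it at a RADIUS server, and an ipsec.conf connection for traditional XAuth (rightauth=pubkey plus rightauth2=xauth-eap). The RADIUS address, shared secret, NAS identifier, certificate file and subnet are placeholders I made up; the example also assumes the AAA will offer an EAP method for which the corresponding strongSwan plugin is loaded, since the server has to complete that method on the IKE client's behalf.

```conf
# /etc/strongswan.conf  (added example, placeholder values)
charon {
    plugins {
        xauth-eap {
            # "radius" is the default; spelled out here so the chain
            # IKEv1/XAuth -> xauth-eap -> eap-radius -> AAA is explicit.
            backend = radius
        }
        eap-radius {
            # Placeholder AAA server; the RADIUS secret protects the
            # transport between this NAS and the AAA, the EAP method
            # chosen by the AAA protects the password inside it.
            server = 192.0.2.10
            secret = change-this-placeholder-secret
            nas_identifier = vpn-gw-placeholder
        }
    }
}

# /etc/ipsec.conf  (added example, placeholder values)
config setup

conn ikev1-xauth-eap
    keyexchange=ikev1
    # Server side: certificate authentication.
    left=%any
    leftcert=vpnGatewayCert.pem        # placeholder certificate file
    leftauth=pubkey
    leftsubnet=10.0.0.0/24             # placeholder protected subnet
    # Client side: certificate first, then XAuth credentials that
    # xauth-eap forwards to the configured EAP backend (eap-radius).
    right=%any
    rightauth=pubkey
    rightauth2=xauth-eap
    rightsourceip=10.1.0.0/24          # placeholder virtual IP pool
    auto=add
```

Because xauth-eap hands the XAuth password to the EAP backend rather than to RADIUS directly, the AAA must be configured to run an EAP conversation for these users; if it only accepts plain User-Password requests, the eap-radius plugin's own XAuth backend mentioned above (5.1.0 and later) is the simpler fit.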