XAuth EAP Plugin

Purpose

The xauth-eap plugin is an IKEv1 XAuth server backend. It requests username/password XAuth credentials from the client and verifies them against any password-based IKEv2 EAP plugin. By default it uses the eap-radius plugin. This lets the client authenticate against an AAA server using EAP, just as with IKEv2. The server acts as an EAP client towards the AAA server:

Client <--- IKEv1/Xauth ---> Server <--- RADIUS/EAP ---> AAA

The plugin is disabled by default and can be enabled by adding

  --enable-xauth-eap

to the ./configure options. You also need EAP modules, an EAP backend such as eap-radius and an EAP method plugin such as eap-mschapv2:

  --enable-eap-radius --enable-eap-mschapv2

The plugin was introduced in 5.0.0 and is for charon only.

Starting with 5.1.0, the eap-radius plugin has an integrated XAuth backend. This backend directly verifies XAuth credentials using the RADIUS User-Name and User-Password attributes, which is sufficient for most setups. Some installations might still prefer the xauth-eap + eap-radius combination, for example to have a single RADIUS configuration for both IKEv1 and IKEv2, or to add additional protection to passwords between the NAS and the AAA server.

Configuration

The plugin is configured using the following strongswan.conf option:

Key                                 Default   Description
charon.plugins.xauth-eap.backend    radius    EAP plugin to use

You could use any EAP backend, but eap-radius is what this plugin was designed for. The AAA server selects the EAP method used for authentication. The strongSwan server needs support for this EAP method, as it acts as an EAP client on behalf of the IKE client.

Connections

To authenticate clients with this backend, set

  rightauth=pubkey
  rightauth2=xauth-eap

for traditional XAuth. For Hybrid authentication, use

  rightauth=xauth-eap

Configure eap-radius (or the configured backend) accordingly.
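As an added example that is not part of the original wiki page, the following puts the strongswan.conf backend option and the ipsec.conf connection settings above together into one complete server-side setup using eap-radius. The RADIUS server address, NAS identifier, certificate file name, subnets and the shared secret are constructed placeholders and must be replaced for a real deployment.

```conf
# --- /etc/strongswan.conf (constructed example, not the project's own) ---
charon {
    plugins {
        xauth-eap {
            # EAP plugin that verifies the XAuth username/password (default: radius)
            backend = radius
        }
        eap-radius {
            # AAA server that terminates the EAP method selected on its side;
            # charon must have the matching EAP method plugin (e.g. eap-mschapv2) loaded
            servers {
                primary {
                    address = 192.0.2.10            # placeholder RADIUS server
                    auth_port = 1812
                    secret = CHANGE-ME-shared-secret  # placeholder, use a strong secret
                }
            }
            nas_identifier = vpn-gw.example.org    # placeholder NAS-Identifier
        }
    }
}

# --- /etc/ipsec.conf (constructed example, not the project's own) ---
config setup

conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftcert=gatewayCert.pem      # placeholder gateway certificate
    leftauth=pubkey
    leftsubnet=10.1.0.0/16        # placeholder protected network
    right=%any
    rightsourceip=10.2.0.0/24     # placeholder virtual IP pool for clients

# Traditional XAuth: the client authenticates with a certificate first,
# then with username/password checked over RADIUS/EAP via xauth-eap.
conn xauth-cert
    rightauth=pubkey
    rightauth2=xauth-eap
    auto=add

# Hybrid authentication: only the gateway authenticates with a certificate,
# the client is authenticated solely by its XAuth credentials.
conn xauth-hybrid
    rightauth=xauth-eap
    auto=add
```

Since the AAA server picks the EAP method, the traffic between the gateway and the RADIUS server carries EAP inside RADIUS rather than the plain User-Password attribute; keep the RADIUS shared secret out of world-readable files and restrict the RADIUS server to accept the gateway's address only.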