new eap method: eap-ikev2
Hello all, We're currently working on new eap method for freeradius and wpa_supplicant: eap-ikev2 (http://tools.ietf.org/wg/eap/draft- tschofenig-eap-ikev2-07.txt). Method is able: mutual uthentication (certificate or shared secret based), cryptographic suit negotiation, fast rekeying (fast reconnect), channel binding and so on. We currently have some working implementation but without fast rekeying, channel binding and some other minor things. I would to ask You for some help. Some thing regarding freeradius are unclear to us. First, we can't find any kind of fast rekeying code in reeradius. Is freeradius supporting anyhow such thing? Any other eap method is using fast rekeying? eap-ikev2 is using it's own id data to identify supplicant and sever, it can be different than eap id. And we have a problem with users authorization, in a situation when eap id is different than internal ikev2 id, freeradius is giving access to user data (gathered in users.conf) only for users described by an eap id. Can eap method somehow access other users data? I would appreciate any help. Regards, Rafal Mijal ---------------------------------------------------- Wybierz Książkę Roku, wygraj nagrody! http://klik.wp.pl/?adr=http%3A%2F%2Fadv.reklama.wp.pl%2Fas%2Fksiazka_roku.ht...
"sdfsdv sdfdsf" <dr_ojboli@wp.pl> wrote:
First, we can't find any kind of fast rekeying code in reeradius. Is freeradius supporting anyhow such thing? Any other eap method is using fast rekeying?
It's not implemented in the server.
eap-ikev2 is using it's own id data to identify supplicant and sever, it can be different than eap id.
Please be specific. There EAP protocol Id's, which are 8-bit numbers. Then there is the EAP-Identity. Which one do you mean?
And we have a problem with users authorization, in a situation when eap id is different than internal ikev2 id, freeradius is giving access to user data (gathered in users.conf) only for users described by an eap id. Can eap method somehow access other users data?
I *think* what you mean is that the EAP-Identity is not the same as the User-Name. Since FreeRADIUS is first a RADIUS server, it presumes that the users identity is in the User-Name attribute. You can change that in your module, if you want. Alan DeKok.
participants (2)
-
Alan DeKok -
sdfsdv sdfdsf