Stefan Winter wrote:
Ah, I found something about that. strongswan forwards the EAP message in RADIUS, and both of EAP-Resp/Identity and consequently User-Name are set to the *IP address* of the connecting client (the non-tunnel one). This looks like
rad_recv: Access-Request packet from host 158.64.1.13 port 33044, id=199, length=97 User-Name = " \001\n\030\000\000\004\003aW\025����\353" EAP-Message = 0x020000150120010a1800000403615715fda1b3aeeb
when the client's public IP address is 2001:0a18:0000:0403:...
That is an absolutely horrible thing to do. They should fix that ASAP.
We're still tryinto stop that from happening. Either it's windows which thinks it has to identify itself with its IP address (even though we're PEAPing here, and "Enable identity privacy" is set - so it is explicitly told to use that string to authenticate), or it's strongswan making this up by itself.
Anyway, not a FreeRADIUS problem.
I've had conversations with the Strongswan people, and met them in person. So if you have issues, CC me in email... Alan DeKok.