ike-auth: Add option to use EAP-only authentication without notify
authorTobias Brunner <tobias@strongswan.org>
Tue, 7 Apr 2020 16:49:00 +0000 (18:49 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 7 May 2020 13:05:55 +0000 (15:05 +0200)
Some peers apparently don't send the notify and still expect to
authenticate with EAP-only authentication.  This option allows forcing
the configured use of EAP-only authentication in that scenario.

conf/options/charon.opt
src/libcharon/sa/ikev2/tasks/ike_auth.c

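index d9d98ef..fd2d36a 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -120,6 +120,10 @@ charon.flush_auth_cfg = no
 charon.follow_redirects = yes
        Whether to follow IKEv2 redirects (RFC 5685).
 
+charon.force_eap_only_authentication = no
+       Violate RFC 5998 and use EAP-only authentication even if the peer did not
+       send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
+
 charon.fragment_size = 1280
        Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
        when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults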
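index 6448d8b..54f51d1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1009,9 +1009,19 @@ METHOD(task_t, build_r, status_t,
                        if (!this->ike_sa->supports_extension(this->ike_sa,
                                                                                                  EXT_EAP_ONLY_AUTHENTICATION))
                        {
-                               DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
-                                        "does not support it");
-                               goto peer_auth_failed;
+                               if (lib->settings->get_bool(lib->settings,
+                                                       "%s.force_eap_only_authentication", FALSE, lib->ns))
+                               {
+                                       DBG1(DBG_IKE, "ignore missing %N notify and use EAP-only "
+                                                "authentication", notify_type_names,
+                                                EAP_ONLY_AUTHENTICATION);
+                               }
+                               else
+                               {
+                                       DBG1(DBG_IKE, "configured EAP-only authentication, but "
+                                                "peer does not support it");
+                                       goto peer_auth_failed;
+                               }
                        }
                }
                else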
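Review bot: The forced branch at the `get_bool` check carries no comment saying why an RFC 5998 requirement is deliberately bypassed or what the responder then relies on, which the next reader of build_r will need; I would add above the inner `if`: `/* RFC 5998 requires the peer to send EAP_ONLY_AUTHENTICATION; some peers omit it yet expect EAP-only authentication, so optionally proceed and rely on the mutual EAP method alone */`. Because EAP-only authentication means the responder does not authenticate with its own credentials, the requirement that the configured EAP method be mutually authenticating becomes the only binding of the peer's identity; that check appears to live outside this hunk, so the log line could state it rather than only noting the ignored notify, e.g. `"ignore missing %N notify and use EAP-only authentication (mutual EAP method required)"`. build_r starts and ends outside the hunk.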