eap-dynamic Plugin


The eap-dynamic plugin for libcharon acts as a proxy that dynamically selects an EAP method that is supported/preferred by the client. If the original EAP method initiated by the plugin is rejected with an EAP-NAK message, it will select a different method that is supported/requested by the client.

The plugin is disabled by default and can be enabled with the ./configure option


You also need to enable actual EAP methods, such as eap-md5, eap-mschapv2 or eap-tls.


The eap-dynamic plugin is configured using the following options in the charon.plugins.eap-dynamic section of strongswan.conf:

Key Default Description



If enabled the order of the EAP methods in an EAP-NAK message sent by a client is preferred over the one configured locally


The preferred EAP method(s) to be used. If not set, the first registered method will be used initially. If a comma separated list is specified, the methods are tried in the given order before trying the rest of the registered methods

Client Behavior

Irrespective of whether the plugin is enabled or not, strongSwan will send an EAP-NAK message if the server initiates an EAP method that the client doesn’t support. Clients may also request a specific EAP method by configuring that method with in the swanctl.conf

connections.<conn>.local.auth = eap-<method>

The EAP-NAK will then only contain that method, otherwise all supported methods are included.


Figure 1. strongSwan example showing the use of the eap-dynamic plugin