eap-dynamic Plugin

Purpose

The eap-dynamic plugin for libcharon acts as a proxy that dynamically selects an EAP method that is supported/preferred by the client. If the original EAP method initiated by the plugin is rejected with an EAP-NAK message, it will select a different method that is supported/requested by the client.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-eap-dynamic

You also need to enable actual EAP methods, such as eap-md5, eap-mschapv2 or eap-tls.

Configuration

The eap-dynamic plugin is configured using the following options in the charon.plugins.eap-dynamic section of strongswan.conf:

Key          Default  Description
prefer_user  no       If enabled, the order of the EAP methods in an EAP-NAK message sent by a client is preferred over the one configured locally.
preferred             The preferred EAP method(s) to be used. If not set, the first registered method will be used initially. If a comma-separated list is specified, the methods are tried in the given order before trying the rest of the registered methods.

Client Behavior

Irrespective of whether the plugin is enabled or not, strongSwan will send an EAP-NAK message if the server initiates an EAP method that the client doesn’t support. Clients may also request a specific EAP method by configuring that method in swanctl.conf:

connections.<conn>.local.auth = eap-<method>

The EAP-NAK will then only contain that method, otherwise all supported methods are included.
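The selection rules from the Configuration and Client Behavior sections, traced in a small Python model added to this page (it is not the plugin's code; the registered method list, the preferred setting and the EAP-NAK contents are constructed samples):

```python
# Illustrative model of the eap-dynamic selection rules (added example, not
# the plugin's source). Method names and lists below are constructed samples.

def server_order(registered, preferred=None):
    """Order in which the server tries methods: the configured `preferred`
    list first (in the given order), then the remaining registered methods."""
    preferred = [m for m in (preferred or []) if m in registered]
    return preferred + [m for m in registered if m not in preferred]


def initial_method(registered, preferred=None):
    """Method the server initiates before it has seen any EAP-NAK."""
    return server_order(registered, preferred)[0]


def select_after_nak(registered, nak_methods, preferred=None, prefer_user=False):
    """Method selected after the client rejected the initial one with an
    EAP-NAK listing the methods it supports (or only the single method it
    requested via local.auth = eap-<method>). Returns None when no registered
    method is acceptable to the client."""
    if prefer_user:
        # prefer_user = yes: the order in the client's EAP-NAK wins, but only
        # methods registered on the server can ever be selected
        return next((m for m in nak_methods if m in registered), None)
    # prefer_user = no: walk the locally configured order and take the first
    # method the client listed in its NAK
    return next((m for m in server_order(registered, preferred)
                 if m in nak_methods), None)


# constructed sample: methods loaded on the server and a strongswan.conf
# setting of charon.plugins.eap-dynamic.preferred = eap-tls
REGISTERED = ["eap-md5", "eap-mschapv2", "eap-tls"]
PREFERRED = ["eap-tls"]


def trace(nak_methods, prefer_user=False):
    """Return (method initiated first, method selected after the NAK) for a
    client whose EAP-NAK lists nak_methods."""
    first = initial_method(REGISTERED, PREFERRED)
    chosen = select_after_nak(REGISTERED, nak_methods, PREFERRED, prefer_user)
    return first, chosen


if __name__ == "__main__":
    # client without EAP-TLS rejects the initial pick and lists what it has
    print(trace(["eap-mschapv2", "eap-md5"]))                    # ('eap-tls', 'eap-md5')
    print(trace(["eap-mschapv2", "eap-md5"], prefer_user=True))  # ('eap-tls', 'eap-mschapv2')
    # client configured with local.auth = eap-mschapv2: NAK names only that
    print(trace(["eap-mschapv2"]))                               # ('eap-tls', 'eap-mschapv2')
```

The same client NAK yields eap-md5 or eap-mschapv2 depending only on prefer_user, which is the setting's whole effect: it decides whose ordering breaks the tie among methods both sides support.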

Example

Figure 1. strongSwan example showing the use of the eap-dynamic plugin