@ttyridal

Support for configuring EAP-TLS authentication scheme is added.
Required for certificate authenticated road warriors on clients that don't support pubkey (Windows, MacOS, probably more)

Maintainer: @pprindeville
Runtested: 24.10.2

Support for configuring EAP-TLS authentication scheme is added.

Similar to EAP-MSCHAPv2, this one is usually asymmetric 
in the way that server auth method (pubkey) is different from 
the client auth method (eap-tls).
The code handles this asymmetry automatically.

Signed-off-by: Torbjørn Tyridal <[email protected]>

Signed-off-by: Torbjorn Tyridal <[email protected]>
Member

@pprindeville pprindeville left a comment

Needs PKG_RELEASE bump.


local local_auth_method="$auth_method"
[ "$auth_method" = "eap-mschapv2" ] && local_auth_method="pubkey"
[ "$auth_method" = "eap-tls" ] && local_auth_method="pubkey"
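Review bot: the last two lines test `$auth_method` separately but assign the same value, so the set of methods that fall back to `pubkey` on the local side is spread over two statements. A single `case "$auth_method" in eap-mschapv2|eap-tls) local_auth_method="pubkey" ;; esac` states the mapping once and keeps the list of EAP methods in one place if another one is added later.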
Member

Please combine these lines.

Author

like this?
[ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ] && local_auth_method="pubkey"

starting to look like a code-smell, if you ask me - but I'm not that used to bash coding.🙈

[ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
[ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
[ "$auth_method" = eap-mschapv2 ] && swanctl_xappend3 "eap_id = $eap_id"
[ "$auth_method" = eap-tls ] && swanctl_xappend3 "eap_id = $eap_id"
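Review bot: on the last two lines `eap_id = $eap_id` is written without the `[ -n ... ]` guard and without the escaped quotes that the `id` and `cacerts` lines just above use. Unless `$eap_id` is given a default outside this hunk, an unset option produces `eap_id = ` with no value, and whatever the option contains goes into the generated config verbatim. Consider guarding on `-n "$eap_id"` (or defaulting it) and emitting it as `"eap_id = \"$eap_id\""` to match the neighbouring lines.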
Member

Same

Signed-off-by: Torbjorn Tyridal <[email protected]>
@ttyridal ttyridal requested a review from pprindeville November 2, 2025 21:04
Member

@GeorgeSapkin GeorgeSapkin left a comment

You need to squash your commits. Use your real email (and not the GitHub noreply) in the signoff. And bump, i.e. increase, PKG_RELEASE in the Makefile as already mentioned.

[ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
[ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
[ "$auth_method" = eap-mschapv2 ] && swanctl_xappend3 "eap_id = $eap_id"
[ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ] && swanctl_xappend3 "eap_id = $eap_id"
Member

Although AFAICT this is correct, there are a few alternatives to make this less ambiguous:

Suggested change
[ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ] && swanctl_xappend3 "eap_id = $eap_id"
if [ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ]; then
swanctl_xappend3 "eap_id = $eap_id"
fi

or:

Suggested change
[ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ] && swanctl_xappend3 "eap_id = $eap_id"
case "$auth_method" in
eap-mschapv2 | eap-tls)
swanctl_xappend3 "eap_id = $eap_id"
;;
esac

or:

Suggested change
[ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ] && swanctl_xappend3 "eap_id = $eap_id"
[[ "$auth_method" = "eap-mschapv2" || "$auth_method" = "eap-tls" ]] && swanctl_xappend3 "eap_id = $eap_id"

This applies to the other case as well.

Member

Actually, I don't think ash/Busybox supports [[ but I could be wrong... Try it. Otherwise use { ... } for grouping like:

{ [ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ]; } && swanctl_xappend3 "eap_id = $eap_id"
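The grouping question discussed in this thread, as an added example that is not code from the pull request: it runs the one-line list, the brace group and the `case` form side by side in POSIX sh (no `[[`) and shows they select the same methods but differ in exit status. `swanctl_xappend3` here is a stub standing in for the package's helper, the function names are hypothetical, and the method list and `%any` are constructed sample values.

```shell
#!/bin/sh
# Stub standing in for the package's swanctl_xappend3 (assumption): it only
# collects the text it is given in OUT so the variants can be compared.
OUT=""
swanctl_xappend3() { OUT="${OUT}$1"; }

# One-line list from the thread. In sh, && and || have equal precedence and
# associate left, so this is (A || B) && C. Status is non-zero on no match.
emit_list() {
	[ "$1" = "eap-mschapv2" ] || [ "$1" = "eap-tls" ] && swanctl_xappend3 "eap_id = $2"
}

# Explicit brace group; sh needs ';' (or a newline) before the closing '}'.
emit_group() {
	{ [ "$1" = "eap-mschapv2" ] || [ "$1" = "eap-tls" ]; } && swanctl_xappend3 "eap_id = $2"
}

# case form: one pattern list, and status 0 even when nothing matches.
emit_case() {
	case "$1" in
	eap-mschapv2 | eap-tls) swanctl_xappend3 "eap_id = $2" ;;
	esac
}

# render VARIANT AUTH_METHOD EAP_ID: print what the variant would append.
render() {
	OUT=""
	"$1" "$2" "$3" || true
	printf '%s' "$OUT"
}

# Local (server-side) auth for a configured method, per the PR description:
# EAP methods authenticate the client, the server still uses pubkey.
local_auth_for() {
	case "$1" in
	eap-mschapv2 | eap-tls) echo pubkey ;;
	*) echo "$1" ;;
	esac
}

# Constructed sample inputs; "%any" is a sample eap_id value.
for m in eap-mschapv2 eap-tls pubkey psk; do
	for v in emit_list emit_group emit_case; do
		printf '%-13s %-11s local=%-7s remote: %s\n' \
			"$m" "$v" "$(local_auth_for "$m")" "$(render "$v" "$m" "%any")"
	done
done
```

The exit-status difference only matters where the statement is the last command of a function whose return value is checked; the `case` form avoids it.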
