ike-auth: Add option to use EAP-only authentication without notify

Some peers apparently don't send the notify and still expect to
authenticate with EAP-only authentication.  This option allows forcing
the configured use of EAP-only authentication in that scenario.

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index d9d98ef9c913fee14726a4883e6b9d8b2b70f439..fd2d36a0b7e68361cf7655d8ea00490bbae8cc95 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -120,6 +120,10 @@ charon.flush_auth_cfg = no
 charon.follow_redirects = yes
        Whether to follow IKEv2 redirects (RFC 5685).
 
+charon.force_eap_only_authentication = no
+       Violate RFC 5998 and use EAP-only authentication even if the peer did not
+       send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
+
 charon.fragment_size = 1280
        Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
        when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 6448d8baa9ce165be12491f46dadf80e9aa251a3..54f51d1ebcc66c3307a6b737630364a46a8b4e00 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1009,9 +1009,19 @@ METHOD(task_t, build_r, status_t,
                        if (!this->ike_sa->supports_extension(this->ike_sa,
                                                                                                  EXT_EAP_ONLY_AUTHENTICATION))
                        {
-                               DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
-                                        "does not support it");
-                               goto peer_auth_failed;
+                               if (lib->settings->get_bool(lib->settings,
+                                                       "%s.force_eap_only_authentication", FALSE, lib->ns))
+                               {
+                                       DBG1(DBG_IKE, "ignore missing %N notify and use EAP-only "
+                                                "authentication", notify_type_names,
+                                                EAP_ONLY_AUTHENTICATION);
+                               }
+                               else
+                               {
+                                       DBG1(DBG_IKE, "configured EAP-only authentication, but "
+                                                "peer does not support it");
+                                       goto peer_auth_failed;
+                               }
                        }
                }
                else