opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

VPN: IPsec: Connections [new] - Allow the use of eap_id = %any #6824

Closed Monviech closed 1 year ago

Monviech commented 1 year ago

Is your feature request related to a problem? Please describe.

If you use eap-mschapv2 on the OPNsense side in combination with a Windows VPN as client, Windows expects to be asked for an EAP-Identity exchange. If you don't offer it, the first authentication round will always fail and you have to input your username and password twice each time you connect the client.

For that to be fixed, you have to set the "eap_id = %any" in the remote authentication.

Example:

    remote-id {
        round = 0
        auth = eap-mschapv2
        eap_id = %any
    }

The parameter can't be set in the OPNsense GUI because there is a text validation error.

Describe the solution you'd like

I would like the GUI to allow setting "EAP Id" explicitly to "%any". The help text can be adjusted to hint to the use of %any.

Describe alternatives you considered

I don't know of any.

Additional context

https://wiki.strongswan.org/issues/1183
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote

"eap_id: Identity to use as peer identity during EAP authentication. If set to %any the EAP-Identity method will be used to ask the client for an EAP identity"

fichtner commented 1 year ago

For reference this was mentioned here just yesterday... https://github.com/opnsense/core/issues/3295#issuecomment-1706853647

AdSchellevis commented 1 year ago

https://github.com/opnsense/core/commit/e6da85918d2a63e35b4e76d6ef0166f7bf3ba872 should do the trick.

Monviech commented 1 year ago

@AdSchellevis I will give feedback tomorrow. Thank you for all your great work!

Monviech commented 1 year ago

I have tested it and it works for locals, but not for remotes.

In /usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml the eap_id is defined in two sections. The patch added the regex pattern to locals.

<locals>
    <eap_id type="TextField">
        <Required>N</Required>
        <mask>/^([0-9a-zA-Z\.\-,_\:\@\%]){0,1024}$/u</mask>
    </eap_id>
</locals>
<remotes>
    <eap_id type="TextField">
        <Required>N</Required>
        <mask>/^([0-9a-zA-Z\.\-,_\:\@]){0,1024}$/u</mask>
    </eap_id>
</remotes>

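To see why the first commit fixed only half the problem, here is an added Python check (not OPNsense code) that loads the two eap_id masks from the model excerpt quoted above and tests "%any" against each. The XML is a constructed copy of the fragment in the comment, and the PCRE-to-Python conversion is an assumption that holds for these simple masks.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the Swanctl.xml fragment quoted in the issue, as it
# looked after the first commit: only <locals> carries "\%" in its mask.
MODEL_XML = r"""
<model>
  <locals>
    <eap_id type="TextField">
      <Required>N</Required>
      <mask>/^([0-9a-zA-Z\.\-,_\:\@\%]){0,1024}$/u</mask>
    </eap_id>
  </locals>
  <remotes>
    <eap_id type="TextField">
      <Required>N</Required>
      <mask>/^([0-9a-zA-Z\.\-,_\:\@]){0,1024}$/u</mask>
    </eap_id>
  </remotes>
</model>
"""


def pcre_to_python(pattern):
    """Turn a PHP/PCRE '/.../flags' literal into a compiled Python regex.
    Assumption: only the 'u' and 'i' flags occur, and the body uses no
    PCRE-only syntax (true for the two masks above)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.S)
    if m is None:
        raise ValueError("not a delimited PCRE pattern: %r" % pattern)
    body, flags = m.groups()
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


def load_masks(xml_text):
    """Return {section: compiled regex} for every eap_id <mask> in the model."""
    masks = {}
    for section in ET.fromstring(xml_text):
        mask = section.find("eap_id/mask")
        if mask is not None:
            masks[section.tag] = pcre_to_python(mask.text.strip())
    return masks


def validate_eap_id(value, masks, section):
    """True if the GUI mask for `section` would accept `value`."""
    return masks[section].fullmatch(value) is not None


if __name__ == "__main__":
    masks = load_masks(MODEL_XML)
    for section in ("locals", "remotes"):
        print(section, "%any ->", validate_eap_id("%any", masks, section))
```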
AdSchellevis commented 1 year ago

meh, stupid me, missed a spot https://github.com/opnsense/core/commit/2207bd2634643ac77598f25a4175083a12c63b35

Monviech commented 1 year ago

Thank you now it's all good. 👍