Use the AAA Identity for EAP authentication, if given

2 files changed, 14 insertions, 1 deletions

diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 0a2cb658c..8b22fd1d7 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -99,22 +99,30 @@ struct private_eap_authenticator_t {
 static eap_method_t *load_method(private_eap_authenticator_t *this,
 							eap_type_t type, u_int32_t vendor, eap_role_t role)
 {
-	identification_t *server, *peer;
+	identification_t *server, *peer, *aaa;
+	auth_cfg_t *auth;
 
 	if (role == EAP_SERVER)
 	{
 		server = this->ike_sa->get_my_id(this->ike_sa);
 		peer = this->ike_sa->get_other_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	}
 	else
 	{
 		server = this->ike_sa->get_other_id(this->ike_sa);
 		peer = this->ike_sa->get_my_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 	}
 	if (this->eap_identity)
 	{
 		peer = this->eap_identity;
 	}
+	aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY);
+	if (aaa)
+	{
+		server = aaa;
+	}
 	return charon->eap->create_instance(charon->eap, type, vendor,
 										role, server, peer);
 }
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index 95f87eb0d..32a311845 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -537,6 +537,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			{
 				cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
 			}
+			id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
+			if (id)
+			{
+				cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
+			}
 		}
 
 		/* verify authentication data */