On 2017-01-13, Piotr Soróbka <[email protected]> wrote: > Hi, > can openiked send EAP requests to a PAM module or directly to RADIUS server?
In a word: no. OpenBSD doesn't use PAM at all, and the only EAP method implemented in iked is MSCHAPv2 using a local database of passwords (as the server needs access to the plaintext for MSCHAPv2, these must be stored in the clear). It doesn't talk to radius. npppd (used for IKEv1+L2TP) *can* talk to radius for PAP/CHAP, there is also some code in the source tree for EAP but this is hidden behind a #define which is not enabled on OpenBSD, I'm not sure what would be needed in order to use that.
