On 02/21/2011 05:41 PM, Paul Dekkers wrote:
> Hi,
>
> I'd like to verify xauth username/password authentication with a
> database (RADIUS or LDAP or so). So far it seems I can only add these
> credentials in /etc/ipsec.secrets - is that true? (Sounds a little
> inflexible to me ;-))
>

The XAUTH credential verification is implemented by the xauth plugin, which by default looks up the username/password from ipsec.secrets. You are free to modify the plugin so that it connects to a RADIUS or LDAP server. We don't offer this option because our main development effort is on the new IKEv2 protocol, where the eap-md5, eap-mschapv2 and eap-radius plugins can be readily used to achieve the same objective.
> One more question related to ipsec.secrets; it's true I cannot have a
> different shared secret per user, right? It's clearly preferred to use
> certificates for this, but not all clients are capable of it (for
> instance the iPhone can only use a shared secret with L2TP, but is able
> to use a certificate in IPSEC mode (but that uses XAUTH and does again
> not allow me to relay authentication via RADIUS to use tokens or so...)).
>

Due to the properties of the IKEv2 Main Mode protocol it is not possible to assign individual passwords to users if they initiate their connection with dynamic IP addresses.

> Regards,
> Paul

Regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
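As an added illustration, not part of the thread above and not strongSwan's own sample configuration, here is what the two options Andreas contrasts look like side by side: an IKEv1 road-warrior connection whose XAUTH passwords can only come from ipsec.secrets, and an IKEv2 connection that relays the same users to a RADIUS server through the eap-radius plugin. Gateway name, certificate and key file names, subnets, user names, passwords, the RADIUS address and the RADIUS shared secret are all placeholders. The option names are those of ipsec.conf and strongswan.conf; the `servers` subsection under `eap-radius` is the form documented for newer releases, older ones take `server`/`secret` directly under `eap-radius` (assumption about which release is in use).

```ini
# ---------------- /etc/ipsec.conf (added example; all values are placeholders) ----------------

config setup

conn %default
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightsourceip=10.3.0.0/24
    auto=add

# IKEv1 road warriors: gateway certificate plus XAUTH user/password.
# The stock xauth plugin answers the XAUTH exchange from ipsec.secrets only.
conn rw-ikev1-xauth
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server

# IKEv2 road warriors: gateway certificate plus EAP, with the whole EAP
# conversation forwarded to RADIUS by the eap-radius plugin.
# eap_identity=%identity passes the user name the client sends inside EAP
# on to the RADIUS server instead of the IKE identity.
conn rw-ikev2-eap-radius
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%identity
    rightsendcert=never

# ---------------- /etc/ipsec.secrets (added example) ----------------

: RSA gatewayKey.pem

# One XAUTH line per user: the only credential store the stock xauth plugin consults.
carol : XAUTH "Ar3etTnp"
dave  : XAUTH "W7R0g3do"

# For IKEv1 PSK clients on dynamic addresses the secret can only be selected
# by the peer's IP, so all such clients share this single entry.
: PSK "one-secret-for-every-road-warrior"

# ---------------- /etc/strongswan.conf (added example; RADIUS values are placeholders) ----------------

charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10
                    secret = radius-shared-secret-placeholder
                }
            }
        }
    }
}
```

With this layout the IKEv1 clients keep working unchanged while any client able to speak IKEv2 with EAP is verified by RADIUS, which is where tokens or an LDAP lookup can be plugged in. Later strongSwan 5.x releases added an xauth-eap plugin that verifies XAUTH credentials through an EAP backend such as eap-radius; the reply above predates it, so for the release being discussed the IKEv2 route is the one on offer.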
