On 21-02-11 19:52, Andreas Steffen wrote:
> On 02/21/2011 05:41 PM, Paul Dekkers wrote:
>> Hi,
>>
>> I'd like to verify xauth username/password authentication with a
>> database (RADIUS or LDAP or so). So far it seems I can only add these
>> credentials in /etc/ipsec.secrets - is that true? (Sounds a little
>> inflexible to me ;-))
>>
> The XAUTH credential verification is implemented by the xauth plugin
> which by default looks up the username/password from ipsec.secrets.
> You are free to modify the plugin so that it connects to a RADIUS
> or LDAP server. We don't offer this option because our main
> development effort is on the new IKEv2 protocol where the eap-md5,
> eap-mschapv2 and eap-radius plugins can be readily used to achieve
> the same objective.
Hmm, I'm a strong EAP believer, I did notice EAP support, but I'm afraid
the clients I'm after (iPhone, Mac OS X) support neither IKEv2 nor EAP :-(
(I noticed openswan does xauth with PAM, maybe that works for me along
with pam_radius, I'd have to take a look.)

>> One more question related to ipsec.secrets; it's true I cannot have a
>> different shared secret per user, right? It's clearly preferred to use
>> certificates for this, but not all clients are capable of it (for
>> instance the iPhone can only use a shared secret with L2TP, but is able
>> to use a certificate in IPSEC mode (but that uses XAUTH and does again
>> not allow me to relay authentication via RADIUS to use tokens or so...)).
>>
> Due to the properties of the IKEv2 Main Mode protocol it is not
> possible to assign individual passwords to users if they initiate their
> connection with dynamic IP addresses.

Ok, that's what I assumed. Not so bad, but then it means on the iPhone
I'm indeed thinking towards (Cisco) IPSEC instead of L2TP (because a
shared secret in a large environment wouldn't work well). Unfortunately
L2TP worked with RADIUS, and IPSEC/XAUTH doesn't ;-)

Anyway, thanks for your replies,

Regards,
Paul

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
