Hi Richard,

> Is there an EAP or similar mechanism that can be used to offload RSAsig
> authentication to an AAA server?

If you want to use RSA, EAP-TLS might be an option in combination with the EAP-RADIUS plugin on the gateway (see [1] for an example) to offload it to an AAA server. EAP methods that use username/password authentication might also be an option (or a combination of both with EAP-TTLS or EAP-PEAP). It probably depends on what your clients can actually use.

> Would one of the DB back-ends be faster?

Not at the moment, as the SQL query there is too simple (it does not filter by identities, it just enumerates all peer configs). There is a TODO in the code there, though, so I'm not sure why it was not yet implemented with a proper WHERE clause.

> I'm aiming for 20,000 tunnels and 50 auth per sec (peak) on a gateway.

Keeping the config simple in this case would help anyway. And the simplest is certainly to sign all client certificates by a common CA (or intermediate CA). What's the reason you don't want to do this?

Regards,
Tobias

[1] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-radius/

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
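The two gateway-side setups Tobias describes, written out as an added example that is not part of the original thread or of the strongSwan test case linked in [1]: one `conn` that hands client authentication to a RADIUS server via EAP-TLS and the EAP-RADIUS plugin, and one that authenticates clients locally by requiring a certificate from a common CA. Host names, IP addresses, certificate file names, DN strings and the shared secret are placeholders chosen for this example; `moon`, `alice` and the `eap-radius` option names follow the strongSwan ipsec.conf/strongswan.conf conventions.

```ini
# --- /etc/ipsec.conf on the gateway (example, placeholder values) ---

config setup

# Variant 1: clients authenticate with EAP-TLS; the gateway forwards the
# EAP exchange to the AAA server, so the gateway itself never has to match
# the client certificate against a list of peer configs.
conn rw-eap-tls-radius
        left=203.0.113.1                 # gateway address (placeholder)
        leftcert=gatewayCert.pem         # gateway's own certificate (placeholder)
        leftid=@vpn.example.org          # gateway identity (placeholder)
        leftauth=pubkey                  # gateway still authenticates with its own key
        leftsubnet=10.1.0.0/16
        right=%any                       # any roadwarrior
        rightauth=eap-radius             # delegate client auth to RADIUS
        rightsendcert=never              # the EAP server, not charon, checks the client cert
        auto=add

# Variant 2: no AAA server; all client certificates are signed by one
# (intermediate) CA, so a single conn with rightca covers every client and
# the gateway only has to walk one trust chain per IKE_AUTH.
conn rw-common-ca
        left=203.0.113.1
        leftcert=gatewayCert.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftsubnet=10.1.0.0/16
        right=%any
        rightauth=pubkey
        rightca="C=XX, O=Example, CN=Example Client CA"   # placeholder issuer DN
        auto=add

# --- /etc/strongswan.conf on the gateway (example, placeholder values) ---
charon {
    # eap-radius must be loaded in addition to the usual plugins
    load = aes sha1 sha2 hmac pem pkcs1 x509 revocation random nonce
           curl kernel-netlink socket-default stroke updown eap-radius

    plugins {
        eap-radius {
            server = 198.51.100.10       # RADIUS server address (placeholder)
            secret = CHANGE-ME-SHARED-SECRET   # RADIUS shared secret (placeholder)
        }
    }
}
```

For variant 1 the CA that issued the client certificates is configured on the RADIUS server, not on the gateway; for variant 2 the CA certificate (and its CRL or OCSP responder, handled here by the `revocation` plugin) must be available to charon under `/etc/ipsec.d/cacerts`. Keep the RADIUS secret out of world-readable files, since anyone holding it can impersonate the AAA server to the gateway.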
