Dave, Kindly asking to keep the discussion on the list, thanks.

> I am trying to load an internal CA cert to use x.509 for the client. I
> will need to use the mutual authentication MSCHAPv2 as well; it's a
> requirement for corporate security.

While EAP-MSCHAPv2 provides mutual authentication, it is not considered secure, hence certificate authentication is used in IKEv2 to authenticate the gateway before starting the EAP exchange.

> Each user has a user ID and PSK as well and then each has IMS
> credentials

No PSK is required if you use certificate authentication of the gateway before starting EAP-MSCHAPv2. If you have unique and strong PSKs for each user, using PSK instead of certificate server authentication is possible. Handling a large set of PSKs is cumbersome, and forcing strong PSKs is difficult. Certificate authentication is superior, and therefore the currently supported option in the Android client.

> Do I have to make configuration changes to use the MSK in EAP-MSCHAPv2?

EAP-MSCHAPv2 generates an MSK, and that is used in IKEv2 to generate the AUTH payloads. Refer to RFC5996 for details.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
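To make Martin's last point concrete, the following is an added illustration (not code from this thread or from strongSwan) of how the MSK exported by EAP-MSCHAPv2 feeds the IKEv2 AUTH payload per RFC 5996 sections 2.15 and 2.16; the daemon does this itself, so no configuration is involved. It assumes PRF_HMAC_SHA1 as the negotiated PRF, and all message bytes, nonces, SK_pi and the MSK are constructed sample values rather than a real capture.

```python
import hashlib
import hmac

# Literal pad string from RFC 5996 section 2.15 (shared-key AUTH computation).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated IKEv2 PRF; PRF_HMAC_SHA1 is assumed for this illustration."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(real_message: bytes, peer_nonce: bytes, sk_p: bytes,
                  rest_of_id_payload: bytes) -> bytes:
    """RFC 5996 2.15: <own IKE_SA_INIT message> | <peer nonce> | prf(SK_p, <ID payload body>)."""
    return real_message + peer_nonce + prf(sk_p, rest_of_id_payload)


def eap_auth(msk: bytes, octets: bytes) -> bytes:
    """RFC 5996 2.16: when the EAP method exports an MSK, that MSK takes the
    role of "Shared Key" in the 2.15 formula for both the client's and gateway's AUTH."""
    return prf(prf(msk, KEY_PAD), octets)


def verify_auth(msk: bytes, octets: bytes, received: bytes) -> bool:
    """Constant-time comparison of the recomputed AUTH against the received one."""
    return hmac.compare_digest(eap_auth(msk, octets), received)


# --- constructed sample values (hypothetical, not a real capture) ---
IKE_SA_INIT_REQUEST = b"\x00" * 16 + b"\x21\x20\x22\x08" + b"constructed-init-body"
NONCE_R = b"\x11" * 32                       # responder nonce data
SK_PI = b"\x22" * 20                         # initiator's SK_p, derivation out of scope here
IDI_PAYLOAD_BODY = b"\x02\x00\x00\x00" + b"alice@example.org"  # ID_FQDN body, constructed
MSK_FROM_EAP_MSCHAPV2 = b"\x33" * 64         # EAP-MSCHAPv2 exports a 64-byte MSK


def initiator_auth() -> bytes:
    """AUTH the client sends once the EAP exchange has succeeded."""
    octets = signed_octets(IKE_SA_INIT_REQUEST, NONCE_R, SK_PI, IDI_PAYLOAD_BODY)
    return eap_auth(MSK_FROM_EAP_MSCHAPV2, octets)


def gateway_accepts(msk_seen_by_gateway: bytes) -> bool:
    """Gateway recomputes AUTH from the MSK its EAP server derived; any mismatch is rejected."""
    octets = signed_octets(IKE_SA_INIT_REQUEST, NONCE_R, SK_PI, IDI_PAYLOAD_BODY)
    return verify_auth(msk_seen_by_gateway, octets, initiator_auth())
```

The gateway's own AUTH is built the same way over its IKE_SA_INIT response, Ni and prf(SK_pr, IDr body), which is why a client that has not validated the gateway certificate first has nothing stronger than the MSCHAPv2 exchange to protect it.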
