How can I install a certificate on the Android device? I have an Entrust cert on the server but it can't validate. Going to create an OpenSSL cert and install.

-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Tuesday, July 01, 2014 9:11 AM
To: Mcginniss, David S [NTK]
Cc: [email protected]; [email protected]
Subject: Re: [strongSwan] Android VPN

David,

> IKEv2 using PSK and MSCHAPv2 example
>
> SEgw.xxx.yyy.net FQDN
> SEGWID [email protected]
> SEGW PSK a1b2c3
>
> EAP-MSCHAPv2
> AAA User [email protected]
> AAA Password d3e4f5g6

EAP authentication in conjunction with PSK server authentication can be very problematic, and is therefore not allowed by RFC 5996, and not supported by our Android client.

If I understand correctly, you'd like to authenticate a large set of users to a security gateway. Each user authenticates itself using the mentioned AAA credentials. The gateway, on the other hand, uses a single (?) PSK to authenticate itself against all users.

The problem is that each client has to know the security gateway PSK to verify it. Having that PSK, it can easily impersonate the gateway against all other users, and collect all the AAA credentials of all users. Something you really should avoid, especially with larger/open user groups.

It is therefore recommended to use public key authentication together with EAP. There also is the mutual EAP-only authentication extension [1], which is supported in strongSwan. However, EAP-MSCHAPv2 can not be considered secure, so you can't use it with that extension.

Regards
Martin

[1] http://tools.ietf.org/html/rfc5998
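
The certificate David mentions creating with OpenSSL, as an added example that is not part of the thread or of strongSwan: a private CA and a gateway certificate for the public-key server authentication Martin recommends, followed by a check of the result. The FQDN, organisation and file names are constructed, and the example assumes the client matches the gateway name against the certificate's subjectAltName.

```shell
#!/bin/sh
# Added example, not from the thread: private CA plus a gateway certificate
# for IKEv2 public-key server authentication. All names are constructed.

# make_gateway_pki <dir> <gateway-fqdn>; body runs in a subshell so umask/cd stay local
make_gateway_pki() (
    dir=$1 fqdn=$2
    umask 077                                   # private keys readable by owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example VPN
CN = $fqdn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[gw_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # Self-signed CA certificate: the trust anchor a client imports. caKey.pem never leaves the CA host.
    openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:3072 -nodes \
        -sha256 -days 1825 -subj "/O=Example VPN/CN=Example VPN Root CA" \
        -keyout caKey.pem -out caCert.pem 2>/dev/null || exit 1
    # Gateway key and CSR, then a certificate signed by the CA with the FQDN as SAN.
    openssl req -new -config pki.cnf -newkey rsa:3072 -nodes \
        -keyout gwKey.pem -out gw.csr 2>/dev/null || exit 1
    openssl x509 -req -in gw.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial \
        -extfile pki.cnf -extensions gw_ext -sha256 -days 825 \
        -out gwCert.pem 2>/dev/null || exit 1
)

# check_gateway_cert <dir> <gateway-fqdn>; 0 = ok, 1 = chain, 2 = SAN, 3 = EKU
check_gateway_cert() {
    openssl verify -CAfile "$1/caCert.pem" "$1/gwCert.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1/gwCert.pem" -noout -text) || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$2" || return 2
    printf '%s\n' "$text" | grep -qF "TLS Web Server Authentication" || return 3
}

# Stand-alone use: sh gateway_pki.sh <dir> <gateway-fqdn>
if [ $# -ge 2 ]; then make_gateway_pki "$1" "$2" && check_gateway_cert "$1" "$2"; fi
```

Unlike the shared PSK, nothing that reaches the clients here (only `caCert.pem`) lets one of them impersonate the gateway to the others.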
