Hi,

> Is there any way that I could use user/password inside eap-ttls tunnel?
> windows clients are able to initiate IKE tunnel with eap-ttls and
> user+password as their authentication protocol and I'm trying to use
> Strongswan as my server side.

strongSwan EAP-TTLS currently does not support tunneling plain PAP/CHAP, but only other EAP methods.

> If not, what do you recommend in such a solution that an authentication
> system with user+password is required. (CHAP alone is not secure
> enough).

Using plain EAP-MSCHAPv2 is usually fine in IKEv2 if you terminate EAP at the IKE responder. The EAP exchange is protected by IKEv2 using the responder's server certificate.

If that is insufficient for you, you may EAP-TTLS- or PEAP-tunnel EAP-MSCHAPv2. That is supported by the Windows client. But from a security perspective it does not help much if you terminate EAP at the IKE responder, it just complicates things.

If you terminate EAP at an AAA backend using our eap-radius plugin, you might want additional security on the gateway->AAA link. Using EAP-TTLS (with any inner authentication method) may be an option. strongSwan does not terminate EAP then, and you can use any method that the client and the AAA support.

Regards
Martin

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
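The first option Martin describes (EAP-MSCHAPv2 terminated at the IKE responder, with the EAP exchange protected by the responder's certificate) as a swanctl.conf example. This is an added illustration, not configuration from the thread or from the strongSwan project; the connection name, hostname, certificate file, pool, username and secret are placeholders, and the commented-out `auth = eap-radius` line shows where the AAA-backend variant from the last paragraph would differ.

```conf
# swanctl.conf (added example; all names and values are placeholders)
connections {
    rw-eap-mschapv2 {
        version = 2
        # Address pool handed out to road-warrior clients
        pools = rw-pool

        local {
            # The responder authenticates with its server certificate.
            # This is what protects the inner EAP-MSCHAPv2 exchange.
            auth = pubkey
            certs = vpn-server.pem
            id = vpn.example.com
        }

        remote {
            # EAP-MSCHAPv2 terminated on the gateway itself:
            # user/password are looked up in the secrets section below.
            auth = eap-mschapv2
            eap_id = %any
            # Alternative: hand EAP off to an AAA backend (eap-radius plugin)
            # so the gateway no longer terminates EAP. The RADIUS server and
            # shared secret are then configured in strongswan.conf, and the
            # gateway->AAA link needs its own protection.
            # auth = eap-radius
        }

        children {
            rw {
                # Full-tunnel: all client traffic goes through the gateway
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

secrets {
    # One EAP user entry per client; placeholder values
    eap-alice {
        id = alice
        secret = "change-me-placeholder"
    }
}

pools {
    rw-pool {
        addrs = 10.3.0.0/24
    }
}
```

The point of the `local` block is the part Martin refers to as "usually fine": the client verifies the gateway's certificate before the MSCHAPv2 credentials are exchanged, so the password-derived material never travels outside the IKEv2 SA. Whether that is sufficient for a given deployment is the trade-off the rest of the reply discusses.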