Thanks Martin, your information was very useful. Actually I'm trying to use FreeRADIUS with strongSwan using the EAP-RADIUS plugin. Do you have any information regarding FreeRADIUS support for this?
On Wed, Jun 24, 2015 at 11:48 AM Martin Willi <[email protected]> wrote:

> Hi,
>
> > Is there any way that I could use user/password inside an eap-ttls tunnel?
> > Windows clients are able to initiate an IKE tunnel with eap-ttls and
> > user+password as their authentication protocol and I'm trying to use
> > strongSwan as my server side.
>
> strongSwan EAP-TTLS currently does not support tunneling plain PAP/CHAP,
> but only other EAP methods.
>
> > If not, what do you recommend in such a solution where an authentication
> > system with user+password is required? (CHAP alone is not secure
> > enough.)
>
> Using plain EAP-MSCHAPv2 is usually fine in IKEv2 if you terminate EAP
> at the IKE responder. The EAP exchange is protected by IKEv2 using the
> responder's server certificate.
>
> If that is insufficient for you, you may EAP-TTLS- or PEAP-tunnel
> EAP-MSCHAPv2. That is supported by the Windows client. But from a
> security perspective it does not help much if you terminate EAP at the
> IKE responder, it just complicates things.
>
> If you terminate EAP at an AAA backend using our eap-radius plugin, you
> might want additional security on the gateway->AAA link. Using EAP-TTLS
> (with any inner authentication method) may be an option. strongSwan does
> not terminate EAP then, and you can use any method that the client and
> the AAA supports.
>
> Regards
> Martin
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
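The two deployment options Martin describes, written out as configuration, as an added example that is not part of the original thread and not the strongSwan or FreeRADIUS projects' own sample files. Option 1 terminates EAP-MSCHAPv2 on the gateway; Option 2 hands the whole EAP conversation to FreeRADIUS through the eap-radius plugin, so the client can run EAP-TTLS with an inner method FreeRADIUS accepts. Assumed and constructed: the swanctl.conf layout (strongSwan 5.2+ with the eap-mschapv2 and eap-radius plugins loaded), the FreeRADIUS 3.x mods-available/eap layout, the hostnames, addresses, file names, pool, user "alice", and every secret.

```conf
# --- swanctl.conf (strongSwan gateway) ---
connections {
    # Option 1: EAP terminated on the gateway. Plain EAP-MSCHAPv2 runs
    # inside the IKE_SA the client authenticated with the gateway's
    # certificate; no AAA backend is involved.
    vpn-local-eap {
        version = 2
        pools = vpn-pool
        local {
            auth = pubkey
            certs = gw-cert.pem            # assumed file name
            id = vpn.example.com           # assumed gateway identity
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any                  # accept any EAP identity
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }

    # Option 2: EAP forwarded unchanged to FreeRADIUS via eap-radius.
    # The gateway never terminates EAP, so the client may use EAP-TTLS
    # with whatever inner method FreeRADIUS accepts (MSCHAPv2, or PAP,
    # which strongSwan itself cannot tunnel).
    vpn-radius-eap {
        version = 2
        pools = vpn-pool
        local {
            auth = pubkey
            certs = gw-cert.pem
            id = vpn.example.com
        }
        remote {
            auth = eap-radius
            eap_id = %any                  # EAP identity becomes RADIUS User-Name
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

# Credentials used only by Option 1 (gateway-terminated EAP-MSCHAPv2).
secrets {
    eap-alice {
        id = alice
        secret = "correct horse battery staple"   # constructed example
    }
}

pools {
    vpn-pool {
        addrs = 10.10.0.0/24                      # assumed client pool
    }
}

# --- strongswan.conf (eap-radius plugin, Option 2 only) ---
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10          # assumed FreeRADIUS host
                    secret = "RadiusSharedSecret"  # constructed shared secret
                    auth_port = 1812
                }
            }
        }
    }
}

# --- FreeRADIUS mods-available/eap (AAA side, Option 2) ---
eap {
    default_eap_type = ttls
    tls-config tls-common {
        private_key_file = ${certdir}/radius.key   # assumed file names
        certificate_file = ${certdir}/radius.pem
        ca_file = ${cadir}/ca.pem
    }
    ttls {
        tls = tls-common
        default_eap_type = mschapv2     # inner EAP method offered to the client
        virtual_server = "inner-tunnel" # inner PAP/CHAP/MSCHAPv2 are checked here
    }
    mschapv2 {
    }
}

# --- FreeRADIUS users file: one account serves inner MSCHAPv2 or PAP ---
alice   Cleartext-Password := "correct horse battery staple"
```

Load the strongSwan side with `swanctl --load-all` and run `radiusd -X` on the AAA host while testing. The security point from the thread is visible in the split: with Option 2 the user's credentials travel inside the EAP-TTLS TLS session between client and FreeRADIUS, so neither the gateway nor the RADIUS shared-secret-protected gateway->AAA hop ever sees them in the clear; with Option 1 the gateway is the party that holds and checks the password, and the RADIUS secret above plays no role at all.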
