OK, lots of options ... Think I need the charon-nm for our Ubuntu network manager users ... keeps it simple.

Think I'll try patching charon-nm first.

Thanks

A

On 1 December 2017 at 14:34, Tobias Brunner <[email protected]> wrote:

> Hi Alex,
>
> > so you're saying that my radius server also needs to have vpn.york.ac.uk
> > as a SubjAltName in it as well?
>
> Yes, that's one option. Not using the NM plugin is another. With the
> config files you can set the AAA identity to vpn.york.ac.uk so it
> matches the certificate (or %any so any identity is accepted, the RADIUS
> server's certificate just has to be trusted). You can also patch
> charon-nm so it sets the AAA identity, or make it even configurable in
> the GUI.
>
> You can also not use EAP-PEAP and just authenticate the clients with
> EAP-MSCHAPv2/MD5/GTC directly (and if necessary secure the connection
> between VPN and RADIUS server with IPsec).
>
> Regards,
> Tobias
