or I could install freeradius on the strongswan server and let it handle the eap side of things and then there is a virtual server that proxies off the inner tunnel stuff to another server for authentication. That way the radius server uses the strongswan server cert so we don't have this problem.
Would be better than changing code and sswan config still uses eap-radius but points to itself.
A

On 1 December 2017 at 15:21, Alex Sharaz <[email protected]> wrote:
> o.k. lots of options ...
> Think I need the charon-nm for our Ubuntu network manager users .. keeps
> it simple
>
> Think I'll try patching charon-nm first
> Thanks
> A
>
> On 1 December 2017 at 14:34, Tobias Brunner <[email protected]> wrote:
>
>> Hi Alex,
>>
>> > so you're saying that my radius server also needs to have
>> vpn.york.ac.uk
>> > as a SubjAltName in it as well ?
>>
>> Yes, that's one option. Not using the NM plugin is another. With the
>> config files you can set the AAA identity to vpn.york.ac.uk so it
>> matches the certificate (or %any so any identity is accepted, the RADIUS
>> server's certificate just has to be trusted). You can also patch
>> charon-nm so it sets the AAA identity, or make it even configurable in
>> the GUI.
>>
>> You can also not use EAP-PEAP and just authenticate the clients with
>> EAP-MSCHAPv2/MD5/GTC directly (and if necessary secure the connection
>> between VPN and RADIUS server with IPsec).
>>
>> Regards,
>> Tobias
>>
>
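The "config files" option Tobias describes, as an added example that is not part of the thread: a client-side ipsec.conf connection for a non-NetworkManager strongSwan client, showing the `aaa_identity` setting that charon-nm cannot set. `vpn.york.ac.uk` is taken from the thread; the connection name, the EAP identity and the RADIUS certificate name `radius.example.org` are placeholders, and the example assumes the client has the `eap-peap` plugin and trusts the CA that issued the RADIUS server's certificate.

```conf
# Added example, not from the thread. Client-side /etc/ipsec.conf.
conn york-vpn
    left=%defaultroute
    leftauth=eap-peap          # EAP-PEAP carries the inner method (MSCHAPv2/GTC/...)
    eap_identity=user@example  # placeholder EAP identity
    right=vpn.york.ac.uk
    rightid=vpn.york.ac.uk     # IKEv2 gateway identity, checked against the gateway cert
    rightauth=pubkey
    # The EAP-PEAP client verifies the TLS certificate presented by the AAA
    # (RADIUS) backend against aaa_identity. Without this line strongSwan
    # falls back to the gateway identity (vpn.york.ac.uk), which only works
    # if that name is a SubjAltName in the RADIUS server's certificate.
    aaa_identity=radius.example.org   # placeholder: the SAN on the RADIUS cert
    # Weaker alternative mentioned in the thread: accept any identity, so the
    # RADIUS certificate only has to chain to a trusted CA. Any certificate
    # issued by that CA would then be accepted as the AAA server.
    # aaa_identity=%any
    auto=add
```

If the RADIUS server is run on the gateway itself with the gateway's own certificate, as the message above proposes, `aaa_identity` can simply equal `rightid` and the line becomes redundant; the strict setting is still preferable to `%any`, because `%any` turns the server check into a bare CA-trust check.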
