Hello, Tobias.
Thank you for the response.
As an example, on a Cisco router I would create 2 access groups and have 2
profiles on the Cisco VPN client: one for local auth, one for RADIUS.
And how/when does it switch between the two?
In the Cisco VPN client, the access group name is specified in the profile
settings and this name is sent to the VPN server during connection. The user
selects a specific profile to connect to the VPN server.
For different access groups there are separate sections in the config on the
VPN server, so one can specify different auth methods.
Any thoughts? Technical support clients are mostly Windows built-in VPN.
That's bad, because that client neither sends a remote identity (IDr is
never sent), nor any useful client identity (IDi, which just contained
the private IP address at one time when EAP was used, but that might
depend on the Windows version). So with such clients your options are
limited, I'm afraid (using machine certificates, i.e. not EAP-TLS, would
work though).
Ok, I think I may try machine certificates.
--
Best regards,
Dmitry Soloshenko