Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IKEv2 Certificate + EAP (Username/Password) and freeradius

    Scheduled Pinned Locked Moved IPsec
    4 Posts 2 Posters 959 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      Alitai
      last edited by Alitai

      Hello Everyone

      I try to configure "IKEv2 Certificate + EAP (Username/Password)" in Pfsense. The whole thing should work at the end with FreeRadius or without.

      IKEv2 EAP (Username/Password) and IKEv2 EAP-TLS (Certificate) i having done before. Both worked.

      IKEv2 Options.png

      Is this possible? I can't figure it out if FreeRadius does support this or not?

      Maybe someone out there knows something.

      Many Thanks

      Best Regards
      Alitai

      1 Reply Last reply Reply Quote 0
      • A Offline
        Alitai
        last edited by Alitai

        After hours of searching if found an interesting talk:
        http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088914.html

        Quote:
        Matthew Newton -> For client certificates on Windows you have to use EAP-TLS.

        User -> I wanted them to have a certificate + username and password, I think I'll have to settle for server certificate + username and password.

        Matthew Newton -> quotes: I wanted them to have a certificate + username and password,
        Answer: Yes, using both together is not currently possible.

        Seems not pretty good but it's from 2017 and they talking not about a user certificate. I'm not sure 100%. Maybe it's supported now?

        Thanks

        Regards
        Alitai

        1 Reply Last reply Reply Quote 0
        • A Offline
          Alitai
          last edited by Alitai

          IKEv2 Certificate + EAP (Username/Password)
          equals
          IKEv2 Mutual RSA + EAP-MSCHAPv2

          so this will not work.

          1 Reply Last reply Reply Quote 0
          • jimpJ Offline
            jimp Rebel Alliance Developer Netgate
            last edited by

            Correct. You can choose from either EAP-TLS which has certificates in both directions (client and server) or EAP-MSCHAPv2/EAP-RADIUS which has user auth + clients validate server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do)

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.