IKEv2 Certificate + EAP (Username/Password) and freeradius
-
Hello Everyone
I am trying to configure "IKEv2 Certificate + EAP (Username/Password)" in pfSense. In the end, the whole thing should work with or without FreeRadius.
I have done IKEv2 EAP (Username/Password) and IKEv2 EAP-TLS (Certificate) before. Both worked.
Is this possible? I can't figure out whether FreeRadius supports this or not.
Maybe someone out there knows something.
Many Thanks
Best Regards
Alitai
-
After hours of searching I found an interesting talk:
http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088914.html
Quote:
Matthew Newton -> For client certificates on Windows you have to use EAP-TLS.
User -> I wanted them to have a certificate + username and password, I think I'll have to settle for server certificate + username and password.
Matthew Newton -> quotes: I wanted them to have a certificate + username and password,
Answer: Yes, using both together is not currently possible.
That doesn't seem very good, but it's from 2017 and they are not talking about a user certificate. I'm not 100% sure. Maybe it's supported now?
Thanks
Regards
Alitai
-
IKEv2 Certificate + EAP (Username/Password)
equals
IKEv2 Mutual RSA + EAP-MSCHAPv2
so this will not work.
-
Correct. You can choose from either EAP-TLS which has certificates in both directions (client and server) or EAP-MSCHAPv2/EAP-RADIUS which has user auth + clients validate server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do)