IKEv2 Certificate + EAP (Username/Password) and freeradius
I am trying to configure "IKEv2 Certificate + EAP (Username/Password)" in pfSense. The whole thing should work in the end, with FreeRadius or without.
I have done IKEv2 EAP (Username/Password) and IKEv2 EAP-TLS (Certificate) before. Both worked.
Is this possible? I can't figure out whether FreeRadius supports this or not.
Maybe someone out there knows something.
After hours of searching I found an interesting talk:
Matthew Newton -> For client certificates on Windows you have to use EAP-TLS.
User -> I wanted them to have a certificate + username and password, I think I'll have to settle for server certificate + username and password.
Matthew Newton -> quotes: I wanted them to have a certificate + username and password,
Answer: Yes, using both together is not currently possible.
That doesn't seem very good, but it's from 2017 and they are not talking about a user certificate. I'm not 100% sure. Maybe it's supported now?
IKEv2 Certificate + EAP (Username/Password)
IKEv2 Mutual RSA + EAP-MSCHAPv2
So this will not work.
Correct. You can choose from either EAP-TLS which has certificates in both directions (client and server) or EAP-MSCHAPv2/EAP-RADIUS which has user auth + clients validate server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do)