IKEv2 Certificate + EAP (Username/Password) and freeradius



  • Hello Everyone

I am trying to configure "IKEv2 Certificate + EAP (Username/Password)" in pfSense. In the end, the whole thing should work with or without FreeRADIUS.

    I have set up IKEv2 EAP (Username/Password) and IKEv2 EAP-TLS (Certificate) before. Both worked.

    IKEv2 Options.png

    Is this possible? I can't figure out whether FreeRADIUS supports this or not.

    Maybe someone out there knows something.

    Many Thanks

    Best Regards
    Alitai



  • After hours of searching I found an interesting discussion:
    http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088914.html

    Quote:
    Matthew Newton: For client certificates on Windows you have to use EAP-TLS.

    User: I wanted them to have a certificate + username and password; I think I'll have to settle for server certificate + username and password.

    Matthew Newton (quoting "I wanted them to have a certificate + username and password"): Yes, using both together is not currently possible.

    That doesn't look promising, but it's from 2017 and they aren't talking about a user certificate. I'm not 100% sure. Maybe it's supported now?

    Thanks

    Regards
    Alitai



  • IKEv2 Certificate + EAP (Username/Password)
    equals
    IKEv2 Mutual RSA + EAP-MSCHAPv2

    so this will not work.


  • Rebel Alliance Developer Netgate

    Correct. You can choose from either EAP-TLS which has certificates in both directions (client and server) or EAP-MSCHAPv2/EAP-RADIUS which has user auth + clients validate server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do)
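    As an added illustration of the two combinations the reply above says do work (this is not configuration from the thread, and pfSense writes its own strongSwan configuration from the GUI; it is hand-written strongSwan swanctl.conf expressing the same two modes), here are both as separate connections: one with a server certificate plus EAP-MSCHAPv2 for username/password (change `eap-mschapv2` to `eap-radius` to hand the password check to FreeRADIUS), and one with EAP-TLS, certificates in both directions. The host name, certificate file names, address pool, and the user name and secret are placeholders.

```conf
# Added example (not from the thread): the two working IKEv2 road-warrior
# modes from the discussion above as strongSwan swanctl.conf.
# All names, files, addresses and secrets are placeholders.
connections {
    # Mode 1: server certificate + EAP username/password.
    # Clients validate the server certificate; users are checked against
    # the secrets section below (or against FreeRADIUS with eap-radius).
    rw-eap-mschapv2 {
        version = 2
        proposals = aes256-sha256-modp2048
        pools = rw-pool
        local {
            auth = pubkey
            certs = vpn.example.com.pem      # server certificate (x509/)
            id = vpn.example.com
        }
        remote {
            auth = eap-mschapv2              # or: eap-radius
            eap_id = %any                    # accept any EAP identity
        }
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }

    # Mode 2: EAP-TLS, certificates in both directions.
    # The client certificate must chain to the CA named here.
    rw-eap-tls {
        version = 2
        proposals = aes256-sha256-modp2048
        pools = rw-pool
        local {
            auth = pubkey
            certs = vpn.example.com.pem
            id = vpn.example.com
        }
        remote {
            auth = eap-tls
            cacerts = ca.pem                 # CA that issued client certs (x509ca/)
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.10.10.0/24
        dns = 10.10.10.1
    }
}

secrets {
    # EAP username/password for mode 1 when FreeRADIUS is not used.
    eap-alice {
        id = alice
        secret = "placeholder-password"
    }
}
```

    With the server certificate and key in /etc/swanctl/x509 and /etc/swanctl/private and the CA certificate in /etc/swanctl/x509ca, `swanctl --load-all` loads both connections. Note that each connection has exactly one authentication method for the peer (`auth = eap-mschapv2` or `auth = eap-tls`); that single `auth` line is the configuration-level form of the point made in this thread.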

