FreeRADIUS + MacOS + IKEv2
Folks.
I've recently been trying to get pfSense 2.4.5-RELEASE to support a Mobile Client IPSEC configuration where IKEv2 is used with RADIUS handling the backend authentication for EAP_MSChapv2. I've got a standalone RADIUS server set up on another host. I can successfully authenticate to it for webGUI login users, but despite selecting the RADIUS server from the Mobile Clients | User Authentication list, it doesn't seem to want to auth requests from my Mac. EAP_RADIUS doesn't work either. I see no traffic inbound to the RADIUS server from these requests. There are some older posts on this topic, but I can't seem to find anything more recent that covers this use case. The clients are MacOS running the built-in VPN client.
[
As a side note, I have a standalone certificate authority that was issuing server certs for devices like this pfSense box. I found that it is critical for the Mac to see the server cert having the below key usage and EKU settings. (Not sure Non Repudiation is actually required).
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
]
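
Added example, not part of the original post: a small Python check that reads the text dump of a server certificate (the format `openssl x509 -noout -text` prints) and reports which of the key usage and EKU values listed in the side note are absent. The function names and both sample dumps are constructed for illustration, and Non Repudiation is reported separately because the post is unsure it is required.

```python
import re

# Values taken from the post's side note. The post is unsure whether
# Non Repudiation is needed, so it is reported separately (assumption).
REQUIRED_KU = {"Digital Signature", "Key Encipherment"}
UNCONFIRMED_KU = {"Non Repudiation"}
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication",
                "1.3.6.1.5.5.8.2.2"}  # dotted OID exactly as printed in the post
HEADER = re.compile(r"^X509v3 (Extended Key Usage|Key Usage):( critical)?$")

def parse_usages(text):
    """Return {'Key Usage': set, 'Extended Key Usage': set} from a text dump."""
    found = {"Key Usage": set(), "Extended Key Usage": set()}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m = HEADER.match(line)
        if m:
            # The values sit on the line after the header, comma separated.
            values = lines[i + 1].split(",")
            found[m.group(1)] = {v.strip() for v in values if v.strip()}
    return found

def check_cert(text):
    """Report which usages named in the post are absent from the dump."""
    found = parse_usages(text)
    return {
        "missing_ku": sorted(REQUIRED_KU - found["Key Usage"]),
        "missing_eku": sorted(REQUIRED_EKU - found["Extended Key Usage"]),
        "unconfirmed_ku_absent": sorted(UNCONFIRMED_KU - found["Key Usage"]),
    }

# Constructed sample dumps (not taken from real certificates).
GOOD = """
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
"""
BAD = """
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
"""

if __name__ == "__main__":
    for name, dump in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_cert(dump))
```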