Netgate Discussion Forum

    FreeRADIUS + MacOS + IKEv2

      ciphergeek

      Folks.
      I've recently been trying to get pfsense 2.4.5-RELEASE to support a Mobile Client IPSEC configuration where IKEv2 is used with RADIUS handling the backend authentication for EAP_MSChapv2. I've got a standalone RADIUS server set up on another host. I can successfully authenticate to it for webGUI login users, but despite selecting the RADIUS server from the Mobile Clients | User Authentication list, it doesn't seem to want to auth requests from my Mac. EAP_RADIUS doesn't work either. I see no traffic inbound to the RADIUS server from these requests.

      There are some older posts on this topic but I can't seem to find anything more recent that covers this use case. The clients are MacOS running the built-in VPN client.

      [
      As a side note, I have a standalone certificate authority that was issuing server certs for devices like this pfsense box. I found that it is critical for the Mac to see the server cert having the below key usage and EKU settings. (Not sure Non Repudiation is actually required).

      X509v3 Key Usage:
      Digital Signature, Non Repudiation, Key Encipherment
      X509v3 Extended Key Usage:
      TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
      ]

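One way to check a server certificate for the key usage and EKU values listed in the post above, as an added example that is not part of the original post. The function names, the constructed sample text and the `server.crt` path are assumptions, and Non Repudiation is not checked because the post is unsure it is required.

```shell
#!/bin/sh
# Added example: checks `openssl x509 -noout -text` output for the usages
# quoted in the post. Function and variable names are hypothetical.

# Print the trimmed line that follows extension header $1 in the text on stdin.
ext_value() {
    awk -v h="$1" '
        hit == 1 { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; hit = 2 }
        !hit && index($0, h) { hit = 1 }'
}

# Succeed if comma-separated list $1 contains the exact item $2.
has_item() {
    case ", $1," in
        *", $2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read certificate text on stdin; print each missing value, return 1 if any.
check_ikev2_server_cert() {
    text=$(cat)
    ku=$(printf '%s\n' "$text" | ext_value 'X509v3 Key Usage:')
    eku=$(printf '%s\n' "$text" | ext_value 'X509v3 Extended Key Usage:')
    missing=0
    # Non Repudiation is left out: the post is unsure it is required.
    for want in 'Digital Signature' 'Key Encipherment'; do
        has_item "$ku" "$want" || { echo "missing key usage: $want"; missing=1; }
    done
    for want in 'TLS Web Server Authentication' \
                'TLS Web Client Authentication' '1.3.6.1.5.5.8.2.2'; do
        has_item "$eku" "$want" ||
            { echo "missing extended key usage: $want"; missing=1; }
    done
    return "$missing"
}

# Constructed sample mirroring the extension lines quoted in the post.
SAMPLE_OK='        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2'

# Real use (server.crt is a placeholder path):
#   openssl x509 -in server.crt -noout -text | check_ikev2_server_cert
printf '%s\n' "$SAMPLE_OK" | check_ikev2_server_cert && echo "all listed usages present"
```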
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.