Netgate Discussion Forum
    IPsec with EAP-RADIUS connects without user/pass

      SpaceBass

      hey folks
      Guessing this is an issue around my understanding rather than a bug, but I wanted to verify.

      I set up an IPsec mobile config to test as an alternative to OpenVPN on iOS and MacOS.

      pfSense version 2.5.1

      I have two working RADIUS servers configured under authentication servers.

      For IPsec, I'm using:
      • IKEv2
      • Server DN = FQDN
      • Peer DC = any
      • EAP-RADIUS
      • AES-GCM
      • MOBIKE

      I used Apple Configurator 2 to make a profile. I added the CA cert and a user cert for the same CA.

      In Configurator, I'm using:
      • IKEv2
      • remote identifier = server's FQDN
      • my identifier = iOS.mydomain.net
      • Machine Auth = certificate
      • Enable EAP = checked
      • user/pass = both blank, assuming iOS would prompt
      • Parent and child crypto = matching what's in pfSense

      I have successfully deployed the profile to my iOS devices.

      The surprising part is that it connects and I'm never asked for a user/pass.

      There's no activity on my RADIUS server indicating a query attempt.

      I do have other IPsec site-to-site instances, but they use a different CA entirely so I don't think there's a chance I'm somehow matching the wrong instance.

      Is this a bug or user issue?

      Ultimately, I'd love TLS + RADIUS but I don't see any way to set that up (using both a client cert between the client and pfSense and also user/pass)... so I'll settle for RADIUS user/pass if I can get it working. I don't want to deploy if all it takes is a valid copy of the CA cert on devices.

        SpaceBass (last edited by SpaceBass)

        Quick update - found the root cause...

        I was looking at the wrong RADIUS server's logs...
        Apparently because I also have a valid user certificate for the same CA on these iOS devices, they'll use that to successfully authenticate against my FreeRADIUS 3 install through EAP-TLS rather than user/pass. Going to have to make some changes there...

        I'm still surprised that I never get prompted for a user/pass, either when the profile is installed or when it tries to authenticate the first time through EAP-RADIUS.

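The "changes" the second post alludes to live on the FreeRADIUS side, because with EAP-RADIUS it is the RADIUS server, not pfSense, that decides which EAP method a client may complete. The following is an added example of a FreeRADIUS 3 `mods-available/eap` fragment (not taken from the thread, pfSense or the FreeRADIUS project) that leaves the EAP-TLS method unregistered so a device holding only a certificate for the CA cannot satisfy EAP with it; certificate paths and the server layout are assumptions.

```text
# mods-available/eap (added example; paths are placeholders)
# Goal: when pfSense relays IKEv2 EAP to this server, offer only a
# password-based EAP method, so a client that merely holds a user
# certificate for the CA cannot authenticate via EAP-TLS.
eap {
    # First method proposed to the client. For IKEv2 mobile clients
    # this is normally EAP-MSCHAPv2 (username/password).
    default_eap_type = mschapv2

    # Reject EAP types that are not configured in this block rather
    # than trying to negotiate them.
    ignore_unknown_eap_types = no

    timer_expire = 60
    max_sessions = ${max_requests}

    # EAP-MSCHAPv2: the only method left enabled.
    mschapv2 {
    }

    # Server-side TLS material is only needed if PEAP/TTLS is used
    # elsewhere on this server; on its own it does NOT enable EAP-TLS.
    # (Other settings from the stock tls-common block are omitted here.)
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # placeholder path
        certificate_file = ${certdir}/server.pem   # placeholder path
        ca_file          = ${cadir}/ca.pem         # placeholder path
    }

    # Intentionally absent from this file:
    #   tls {
    #       tls = tls-common
    #   }
    # That block is what registers EAP-TLS as a method. Without it a
    # client that NAKs mschapv2 and asks for EAP-TLS is rejected, so the
    # only way through is a username/password exchange.
}
```

Running `radiusd -X` while a profile-installed device connects shows which EAP type is negotiated, which is the quickest way to confirm the certificate path is no longer accepted.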