IPsec with EAP-RADIUS connects without user/pass
Guessing this is an issue around my understanding rather than a bug, but I wanted to verify.
I set up an IPsec mobile config to test as an alternative to OpenVPN on iOS and MacOS.
pfSense version 2.5.1
I have two working radius servers configured in authentication server.
For IPsec, I'm using
Server DN = FQDN
Peer DC = any
I used Apple Configurator 2 to make a profile. I added the CA cert and a user cert for the same CA.
In configurator, I'm using:
remote identifier = Server's FQDN
my identifier = iOS.mydomain.net
Machine Auth = certificate
Enable EAP = checked
user/pass = both blank, assuming iOS would prompt
Parent and child crypto = matching what's in pfSense
I have successfully deployed the profile to my iOS devices.
The surprising part is that it connects and I'm never asked for a user/pass.
there's no activity on my RADIUS server indicating a query attempt.
I do have other IPsec site-to-site instances, but they use a different CA entirely so I don't think there's a chance I'm somehow matching the wrong instance.
Is this a bug or user issue?
ultimately, I'd love TLS + Radius but I don't see any way to set that up (using both a client cert b/t the client and pfSense and also user/pass)... so I'll settle for RADIUS user/pass if I can get it working. I don't want to deploy if all it takes is a valid copy of the CA cert on devices.
quick update - found the root cause...
I was looking at the wrong radius server's logs...
Apparently because I also have a valid user certificate for the same CA on these iOS devices, they'll use that to successfully authenticate against my Freeradius3 install through eap-tls rather than user/pass. Going to have to make some chances there...
I'm still surprised that I never get prompted for a user/pass either when the profile is installed or it tries to authenticate the first time through EAP-RADIUS