Improvement proposal IPSec IKEv2 - USERS in user manager - save EAP key



  • Hello,

    I have an improvement proposal. When using IPSec with IKEv2 EAP-MSCHAPv2, a user needs an EAP key for authentication.
    In System->User Manager there is only the possibility to save a PSK key that can't be used with EAP-MSCHAPv2. So in VPN->IPSec->Pre-Shared keys there must be a separate item with an EAP key for already existing users.
    It would be nice if there were a possibility to save an EAP key, too.

    By the way, I love the new 2.3 pfSense version and it is really a great improvement compared to 2.2.6 version! Great work!


  • Rebel Alliance Developer Netgate

    At least the way things are now, to do EAP, mpd needs access to the cleartext password. We don't save the cleartext password for a user manager entry, and that isn't likely to change.

    Maybe the user manager could grow an option for an EAP key like it has for IPsec PSK, or perhaps a drop-down there, but it wouldn't change how the backend works.

    You could push all that off to a RADIUS server and use EAP-RADIUS if you want better user management.



  • -> jimp

    I didn't bear in mind that this could be a security issue, thanks.

    But are the EAP keys that are saved in "VPN->IPsec->Pre-Shared Keys" encrypted on the disk?

    A RADIUS server is not an option in my case.


  • Rebel Alliance Developer Netgate

    No, they are not encrypted on disk. They're in the clear because they have to be for EAP to work properly with strongSwan (I misspoke and said mpd earlier, not sure where that came from…)

    https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

