
From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: iked: RADIUS support
To:
Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
Cc:
tech@openbsd.org, YASUOKA Masahiko <yasuoka@openbsd.org>
Date:
Fri, 26 Jan 2024 13:09:37 +0000

On 2024/01/26 13:40, Kapetanakis Giannis wrote:
> On 25/01/2024 11:50, YASUOKA Masahiko wrote:
> > Hello,
> >
> > The diff adds RADIUS support for iked(8).
> >
> >   ---
> >   ikev2 RAS passive esp \
> >     from 0.0.0.0/0 to 0.0.0.0  \
> >     local any peer any \
> >     srcid (FQDN) \
> >     eap radius \
> >     config address 192.168.0.0/24
> >     
> >   radius server 192.168.0.4 secret testing123
> >   # radius accounting server 192.168.0.4 secret testing123
> >   ---
> >
> > We can ask EAP for a RADIUS server which supports EAP.  Unfortunately
> > radiusd(8) has no config which terminates EAP yet, so freeradius,
> > Windows AD, or other is needed for test.
> >
> > Also
> >
> >  - Use RADIUS attributes for configurations
> >  - RADIUS accounting is also supported
> >
> > comments? test? ok?
> 
> Hi,
> 
> Does this mean an inner EAP tunnel will go to the radius server, thus supporting authentication types like
> EAP-TLS / EAP-TTLS/PAP / EAP-PEAP/MSCHAPv2 depending on client and radius (IDP) server configuration?

That's how the diff reads to me.

I haven't tested yet but considering this also handles Framed-IP-Address
(so you can hand out a specific IP address based on username) it adds
a lot of very useful functionality. I'll try to get something set up here
to test it ..
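The point Stuart raises above, that iked would take its per-user address from the RADIUS Framed-IP-Address attribute, rests on the RADIUS client checking the reply before trusting anything in it. The following is an added example written for this page; it is not code from the iked diff, from radiusd(8), or from anyone in this thread. It builds a constructed Access-Accept carrying User-Name, Framed-IP-Address and Framed-IP-Netmask, validates the Response Authenticator with the shared secret (RFC 2865 section 3: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret), and only then walks the attribute TLVs to read the address. The shared secret `testing123` and the 192.168.0.0/24 addresses are taken from the sample config quoted in the thread; the packet bytes and the fixed Request Authenticator are constructed for the demo.

```python
"""Verify a RADIUS Access-Accept and pull out Framed-IP-Address.

Added example, not part of the iked diff or of any message in the thread.
Packet layout per RFC 2865: Code(1) Identifier(1) Length(2) Authenticator(16)
followed by attribute TLVs (Type(1) Length(1, includes the 2 header bytes) Value).
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_FRAMED_IP_NETMASK = 1, 8, 9


def encode_attrs(attrs):
    """Serialize (type, value_bytes) pairs as RADIUS TLVs."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:  # 255 max length minus the 2-byte header
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def parse_attrs(data):
    """Walk the TLVs; reject malformed lengths rather than silently skipping them."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet, ident, request_auth, secret):
    """Client side: return (code, attrs) only if the reply is authentic and matches our request."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, pkt_ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if pkt_ident != ident:
        raise ValueError("identifier does not match the outstanding request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    # Constant-time compare; a reply built without the secret fails here,
    # and so does any reply whose attributes were altered in transit.
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered reply)")
    return code, parse_attrs(body)


def framed_ip(attrs):
    """Return Framed-IP-Address as a string, or None when the server leaves
    assignment to the NAS (0xFFFFFFFF / 0xFFFFFFFE, RFC 2865 section 5.8),
    which for iked would mean falling back to its own 'config address' pool."""
    for atype, value in attrs:
        if atype == ATTR_FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            if value in (b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"):
                return None
            return str(ipaddress.IPv4Address(value))
    return None


def demo():
    """Constructed exchange: accept for 'alice' with a fixed address from 192.168.0.0/24."""
    secret = b"testing123"                 # shared secret from the thread's sample config
    ident = 0x2A
    request_auth = bytes(range(16))        # constructed; a real client sends 16 random bytes
    accept = build_response(
        ACCESS_ACCEPT, ident, request_auth,
        [(ATTR_USER_NAME, b"alice"),
         (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.0.77").packed),
         (ATTR_FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed)],
        secret)
    code, attrs = verify_response(accept, ident, request_auth, secret)
    address = framed_ip(attrs)
    # The same bytes checked with a different secret must be rejected.
    try:
        verify_response(accept, ident, request_auth, b"wrong-secret")
        rejected = False
    except ValueError:
        rejected = True
    return code, address, rejected


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(2, '192.168.0.77', True)`: the accept validated, the address was read from the attribute, and the same packet checked against the wrong secret was refused. Any attribute change after the server signed the reply changes the MD5 input and is refused the same way, which is what makes handing out per-user addresses from the server side safe to act on.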