iked: RADIUS support
On Fri, 26 Jan 2024 13:09:37 +0000
Stuart Henderson <stu@spacehopper.org> wrote:
> On 2024/01/26 13:40, Kapetanakis Giannis wrote:
>> On 25/01/2024 11:50, YASUOKA Masahiko wrote:
>> > Hello,
>> >
>> > The diff adds RADIUS support for iked(8).
>> >
>> > ---
>> > ikev2 RAS passive esp \
>> > from 0.0.0.0/0 to 0.0.0.0 \
>> > local any peer any \
>> > srcid (FQDN) \
>> > eap radius \
>> > config address 192.168.0.0/24
>> >
>> > radius server 192.168.0.4 secret testing123
>> > # radius accounting server 192.168.0.4 secret testing123
>> > ---
>> >
>> > We can ask EAP for a RADIUS server which supports EAP. Unfortunately
>> > radiusd(8) has no config which terminates EAP yet, so freeradius,
>> > Windows AD, or other is needed for test.
>> >
>> > Also
>> >
>> > - Use RADIUS attributes for configurations
>> > - RADIUS accounting is also supported
>> >
>> > comments? test? ok?
>>
>> Hi,
>>
>> Does this mean an inner EAP tunnel will go to the radius server, thus supporting authentication types like
>> EAP-TLS / EAP-TTLS/PAP / EAP-PEAP/MSCHAPv2 depending on client and radius (IDP) server configuration?
>
> That's how the diff reads to me.

Yes, I hope all EAP methods can be used. But other than MSCHAP-V2, it
might have an issue. I'm testing EAP-TLS with Windows AD, it doesn't
succeed. I think it can be fixed in a few days.

> I haven't tested yet but considering this also handles Framed-IP-Address
> (so you can hand out a specific IP address based on username) it adds
> a lot of very useful functionality. I'll try to get something setup here
> to test it ..

Thanks