From:
Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
Subject:
Re: iked: RADIUS support
To:
YASUOKA Masahiko <yasuoka@openbsd.org>, stu@spacehopper.org
Cc:
tech@openbsd.org
Date:
Mon, 29 Jan 2024 14:18:05 +0200

On 28/01/2024 13:31, YASUOKA Masahiko wrote:
> On Fri, 26 Jan 2024 13:09:37 +0000
> Stuart Henderson <stu@spacehopper.org> wrote:
>> On 2024/01/26 13:40, Kapetanakis Giannis wrote:
>>> On 25/01/2024 11:50, YASUOKA Masahiko wrote:
>>>> Hello,
>>>>
>>>> The diff adds RADIUS support for iked(8).
>>>>
>>>>   ---
>>>>   ikev2 RAS passive esp \
>>>>     from 0.0.0.0/0 to 0.0.0.0  \
>>>>     local any peer any \
>>>>     srcid (FQDN) \
>>>>     eap radius \
>>>>     config address 192.168.0.0/24
>>>>
>>>>   radius server 192.168.0.4 secret testing123
>>>>   # radius accounting server 192.168.0.4 secret testing123
>>>>   ---
>>>>
>>>> We can ask EAP for a RADIUS server which supports EAP.  Unfortunately
>>>> radiusd(8) has no config which terminates EAP yet, so freeradius,
>>>> Windows AD, or other is needed for test.
>>>>
>>>> Also
>>>>
>>>>  - Use RADIUS attributes for configurations
>>>>  - RADIUS accounting is also supported
>>>>
>>>> comments? test? ok?
>>> Hi,
>>>
>>> Does this mean an inner EAP tunnel will go to the radius server, thus supporting authentication types like
>>> EAP-TLS / EAP-TTLS/PAP / EAP-PEAP/MSCHAPv2 depending on client and radius (IDP) server configuration?
>> That's how the diff reads to me.
> Yes, I hope all EAP methods can be used.
>
> But other than MSCHAP-V2, it might have an issue.  I'm testing EAP-TLS
> with Windows AD, it doesn't succeed.  I think it can be fixed in a few
> days.


That is very nice and a long awaited feature!

I'm also going to give it a try since I have a radius server ready, supporting multiple EAP types for eduroam.

Since I can't find the following info easily on Google, what kind of EAP does a Windows 10 client do when you set up an IKEv2 VPN?
There is no interface to change/show security settings (PEAP/TTLS - MSCHAPv2/PAP) like it does for wifi and WPA2-Enterprise.

G
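The EAP-over-RADIUS relay the diff implements (iked forwarding the peer's EAP inside Access-Requests, the server answering with Access-Challenge/Access-Accept, and config such as the assigned address coming back as RADIUS attributes), as an added example that is not part of this thread or of iked(8). It is written in Python rather than iked's C because the point is the wire format and the checks a NAS must do, not the daemon: every packet carrying EAP-Message needs a Message-Authenticator (RFC 3579 3.2), replies are verified with the Response Authenticator (RFC 2865 3) and the Message-Authenticator before any EAP is relayed to the IKE peer, State is echoed back unchanged, and Framed-IP-Address is read from the Access-Accept. The shared secret, identity, addresses, the two-round toy server (which does not actually validate the MSCHAPv2 response) and the byte-flip "tamper" path are all constructed for the example.

```python
"""Added example, not iked(8) code: a constructed RADIUS/EAP exchange showing what a NAS
that proxies IKEv2 EAP to RADIUS must get right (RFC 2865, RFC 3579, RFC 3748)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11                                   # RADIUS codes
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 8, 24, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_MSCHAPV2 = 1, 2, 3, 26                       # EAP, RFC 3748

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(pkt):  # attributes after the 20-byte header as (type, value, offset)
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        out.append((pkt[i], pkt[i + 2:i + pkt[i + 1]], i))
        i += pkt[i + 1]
    return out

def eap_to_attrs(eap):      # an EAP packet over 253 bytes spans several EAP-Message attrs...
    return [(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]
def eap_from_attrs(attrs):  # ...and is reassembled by concatenating them in order (RFC 3579 3.1)
    return b"".join(a[1] for a in attrs if a[0] == EAP_MESSAGE)

def eap_pkt(code, ident, payload=b""):
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def mschapv2(opcode, ms_id, value, name):  # type, opcode, MS-CHAPv2-ID, MS-Length, value-size, value, name
    return (bytes([EAP_TYPE_MSCHAPV2, opcode, ms_id]) + struct.pack("!H", 5 + len(value) + len(name))
            + bytes([len(value)]) + value + name)

def build(code, ident, hdr_auth, attrs, secret):
    """Serialise with Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed); for
    responses hdr_auth is the Request Authenticator of the request being answered (RFC 3579 3.2)."""
    body = encode_attrs([a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body) + 18) + hdr_auth + body + bytes([MESSAGE_AUTHENTICATOR, 18])
    return pkt + hmac.new(secret, pkt + b"\x00" * 16, hashlib.md5).digest()

def build_response(code, ident, req_auth, attrs, secret):
    pkt = build(code, ident, req_auth, attrs, secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]  # Response Authenticator (RFC 2865 3)

def check_message_authenticator(pkt, hdr_auth, secret):
    attrs = decode_attrs(pkt)
    ma = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if any(t == EAP_MESSAGE for t, _, _ in attrs) and len(ma) != 1:
        raise ValueError("EAP-Message without Message-Authenticator")
    for v, off in ma:
        tmp = pkt[:4] + hdr_auth + pkt[20:off + 2] + b"\x00" * 16 + pkt[off + 18:]
        if not hmac.compare_digest(v, hmac.new(secret, tmp, hashlib.md5).digest()):
            raise ValueError("Message-Authenticator mismatch")
    return attrs

def verify_response(pkt, req_auth, secret):  # NAS side: both checks pass before any EAP is relayed
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad length")
    if not hmac.compare_digest(pkt[4:20], hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()):
        raise ValueError("Response Authenticator mismatch")
    return check_message_authenticator(pkt, req_auth, secret)

def toy_server(req, secret, sessions):
    # Constructed server: Identity gets an MSCHAPv2 challenge; the next round is accepted without
    # validating the response (a real server checks it here) and hands back an address for the NAS.
    attrs = check_message_authenticator(req, req[4:20], secret)  # a request carries its own authenticator
    eap, req_auth, ident = eap_from_attrs(attrs), req[4:20], req[1]
    state = next((v for t, v, _ in attrs if t == STATE), None)
    if state not in sessions:
        state = os.urandom(8)
        sessions.add(state)
        chal = eap_pkt(EAP_REQUEST, eap[1] + 1, mschapv2(1, 1, os.urandom(16), b"srv"))
        return build_response(ACCESS_CHALLENGE, ident, req_auth, eap_to_attrs(chal) + [(STATE, state)], secret)
    accept = eap_to_attrs(eap_pkt(EAP_SUCCESS, eap[1])) + [(FRAMED_IP_ADDRESS, bytes([192, 168, 0, 17]))]
    return build_response(ACCESS_ACCEPT, ident, req_auth, accept, secret)

def nas_exchange(secret, identity, tamper=False):
    """NAS/iked side: relay the peer's EAP in Access-Requests, echo State unchanged, verify every reply
    before trusting it, and take config from the Access-Accept.  Returns (got_eap_success, framed_ip)."""
    sessions, state, eap_resp = set(), None, eap_pkt(EAP_RESPONSE, 1, b"\x01" + identity)  # Response/Identity
    for ident in (1, 2):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, identity), (NAS_IP_ADDRESS, bytes([192, 168, 0, 1]))] + eap_to_attrs(eap_resp)
        attrs += [(STATE, state)] if state is not None else []
        reply = toy_server(build(ACCESS_REQUEST, ident, req_auth, attrs, secret), secret, sessions)
        if tamper:  # flip one byte of the relayed EAP payload in transit
            reply = reply[:22] + bytes([reply[22] ^ 1]) + reply[23:]
        rattrs = verify_response(reply, req_auth, secret)  # raises on a forged or altered reply
        eap_req = eap_from_attrs(rattrs)                   # this is what goes to the IKE peer in IKE_AUTH
        if reply[0] == ACCESS_ACCEPT:
            ip = next(v for t, v, _ in rattrs if t == FRAMED_IP_ADDRESS)
            return eap_req[0] == EAP_SUCCESS, ".".join(map(str, ip))
        state = next(v for t, v, _ in rattrs if t == STATE)
        eap_resp = eap_pkt(EAP_RESPONSE, eap_req[1], mschapv2(2, eap_req[6], os.urandom(49), identity))
    raise RuntimeError("no Access-Accept")

def tampered_reply_is_rejected(secret=b"testing123"):
    try:
        return nas_exchange(secret, b"user@example.org", tamper=True) is None
    except ValueError:
        return True
```

nas_exchange(b"testing123", b"user@example.org") walks both rounds and returns (True, "192.168.0.17"); with tamper=True the altered Access-Challenge fails the Response Authenticator check and is discarded before its EAP reaches the peer. Two things a real deployment needs that the toy server leaves out: for methods that derive keys (MSCHAPv2, EAP-TLS) the server returns the MSK in MS-MPPE-Recv-Key/MS-MPPE-Send-Key (RFC 2548), which an IKEv2 responder must use for the AUTH payload after EAP (RFC 7296 2.16), and the UDP source address of every reply has to match the configured server, since the Response Authenticator only binds the reply to the request, not to a transport endpoint.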