
From: Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
Subject: Re: iked: RADIUS support
To: YASUOKA Masahiko <yasuoka@openbsd.org>, tobhe@openbsd.org, tech@openbsd.org, markus@openbsd.org, uwe@werler.is
Date: Tue, 30 Jan 2024 13:31:41 +0200

On 29/01/2024 22:24, Stuart Henderson wrote:
> On 2024/01/29 09:43, YASUOKA Masahiko wrote:
>> Let me update the diff.  Now I think it works with EAP methods other
>> than MSCHAP-V2.
>>
>> - feedback from markus
>>   - support MSK whose length != 16
>>   - give "iked_" prefix to the functions in radiusd
>> - pass EAP messages whose type isn't supported by eap.c
> I can only test user/password auth via RADIUS at the moment, I don't
> have anything setup for EAP_TLS etc.
>
> Connecting from Android StrongSWAN configured for user/password
> authentication, using FreeRADIUS (with the standard "users" file backend
> to authenticate) is working OK for me.
>
> (At first I had problems, but then I noticed I had "default_eap_type =
> md5" in mods-enabled/inner-eap from something which I was testing a long
> time ago and had forgotten about - that failed because it doesn't return
> the MS-MPPE-Send-Key and ...-Recv-Key attributes - I don't think other
> people are very likely to run into this :-)

I was also able to successfully connect and authenticate with EAP-TTLS/PAP and EAP-PEAP/MSCHAP-V2.
I used my production RADIUS server for eduroam (WPA-Enterprise) without any change there apart from adding a new RADIUS client (the VPN server).

I was also able to pass Framed-IP-Address from RADIUS (LDAP) back to the VPN server and assign it to the client.

One note that maybe should be added to the iked.conf(5) man page is that a server certificate is still required to be installed on the VPN server in order for this to work. That wasn't clear to me, and the client was giving me errors about the cert.

I've created and installed a CA with ikectl, and created and installed the server cert with ikectl.

On the client I've installed my self-signed ca.crt under Trusted Root Certificates.
Apart from the VPN server's certificate, the client needs to verify the RADIUS server's certificate for EAP.

G
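The thread touches two things the VPN server has to get right from the RADIUS Access-Accept: recovering the EAP MSK from the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes (including keys longer than 16 bytes, the point markus raised, and the failure Stuart hit when EAP-MD5 returned no MPPE keys at all), and picking up Framed-IP-Address for the client. The following is an added illustration, not code from the iked diff, iked itself, or FreeRADIUS. It works on the attribute bytes of a reply only (no full RADIUS header or Response Authenticator check), uses RFC 2548 2.4.2 key wrapping with the shared secret and Request Authenticator, assumes the common MSK layout Recv-Key || Send-Key, and all sample values (secret, authenticator, MSK, address) are constructed.

```python
"""Check a RADIUS Access-Accept for IKEv2 EAP: decrypt MS-MPPE keys
(RFC 2548 2.4.2) into the MSK and extract Framed-IP-Address (RFC 2865).
Added example; not iked's or FreeRADIUS's code."""
import hashlib
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8    # RFC 2865
VENDOR_SPECIFIC = 26     # RFC 2865
VENDOR_MICROSOFT = 311   # RFC 2548
MS_MPPE_SEND_KEY = 16    # RFC 2548 2.4.2
MS_MPPE_RECV_KEY = 17    # RFC 2548 2.4.3


def mppe_key_encrypt(key, secret, req_authenticator, salt):
    """RFC 2548 2.4.2 wrapping as the RADIUS server does it (used here only
    to build the sample reply): plaintext = length byte || key, zero-padded
    to 16-byte blocks, each block XORed with an MD5 chain seeded by the
    shared secret, Request Authenticator and a 2-byte salt (high bit set)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_key_decrypt(blob, secret, req_authenticator):
    """Inverse of the above, as the NAS (the VPN server) does it. Returns a
    key of whatever length the server encoded, not only 16 bytes."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", req_authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    n = plain[0]  # first plaintext byte is the key length
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad key length byte")
    return plain[1:1 + n]


def attr(atype, value):
    """Encode one RFC 2865 attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def ms_vsa(vtype, value):
    """Encode a Microsoft Vendor-Specific attribute (Vendor-Id 311)."""
    sub = bytes([vtype, 2 + len(value)]) + value
    return attr(VENDOR_SPECIFIC, struct.pack(">I", VENDOR_MICROSOFT) + sub)


def parse_attributes(data):
    """Return a list of (vendor_id, type, value); vendor_id is None for
    standard attributes. Every length field is bounds-checked before use."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("attribute length out of range")
        v = data[i + 2:i + ln]
        if t == VENDOR_SPECIFIC and len(v) >= 6:
            vid, j = struct.unpack(">I", v[:4])[0], 4
            while j < len(v):
                if j + 2 > len(v) or v[j + 1] < 2 or j + v[j + 1] > len(v):
                    raise ValueError("malformed vendor sub-attribute")
                out.append((vid, v[j], v[j + 2:j + v[j + 1]]))
                j += v[j + 1]
        else:
            out.append((None, t, v))
        i += ln
    return out


def check_access_accept(attrs_bytes, secret, req_authenticator):
    """Derive what the VPN server needs: the EAP MSK (assumed layout
    Recv-Key || Send-Key) and an optional Framed-IP-Address. A reply with
    no MPPE keys (the EAP-MD5 case) is reported as a failure, not ignored."""
    keys, framed_ip = {}, None
    for vid, t, v in parse_attributes(attrs_bytes):
        if vid == VENDOR_MICROSOFT and t in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY):
            keys[t] = mppe_key_decrypt(v, secret, req_authenticator)
        elif vid is None and t == FRAMED_IP_ADDRESS and len(v) == 4:
            framed_ip = str(ipaddress.IPv4Address(v))
    if MS_MPPE_RECV_KEY not in keys or MS_MPPE_SEND_KEY not in keys:
        return {"ok": False, "framed_ip": framed_ip,
                "error": "Access-Accept lacks MS-MPPE-Recv/Send-Key; no MSK for IKEv2 EAP"}
    return {"ok": True, "framed_ip": framed_ip,
            "msk": keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY]}


# Constructed sample: a 64-byte MSK sent as two 32-byte halves (not 16 bytes).
SAMPLE_SECRET = b"testing123"
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_MSK = bytes(range(100, 164))


def build_sample_accept(with_keys=True):
    """Attribute bytes of a constructed Access-Accept, with or without MPPE keys."""
    attrs = attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.5").packed)
    if with_keys:
        attrs += ms_vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(SAMPLE_MSK[:32], SAMPLE_SECRET, SAMPLE_REQ_AUTH, b"\x80\x01"))
        attrs += ms_vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(SAMPLE_MSK[32:], SAMPLE_SECRET, SAMPLE_REQ_AUTH, b"\x80\x02"))
    return attrs


if __name__ == "__main__":
    print(check_access_accept(build_sample_accept(), SAMPLE_SECRET, SAMPLE_REQ_AUTH))
    print(check_access_accept(build_sample_accept(False), SAMPLE_SECRET, SAMPLE_REQ_AUTH))
```

Running it shows the first reply yielding the full 64-byte MSK plus 10.0.0.5, and the second (Framed-IP-Address only, as an EAP-MD5 backend would produce) failing with an explicit error, which is the behaviour a NAS wants rather than a silent key-derivation failure later in IKE_AUTH.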