From: Kapetanakis Giannis
Subject: Re: iked: RADIUS support
To: tech@openbsd.org
Cc: YASUOKA Masahiko
Date: Fri, 26 Jan 2024 13:40:51 +0200

On 25/01/2024 11:50, YASUOKA Masahiko wrote:
> Hello,
>
> The diff adds RADIUS support for iked(8).
>
> ---
> ikev2 RAS passive esp \
>         from 0.0.0.0/0 to 0.0.0.0 \
>         local any peer any \
>         srcid (FQDN) \
>         eap radius \
>         config address 192.168.0.0/24
>
> radius server 192.168.0.4 secret testing123
> # radius accounting server 192.168.0.4 secret testing123
> ---
>
> We can ask EAP for a RADIUS server which supports EAP. Unfortunately
> radiusd(8) has no config which terminates EAP yet, so freeradius,
> Windows AD, or other is needed for test.
>
> Also
>
> - Use RADIUS attributes for configurations
> - RADIUS accounting is also supported
>
> comments? test? ok?

Hi,

Does this mean an inner EAP tunnel will go to the radius server, thus
supporting authentication types like EAP-TLS / EAP-TTLS/PAP /
EAP-PEAP/MSCHAPv2 depending on client and radius (IDP) server
configuration?

G