From: YASUOKA Masahiko
Subject: Re: iked: RADIUS support
To: stu@spacehopper.org
Cc: bilias@edu.physics.uoc.gr, tech@openbsd.org
Date: Sun, 28 Jan 2024 20:31:42 +0900

On Fri, 26 Jan 2024 13:09:37 +0000
Stuart Henderson wrote:
> On 2024/01/26 13:40, Kapetanakis Giannis wrote:
>> On 25/01/2024 11:50, YASUOKA Masahiko wrote:
>> > Hello,
>> >
>> > The diff adds RADIUS support for iked(8).
>> >
>> > ---
>> > ikev2 RAS passive esp \
>> >     from 0.0.0.0/0 to 0.0.0.0 \
>> >     local any peer any \
>> >     srcid (FQDN) \
>> >     eap radius \
>> >     config address 192.168.0.0/24
>> >
>> > radius server 192.168.0.4 secret testing123
>> > # radius accounting server 192.168.0.4 secret testing123
>> > ---
>> >
>> > We can ask EAP for a RADIUS server which supports EAP. Unfortunately
>> > radiusd(8) has no config which terminates EAP yet, so freeradius,
>> > Windows AD, or other is needed for test.
>> >
>> > Also
>> >
>> > - Use RADIUS attributes for configurations
>> > - RADIUS accounting is also supported
>> >
>> > comments? test? ok?
>>
>> Hi,
>>
>> Does this mean an inner EAP tunnel will go to the radius server, thus
>> supporting authentication types like EAP-TLS / EAP-TTLS/PAP /
>> EAP-PEAP/MSCHAPv2 depending on client and radius (IDP) server
>> configuration?
>
> That's how the diff reads to me.

Yes, I hope all EAP methods can be used. But other than MSCHAP-V2, it
might have an issue. I'm testing EAP-TLS with Windows AD, it doesn't
succeed. I think it can be fixed in a few days.

> I haven't tested yet but considering this also handles Framed-IP-Address
> (so you can hand out a specific IP address based on username) it adds
> a lot of very useful functionality. I'll try to get something set up here
> to test it ..

Thanks
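Added example, not part of this thread and not iked(8) or radiusd(8) code: a self-contained model of the RADIUS exchange that `eap radius` puts iked on the NAS side of. It builds an Access-Request carrying an EAP-Response/Identity in EAP-Message attributes with the Message-Authenticator RFC 3579 requires, plays the server by answering with an Access-Accept that carries Framed-IP-Address, and then does the checks the NAS must do before trusting that attribute: Response Authenticator (RFC 2865), Message-Authenticator, Identifier match and attribute-length sanity. The shared secret `testing123` is the one from the config above; the user name, the NAS address 10.0.0.1 and the handed-out address 192.168.0.50 are made up for the demo.

```python
"""RADIUS carrying EAP, NAS side and a toy server. Added example, not iked/radiusd
code. Secret is the one from the thread; user, NAS IP and Framed-IP are made up."""
import hashlib
import hmac
import os
import struct

# RFC 2865 / RFC 3579 codes and attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(t, value):
    """One attribute: Type, Length (including this 2-byte header), Value (<= 253 bytes)."""
    assert len(value) <= 253
    return bytes([t, len(value) + 2]) + value


def ip4(s):
    return bytes(int(o) for o in s.split("."))


def parse_attrs(body):
    """(type, value, offset) triples; a Length < 2 or past the end is rejected
    (a naive loop would spin forever on Length 0)."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[i + 2:i + l], i))
        i += l
    return attrs


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity (RFC 3748): what the IKEv2 peer returns to EAP-Request/Identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def message_authenticator(secret, header, request_auth, attrs):
    """RFC 3579 3.2: HMAC-MD5 over Code+ID+Length, the *Request* Authenticator
    (also for replies) and the attributes with the Message-Authenticator zeroed."""
    return hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()


def build_access_request(secret, ident, username, nas_ip, eap_pkt, request_auth=None):
    """NAS (iked) -> server. The EAP packet is split into EAP-Message attributes."""
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = attr(USER_NAME, username.encode()) + attr(NAS_IP_ADDRESS, ip4(nas_ip))
    attrs += b"".join(attr(EAP_MESSAGE, eap_pkt[i:i + 253]) for i in range(0, len(eap_pkt), 253))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, last attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs[:-16] + message_authenticator(secret, header, request_auth, attrs)


def build_access_accept(secret, request, framed_ip):
    """Toy server: accept and hand out an address via Framed-IP-Address."""
    ident, request_auth = request[1], request[4:20]
    attrs = attr(FRAMED_IP_ADDRESS, ip4(framed_ip)) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    attrs = attrs[:-16] + message_authenticator(secret, header, request_auth, attrs)
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_message_authenticator(secret, packet, request_auth):
    body = packet[20:]
    for t, v, off in parse_attrs(body):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
            return hmac.compare_digest(message_authenticator(secret, packet[:4], request_auth, zeroed), v)
    return False  # absent: RFC 3579 says an EAP-carrying packet without it is discarded


def handle_reply(secret, request, reply):
    """NAS side: authenticate the reply before acting on any attribute in it."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    request_auth = request[4:20]
    if length != len(reply) or length < 20 or ident != request[1]:
        raise ValueError("bad length or Identifier does not match outstanding request")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    if not verify_message_authenticator(secret, reply, request_auth):
        raise ValueError("missing or bad Message-Authenticator")
    attrs = parse_attrs(reply[20:])
    result = {"code": code, "eap": b"".join(v for t, v, _ in attrs if t == EAP_MESSAGE)}
    for t, v, _ in attrs:
        if code == ACCESS_ACCEPT and t == FRAMED_IP_ADDRESS and len(v) == 4:
            result["framed_ip"] = ".".join(str(b) for b in v)  # address to assign the peer
    return result


def demo(secret=b"testing123"):
    """One request/accept round trip; returns what the NAS learned."""
    eap = eap_identity_response(1, "alice@example.org")
    req = build_access_request(secret, 7, "alice@example.org", "10.0.0.1", eap)
    assert verify_message_authenticator(secret, req, req[4:20])  # the server's check
    return handle_reply(secret, req, build_access_accept(secret, req, "192.168.0.50"))


if __name__ == "__main__":
    print(demo())  # {'code': 2, 'eap': b'', 'framed_ip': '192.168.0.50'}
```

A real Access-Challenge would carry the next EAP-Request in EAP-Message attributes (the `eap` field above), which the NAS relays to the IKEv2 peer inside IKE_AUTH; the loop ends with Access-Accept or Access-Reject. The two authenticators are the only thing standing between a spoofed UDP reply and a handed-out address, so a NAS must drop replies that fail either check rather than falling back to the Response Authenticator alone.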