From: Kapetanakis Giannis
Subject: Re: iked: RADIUS support
To: YASUOKA Masahiko, stu@spacehopper.org
Cc: tech@openbsd.org
Date: Mon, 29 Jan 2024 14:18:05 +0200

On 28/01/2024 13:31, YASUOKA Masahiko wrote:
> On Fri, 26 Jan 2024 13:09:37 +0000
> Stuart Henderson wrote:
>> On 2024/01/26 13:40, Kapetanakis Giannis wrote:
>>> On 25/01/2024 11:50, YASUOKA Masahiko wrote:
>>>> Hello,
>>>>
>>>> The diff adds RADIUS support for iked(8).
>>>>
>>>> ---
>>>> ikev2 RAS passive esp \
>>>>     from 0.0.0.0/0 to 0.0.0.0 \
>>>>     local any peer any \
>>>>     srcid (FQDN) \
>>>>     eap radius \
>>>>     config address 192.168.0.0/24
>>>>
>>>> radius server 192.168.0.4 secret testing123
>>>> # radius accounting server 192.168.0.4 secret testing123
>>>> ---
>>>>
>>>> We can ask EAP for a RADIUS server which supports EAP. Unfortunately
>>>> radiusd(8) has no config which terminates EAP yet, so freeradius,
>>>> Windows AD, or other is needed for test.
>>>>
>>>> Also
>>>>
>>>> - Use RADIUS attributes for configurations
>>>> - RADIUS accounting is also supported
>>>>
>>>> comments? test? ok?
>>> Hi,
>>>
>>> Does this mean an inner EAP tunnel will go to the radius server, thus
>>> supporting authentication types like EAP-TLS / EAP-TTLS/PAP /
>>> EAP-PEAP/MSCHAPv2 depending on client and radius (IDP) server
>>> configuration?
>> That's how the diff reads to me.
> Yes, I hope all EAP methods can be used.
>
> But other than MSCHAP-V2, it might have an issue. I'm testing EAP-TLS
> with Windows AD, it doesn't succeed. I think it can be fixed in a few
> days.

That is very nice and a long-awaited feature!

I'm also going to give it a try since I have a radius server ready,
supporting multiple EAP types for eduroam.

Since I can't find the following info easily on Google, what kind of EAP
does the Windows 10 client do when you set up an IKEv2 VPN? There is no
interface to change/show security settings (PEAP/TTLS - MSCHAPv2/PAP)
like it does for Wi-Fi and WPA2-Enterprise.

G
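As an added illustration, not part of this thread or of the iked diff under discussion, of what the `eap radius` path hands to the RADIUS server: an Access-Request carrying an EAP-Message, the Access-Challenge that answers it, and the two checks a client must run before trusting a reply. The packet layout follows RFC 2865 and RFC 3579 (Message-Authenticator is mandatory on any packet that carries EAP-Message); the secret is the one from the quoted config, while the fixed Request Authenticator and the EAP payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed: secret as in the quoted iked.conf; a real client draws 16 random bytes.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
EAP_IDENTITY = b"\x02\x01\x00\x09\x01user"  # EAP Response/Identity "user"
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(pkt):
    """Return (type, value_offset, value) triples; reject bad lengths."""
    out, i = [], 20
    while i < len(pkt):
        alen = pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("bad RADIUS attribute length")
        out.append((pkt[i], i + 2, pkt[i + 2:i + alen]))
        i += alen
    return out

def build_access_request(ident, req_auth, username, eap, secret):
    """Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed), RFC 3579 3.2."""
    attrs = attr(USER_NAME, username) + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_access_challenge(ident, req_auth, eap, secret):
    """Reply: MA is keyed over the Request Authenticator, then RFC 2865 Response Authenticator."""
    attrs = attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs)) + req_auth + attrs
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]

def verify_message_authenticator(pkt, secret, req_auth):
    """False when MA is absent: an EAP-carrying packet without it must be discarded."""
    for atype, off, value in parse_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:4] + req_auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def verify_response_authenticator(pkt, secret, req_auth):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])
```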