[strongSwan] strongswan with radius
Tobias Brunner
tobias at strongswan.org
Thu Aug 16 11:18:55 CEST 2012
Hi Steve,
> Specifically with the iPhone he is "looking for XAuthInitPSK config" but then
> he shows "no peer config found" in the syslog entries.
The configuration you added with
> leftauth=pubkey
> rightauth=eap-xauth
is not correct. What you want to do (if you want to use XAuth/PSK) is this:
leftauth=psk
rightauth=psk
rightauth2=xauth-eap
Some clients (e.g. Mac OS X Mountain Lion) can also use hybrid
authentication where the client is only authenticated with XAuth and the
gateway uses pubkey authentication:
leftauth=pubkey
rightauth=xauth-eap
The iPhone can do that too, but it does not verify the identity of the
gateway against the certificate which makes it vulnerable to
man-in-the-middle attacks.
An alternative is to generate a single key/cert pair and use that for
all clients. Then use XAuth/RSA in which case the RSA authentication is
only used to verify the gateway's identity (since all clients use the
same key/cert pair) while the clients then use XAuth to actually
identify themselves:
leftauth=pubkey
rightauth=pubkey
rightauth2=xauth-eap
Regards,
Tobias
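Shown below, as an added example that is not from the original message, is the XAuth/RSA variant wired into a complete IKEv1 connection, with the XAuth credentials checked against a RADIUS server via strongSwan's xauth-eap and eap-radius plugins (the thread's subject). The addresses, file names, subnet and RADIUS secret are assumptions.

```conf
# /etc/ipsec.conf (assumed layout; values are placeholders)
conn xauth-rsa
    keyexchange=ikev1
    left=%any
    leftcert=gatewayCert.pem          # gateway cert, verified by the client
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.10.0.0/24        # virtual IPs handed to clients
    rightauth=pubkey                  # single key/cert pair shared by all clients
    rightauth2=xauth-eap              # per-user identity comes from XAuth
    auto=add

# XAuth/PSK variant from the same reply, for clients that cannot do RSA
conn xauth-psk
    keyexchange=ikev1
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightsourceip=10.10.1.0/24
    rightauth=psk
    rightauth2=xauth-eap
    auto=add

# /etc/ipsec.secrets
: RSA gatewayKey.pem
: PSK "CHANGE-ME-group-psk"

# /etc/strongswan.conf
charon {
    plugins {
        xauth-eap {
            backend = radius          # hand XAuth credentials to eap-radius
        }
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10
                    secret = CHANGE-ME-radius-secret
                }
            }
        }
    }
}
```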