[strongSwan] xauth - ikev1 - ikev2 - radius - eDir
Martin Willi
martin at strongswan.org
Tue Oct 1 13:40:23 CEST 2013
Hi Björn,

> So I got to the point where we need a FreeRadius to be connected to the
> eDir.
> But now I am not sure what way to take. I very much like the ikev2 but
> as described here [...] We need an IKEv1 Xauth to use it.

Do you want to connect IKEv1 or IKEv2 clients to your LAN? The whole
xauth-eap thing is just required for IKEv1 clients; IKEv2 can directly
use the eap-radius plugin for EAP-MSCHAPv2 authentication.

> As Sles11Sp3 comes with strongswan-4.4.0-6.17.5 and I would not really
> like to leave the patchmanagement SuSE

4.4.0 is quite old. It supports eap-radius, but the syntax was more
limited and a little different. The wiki page [1] does not apply to this
old release: specify the RADIUS options directly in the eap-radius
section; 4.4.0 did not have support for multiple servers.

> What would be the right way to let users authenticate at our VPN Gateway
> using the credentials Freeradius gets out of our eDir? Xauth? ikev1/2?

If you have clients speaking IKEv2 (Windows 7), you should definitely go
with IKEv2. [2] has some information about basic configuration. Replace
eap-mschapv2 with eap-radius to delegate authentication. The eap-radius
plugin allows you to verify username/password over RADIUS, for example
against a FreeRADIUS AAA.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius/7
[2] http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#B-Authentication-using-EAP-MSCHAP-v2
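
A sketch of the setup the reply describes, added here as an example and not taken from the original message or the strongSwan wiki: a single RADIUS server configured directly in the eap-radius section, and an IKEv2 connection that uses eap-radius where the Windows 7 example uses eap-mschapv2. The addresses, subnets, connection name, certificate file name, NAS identifier and secret are constructed placeholders, and the gateway authenticating itself with a certificate is an assumption.

```conf
# --- /etc/strongswan.conf ---
# Old-style layout: one RADIUS server, options set directly in the
# eap-radius section (no per-server subsections).
charon {
  plugins {
    eap-radius {
      # Constructed address of the FreeRADIUS host that queries eDir.
      server = 192.0.2.10
      # Placeholder. Must match the shared secret FreeRADIUS has
      # configured for this gateway as a RADIUS client.
      secret = REPLACE_WITH_SHARED_SECRET
      # Constructed NAS identifier sent in Access-Request messages.
      nas_identifier = vpn-gateway
    }
  }
}

# --- /etc/ipsec.conf ---
conn ikev2-eap-radius
    keyexchange=ikev2
    left=%any
    # Assumption: the gateway proves its identity with a certificate.
    leftauth=pubkey
    leftcert=gatewayCert.pem
    # Constructed LAN subnet offered to clients.
    leftsubnet=10.1.0.0/16
    right=%any
    # Hand the client's EAP exchange to the RADIUS server instead of
    # verifying it locally with eap-mschapv2.
    rightauth=eap-radius
    rightsendcert=never
    # Constructed virtual IP pool for clients.
    rightsourceip=10.3.0.0/24
    # Ask the client for its EAP identity rather than using the IKE ID.
    eap_identity=%any
    auto=add
```

The RADIUS shared secret sits in strongswan.conf in clear text, so the file should be readable by root only.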