[strongSwan] Strongswan EAP-TTLS + user/password(chap)

Martin Willi martin at strongswan.org
Wed Jun 24 09:17:59 CEST 2015


> Is there any way that I could use user/password inside the EAP-TTLS tunnel?
> Windows clients are able to initiate an IKE tunnel with EAP-TTLS and
> user+password as their authentication protocol, and I'm trying to use
> strongSwan as my server side.

strongSwan EAP-TTLS currently does not support tunneling plain PAP/CHAP,
but only other EAP methods.

> If not, what do you recommend in such a solution where an authentication
> system with user+password is required? (CHAP alone is not secure
> enough.)

Using plain EAP-MSCHAPv2 is usually fine in IKEv2 if you terminate EAP
at the IKE responder. The EAP exchange is protected by IKEv2 using the
responder's server certificate.

If that is insufficient for you, you may EAP-TTLS- or PEAP-tunnel
EAP-MSCHAPv2. That is supported by the Windows client. But from a
security perspective it does not help much if you terminate EAP at the
IKE responder; it just complicates things.

If you terminate EAP at an AAA backend using our eap-radius plugin, you
might want additional security on the gateway->AAA link. Using EAP-TTLS
(with any inner authentication method) may be an option. strongSwan does
not terminate EAP then, and you can use any method that the client and
the AAA support.
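As an added illustration of the third option (not part of the original reply): a strongSwan gateway that relays EAP to a RADIUS backend with the eap-radius plugin, so the AAA server, not the gateway, negotiates EAP-TTLS with the client. The connection name, addresses, certificate file name and shared secret are placeholders.

```ini
# ipsec.conf (added example, not from the original mail)
conn ikev2-eap-relay
    left=%any
    leftcert=gatewayCert.pem        # gateway's server certificate (placeholder name)
    leftauth=pubkey                 # gateway authenticates with its certificate
    leftsubnet=0.0.0.0/0
    rightauth=eap-radius            # relay EAP to the AAA backend instead of terminating it
    eap_identity=%identity          # use the EAP identity the client presents
    rightsourceip=10.10.10.0/24     # placeholder client pool
    auto=add

# strongswan.conf (added example, not from the original mail)
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10          # placeholder RADIUS/AAA address
                    secret = RADIUS_SHARED_SECRET # placeholder shared secret
                    auth_port = 1812
                }
            }
        }
    }
}
```

The gateway->AAA link is still only protected by the RADIUS shared secret, which is why the reply suggests EAP-TTLS between client and AAA when that link needs additional protection.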
