[strongSwan] Strongswan EAP-TTLS + user/password(chap)

iman Khosravi im.khosravi at gmail.com
Wed Jun 24 09:24:27 CEST 2015


Thanks Martin, your information was very useful.
Actually, I'm trying to use FreeRADIUS with strongSwan using the EAP-RADIUS
plugin.
Do you have any information regarding FreeRADIUS support of this thing?


On Wed, Jun 24, 2015 at 11:48 AM Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > Is there any way that I could use user/password inside the EAP-TTLS tunnel?
> > Windows clients are able to initiate an IKE tunnel with EAP-TTLS and
> > user+password as their authentication protocol, and I'm trying to use
> > strongSwan as my server side.
>
> strongSwan EAP-TTLS currently does not support tunneling plain PAP/CHAP,
> but only other EAP methods.
>
> > If not, what do you recommend in such a solution where an authentication
> > system with user+password is required? (CHAP alone is not secure
> > enough.)
>
> Using plain EAP-MSCHAPv2 is usually fine in IKEv2 if you terminate EAP
> at the IKE responder. The EAP exchange is protected by IKEv2 using the
> responder's server certificate.
>
> If that is insufficient for you, you may EAP-TTLS- or PEAP-tunnel
> EAP-MSCHAPv2. That is supported by the Windows client. But from a
> security perspective it does not help much if you terminate EAP at the
> IKE responder, just complicates things.
>
> If you terminate EAP at an AAA backend using our eap-radius plugin, you
> might want additional security on the gateway->AAA link. Using EAP-TTLS
> (with any inner authentication method) may be an option. strongSwan does
> not terminate EAP then, and you can use any method that the client and
> the AAA supports.
>
> Regards
> Martin
>
>
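As an added illustration of the last arrangement Martin describes (EAP terminated at the AAA backend, with strongSwan only relaying the exchange through the eap-radius plugin), here is a strongswan.conf and swanctl.conf fragment. It is example configuration written for this thread, not taken from the list post or the strongSwan project; the AAA address, shared secret, certificate file, identities and address ranges are placeholders.

```conf
# strongswan.conf (example; AAA address and shared secret are placeholders)
charon {
    plugins {
        eap-radius {
            # The RADIUS shared secret protects only the gateway->AAA hop, and
            # only weakly. With EAP-TTLS the inner credentials stay inside the
            # TLS tunnel between client and AAA, so the gateway never sees them.
            servers {
                aaa {
                    address = 10.0.0.5                # placeholder FreeRADIUS host
                    secret = replace-with-a-long-random-secret
                    auth_port = 1812
                }
            }
        }
    }
}

# swanctl.conf (example)
connections {
    rw-eap {
        version = 2
        local {
            # The gateway still authenticates itself to the client with a
            # certificate; the IKEv2 SA protects the whole EAP exchange.
            auth = pubkey
            certs = gatewayCert.pem                   # placeholder certificate file
            id = vpn.example.org                      # placeholder gateway identity
        }
        remote {
            # Relay the client's EAP exchange to RADIUS instead of terminating
            # it in charon; the method (EAP-TTLS plus an inner method) is then
            # negotiated between the client and the AAA server.
            auth = eap-radius
            eap_id = %any
        }
        pools = rw-pool
        children {
            rw-net {
                local_ts = 10.10.0.0/16               # placeholder internal network
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.10.200.0/24                        # placeholder client address pool
    }
}
```

Contrast this with terminating EAP on the gateway (remote auth = eap-mschapv2): there the tunnel to the AAA server does not exist, which is why Martin notes that wrapping EAP-MSCHAPv2 in EAP-TTLS or PEAP adds little in that mode.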