[strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager
Tobias Brunner
tobias at strongswan.org
Thu Apr 18 10:23:24 CEST 2019
Hi Chris,

> So I guess the question is, what's the security risk here? I always knew
> that with PEAP, there is PKI as an outer method. What am I missing
> without that outer method encryption. Guess I need to read some more....

One aspect is whether the EAP-MSCHAPv2 authentication is terminated on
the VPN gateway directly (e.g. via eap-mschapv2 plugin) or on a separate
RADIUS server. In the latter scenario EAP-PEAP/TTLS authenticates the
AAA server to the client and the connection between VPN gateway and
RADIUS server is also encrypted.

> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
> charon-nm.plugins.eap-peap.load = no

That's not actually the correct syntax. See [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
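
The nested-section form that strongswan.conf expects for the quoted setting, shown as an added example that is not part of the original message. It assumes the intent was to keep charon-nm from loading the eap-peap plugin.

```conf
# Added example, not from the original thread.
#
# Form quoted in the message (shown commented out): a dotted option name
# written as a key inside a "charon" section. Key and section names in the
# file may not contain dots, so this is not parsed as the intended option.
#
# charon {
#     charon-nm.plugins.eap-peap.load = no
# }

# In the file, each dot of the documented option name
# charon-nm.plugins.eap-peap.load becomes one level of section nesting.
# Assumption: the goal is to stop charon-nm from loading eap-peap.
charon-nm {
    plugins {
        eap-peap {
            load = no
        }
    }
}
```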