[Swan] additional authentication, like LDAP, Kerberos, RADIUS on tunnels
Paul Wouters
paul at nohats.ca
Thu Sep 15 22:28:09 EEST 2022
For IKEv2 that would go via EAP.
Currently, only EAP-TLS is implemented. You are looking at EAP-MSCHAPv2. We don’t support that yet. I know strongSwan does support it.
Paul
ps. Patches or other support always welcomed 😀
Sent using a virtual keyboard on a phone
> On Sep 15, 2022, at 13:44, Brendan Kearney <bpk678 at gmail.com> wrote:
>
> list members,
>
> IKEv1 could employ L2TP and PPP to authenticate a user on one end of a tunnel against RADIUS, for additional security. i am not seeing any info about IKEv2 being able to do so, and i may have come across write-ups saying not to use L2TP at all with IKEv2.
>
> is there a way to tie other authentication and authorization (AuthN/Z) mechanisms and policies to an IKEv2 tunnel for road warriors? i see PSK and certificates as "host" based AuthN, and not specifically identifying a user. i would want a tunnel to require (PSK || Certificate) + (User/Pass && Group Membership) in order to successfully connect. is there any way of accomplishing this with IKEv2?
>
> thank you,
>
> brendan
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan