[Swan] additional authentication, like LDAP, Kerberos, RADIUS on tunnels
Michael Schwartzkopff
ms at sys4.de
Thu Sep 15 22:15:40 EEST 2022
On 15.09.22 19:44, Brendan Kearney wrote:
> list members,
>
> IKEv1 could employ L2TP and PPP to authenticate a user on one end of a
> tunnel against RADIUS, for additional security. i am not seeing any
> info about IKEv2 being able to do so, and i may have come across write
> ups saying not to use L2TP at all with IKEv2.
>
> is there a way to tie other authentication and authorization (AuthN/Z)
> mechanisms and policies to a IKEv2 tunnel for road warriors? i see
> PSK and certificates as "host" based AuthN, and not specifically
> identifying a user. i would want a tunnel to require (PSK ||
> Certificate) + (User/Pass && Group Membership) in order to
> successfully connect. is there any way of accomplishing this with IKEv2?
>
> thank you,
>
> brendan
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
IKEv2 can utilize the EAP mech to extend auth possibilities. Any
reasonable RADIUS server will understand EAP packets. I have very good
experience with FreeRADIUS.
user / pass -> EAP_TTLS with EAP_GTC (or MD5) in the TLS tunnel
user / cert -> EAP_TLS.
The backend RADIUS server can handle both. You also could have an LDAP
server as a backend for the RADIUS.
Kind regards,
--
sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
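The mechanism the reply relies on is EAP pass-through: the IKEv2 gateway forwards each EAP packet it receives in IKE_AUTH to the RADIUS server inside EAP-Message attributes, and RFC 3579 requires every such Access-Request to carry a Message-Authenticator keyed with the gateway/RADIUS shared secret. The following is an added example, not code from the thread, from libreswan or from FreeRADIUS: it builds the first such request (an EAP-Response/Identity) as the gateway would, and validates it as the server would; the user name, shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity (RFC 3748 s5.1): the first EAP packet the IKEv2 peer sends in IKE_AUTH."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def attr(atype, value):
    assert len(value) <= 253  # RADIUS attribute values are limited to 253 bytes (RFC 2865 s5)
    return bytes([atype, 2 + len(value)]) + value

def build_access_request(secret, ident, user, eap, req_auth):
    """Gateway side: wrap one EAP packet from IKE_AUTH in a RADIUS Access-Request (EAP pass-through)."""
    attrs = attr(ATTR_USER_NAME, user.encode())
    for i in range(0, len(eap), 253):  # RFC 3579 s3.1: long EAP packets span several EAP-Message attrs
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    # RFC 3579 s3.2: Message-Authenticator is mandatory with EAP-Message; HMAC-MD5 over the whole
    # packet with its own value zeroed, keyed with the shared secret between gateway and RADIUS
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator was appended last, so its value is the tail

def verify_access_request(secret, pkt):
    """Server side: check the Message-Authenticator, then return user name and reassembled EAP."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    user, eap, ma_off, pos = None, b"", None, 20
    while code == ACCESS_REQUEST and length == len(pkt) and pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return False, {}
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            user = value.decode()
        elif atype == ATTR_EAP_MESSAGE:
            eap += value
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            ma_off = pos + 2
        pos += alen
    if ma_off is None:  # EAP-Message without Message-Authenticator must be silently discarded
        return False, {}
    expected = hmac.new(secret, pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:], hashlib.md5).digest()
    ok = hmac.compare_digest(expected, pkt[ma_off:ma_off + 16])
    return ok, ({"user": user, "eap": eap} if ok else {})
```

The later EAP-TTLS or EAP-TLS rounds travel the same way, one Access-Request/Access-Challenge pair per EAP round trip, until the server returns Access-Accept or Access-Reject and the gateway completes or aborts IKE_AUTH accordingly.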