[Swan] additional authentication, like LDAP, Kerberos, RADIUS on tunnels

Michael Schwartzkopff ms at sys4.de
Thu Sep 15 22:15:40 EEST 2022

On 15.09.22 19:44, Brendan Kearney wrote:
> list members,
> IKEv1 could employ L2TP and PPP to authenticate a user on one end of a 
> tunnel against RADIUS, for additional security.  i am not seeing any 
> info about IKEv2 being able to do so, and i may have come across write 
> ups saying not to use L2TP at all with IKEv2.
> is there a way to tie other authentication and authorization (AuthN/Z) 
> mechanisms and policies to a IKEv2 tunnel for road warriors?  i see 
> PSK and certificates as "host" based AuthN, and not specifically 
> identifying a user.   i would want a tunnel to require (PSK || 
> Certificate) + (User/Pass && Group Membership) in order to 
> successfully connect.  is there any way of accomplishing this with IKEv2?
> thank you,
> brendan
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

IKEv2 can utilize the EAP mech to extend auth possibilities. Any 
reasonable RADIUS server will understand EAP packets. I have very good 
experience with FreeRADIUS.

user / pass -> EAP_TTLS with EAP_GTC (or MD5) in the TLS tunnel

user / cert -> EAP_TLS.

The backend RADIUS server can handle both. You also could have a LDAP 
server as a backend for the RADIUS.

Mit freundlichen Grüßen,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the Swan mailing list