List: strongswan-users
Subject: Re: [strongSwan] Strongswan EAP-TTLS + user/password(chap)
From: iman Khosravi <im.khosravi () gmail ! com>
Date: 2015-06-24 7:24:27
Message-ID: CAA3bSFC2aecxyhhi7gSrmRoWDeODQvjHfad8Fa6No-uOVX_q0A () mail ! gmail ! com
Thanks Martin, your information was very useful.
Actually I'm trying to use FreeRadius with Strongswan using EAP-Radius
plugin.
Do you have any information regarding FreeRadius support of this thing?
On Wed, Jun 24, 2015 at 11:48 AM Martin Willi <martin@strongswan.org> wrote:
> Hi,
>
> > Is there any way that I could use user/password inside eap-ttls tunnel?
> > Windows clients are able to initiate IKE tunnel with eap-ttls and
> > user+password as their authentication protocol and I'm trying to use
> > Strongswan as my server side.
>
> strongSwan EAP-TTLS currently does not support tunneling plain PAP/CHAP,
> but only other EAP methods.
>
> > If not, what do you recommend in such a solution that an authentication
> > system with user+password is required. (CHAP alone is not secure
> > enough).
>
> Using plain EAP-MSCHAPv2 is usually fine in IKEv2 if you terminate EAP
> at the IKE responder. The EAP exchange is protected by IKEv2 using the
> responder's server certificate.
>
> If that is insufficient for you, you may EAP-TTLS- or PEAP-tunnel
> EAP-MSCHAPv2. That is supported by the Windows client. But from a
> security perspective it does not help much if you terminate EAP at the
> IKE responder, just complicates things.
>
> If you terminate EAP at an AAA backend using our eap-radius plugin, you
> might want additional security on the gateway->AAA link. Using EAP-TTLS
> (with any inner authentication method) may be an option. strongSwan does
> not terminate EAP then, and you can use any method that the client and
> the AAA supports.
>
> Regards
> Martin
>
>
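As an added illustration (not part of Martin's mail and not the strongSwan project's own documentation), the two deployment shapes he describes as strongSwan configuration fragments: EAP-MSCHAPv2 terminated on the IKE responder, and EAP relayed unchanged to a RADIUS backend through the eap-radius plugin. Connection names, addresses, identities, file names and secrets are placeholders.

```conf
# --- swanctl.conf (added example; names, addresses and secrets are placeholders)
connections {
    rw-eap {
        local_addrs = 203.0.113.1           # placeholder gateway address
        pools = rw-pool
        local {
            auth = pubkey                   # responder proves itself by certificate first
            certs = gatewayCert.pem         # placeholder certificate file
            id = vpn.example.org
        }
        remote {
            # Option 1: terminate EAP on the IKE responder. EAP-MSCHAPv2 runs
            # inside the IKEv2 SA and is checked against the secrets below.
            auth = eap-mschapv2
            # Option 2: relay EAP to the AAA backend instead. strongSwan does
            # not terminate EAP; client and AAA server pick the method.
            # auth = eap-radius
            eap_id = %any                   # accept the EAP identity the client sends
        }
        children {
            net {
                local_ts = 10.0.0.0/8
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.10.10.0/24
    }
}
secrets {
    eap-alice {                             # consulted only for option 1
        id = alice
        secret = "placeholder-password"
    }
}
# --- strongswan.conf, needed only for option 2: the eap-radius plugin's
# backend. The gateway->AAA hop is outside IKEv2 and needs its own protection.
charon {
    plugins {
        eap-radius {
            servers {
                aaa {
                    address = 192.0.2.10    # placeholder RADIUS server
                    secret = placeholder-radius-secret
                }
            }
        }
    }
}
```

With option 2 the client-side method is whatever the Windows client and the RADIUS server agree on, so EAP-TTLS with an inner method works there even though strongSwan itself cannot terminate tunneled PAP/CHAP.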
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users