Project

General

Profile

Todo #5219

EAP-RADIUS selection for IKEv2 Mobile IPsec should warn if the selected authentication backend is not a RADIUS server.

Added by Jim Pingle almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
09/30/2015
Due date:
% Done:

100%

Estimated time:

Description

When selecting EAP-RADIUS for a IKEv2 mobile IPsec Phase 1 authentication, the chosen backend server on the Mobile Clients tab must be a RADIUS server. Currently if another type is selected it results in a broken configuration without a warning.

Associated revisions

Revision 0e8674d0 (diff)
Added by Matthew Smith almost 4 years ago

Validate that the Mobile Client settings have a valid RADIUS server selected
as the source for user authentication when EAP-RADIUS is selected as the phase
1 authentication method for mobile IPsec. Fixes #5219.

Revision fce93905 (diff)
Added by Matthew Smith almost 4 years ago

Validate that the Mobile Client settings have a valid RADIUS server selected
as the source for user authentication when EAP-RADIUS is selected as the
phase 1 authentication method for mobile IPsec. Fixes #5219.

Revision 6684d594 (diff)
Added by Matthew Smith almost 4 years ago

Don't allow IPsec mobile clients user auth source to not be a RADIUS server if
the phase1 auth method is EAP-RADIUS. Properly handle selection of multiple
RADIUS servers when using EAP-RADIUS. Fixes #5219.

History

#1 Updated by Chris Buechler almost 4 years ago

  • Project changed from Bootstrap to pfSense
  • Category set to IPsec

moving since it's not bootstrap-specific

#2 Updated by Jim Thompson almost 4 years ago

  • Assignee set to Matthew Smith

#3 Updated by Matthew Smith almost 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to New
  • % Done changed from 100 to 50

The warning is given when the user saves on the Mobile IPsec Phase 1, but it is still possible to break by selecting a Non-RADIUS auth server on the Mobile Clients tab.

#6 Updated by Matthew Smith almost 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 50 to 100

#7 Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Resolved

Seems to be solid now, I can't coerce it into a broken configuration either way.

Also available in: Atom PDF