Feature #5825
open
Allow EAP-RADIUS for authentication servers
0%
Description
When configuring a RADIUS authentication server, one must currently allow unencrypted PAP/SPAP connections. We should be able to configure it to use EAP encryption.
Updated by Adam Thompson over 8 years ago
Supposedly this exists, per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, but I'm not 100% convinced that it's functional.
Updated by Joe McNolan over 8 years ago
Adam Thompson wrote:
Supposedly this exists, per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, but I'm not 100% convinced that it's functional.
It's functional for IPSec, as IPSec's IKE phase 1 config page lets you explicitly specify the authentication method to EAP-MSChapv2 or EAP-TLS or whatever.
However, pfSense's own RADIUS configuration page doesn't provide any options for authentication method. Testing with the "Diagnostics / Authentication" page, it seems to only support PAP/SPAP currently. I think OpenVPN uses the same pfSense RADIUS auth, so it suffers the same limitation.
Updated by Joe McNolan over 7 years ago
Related: https://redmine.pfsense.org/issues/7111
Although it's not EAP, MSCHAPv2 is better than PAP
Updated by Jim Pingle over 5 years ago
- Category changed from User Manager / Privileges to Authentication