Project

General

Profile

Feature #5825

Allow EAP-RADIUS for authentication servers

Added by Orion Poplawski over 4 years ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
01/27/2016
Due date:
% Done:

0%

Estimated time:

Description

When configuring a RADIUS authentication server, one must currently allow unencrypted PAP/SPAP connections. We should be able to configure it to use EAP encryption.

History

#1 Updated by Adam Thompson about 4 years ago

Supposedly this exists, per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, but I'm not 100% convinced that it's functional.

#2 Updated by Joe McNolan almost 4 years ago

Adam Thompson wrote:

Supposedly this exists, per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, but I'm not 100% convinced that it's functional.

It's functional for IPSec, as IPSec's IKE phase 1 config page lets you explicitly specify the authentication method to EAP-MSChapv2 or EAP-TLS or whatever.

However, pfSense's own RADIUS configuration page doesn't provide any options for authentication method. Testing with the "Diagnostics / Authentication" page, it seems to only support PAP/SPAP currently. I think OpenVPN uses the same pfSense RADIUS auth, so it suffers the same limitation.

#3 Updated by Joe McNolan about 3 years ago

Related: https://redmine.pfsense.org/issues/7111

Although it's not EAP, MSCHAPv2 is better than PAP

#4 Updated by Jim Pingle 11 months ago

  • Category changed from User Manager / Privileges to Authentication

Also available in: Atom PDF