Feature #5825

open

Allow EAP-RADIUS for authentication servers

Added by Orion Poplawski over 5 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date: 01/27/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

When configuring a RADIUS authentication server, one must currently allow unencrypted PAP/SPAP connections. We should be able to configure it to use EAP encryption.

Actions #1

Updated by Adam Thompson over 5 years ago

Supposedly this exists, per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, but I'm not 100% convinced that it's functional.

Actions #2

Updated by Joe McNolan about 5 years ago

Adam Thompson wrote:

Supposedly this exists, per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, but I'm not 100% convinced that it's functional.

It's functional for IPsec, as IPsec's IKE phase 1 config page lets you explicitly set the authentication method to EAP-MSCHAPv2 or EAP-TLS or whatever.

However, pfSense's own RADIUS configuration page doesn't provide any options for authentication method. Testing with the "Diagnostics / Authentication" page, it seems to only support PAP/SPAP currently. I think OpenVPN uses the same pfSense RADIUS auth, so it suffers the same limitation.

Actions #3

Updated by Joe McNolan over 4 years ago

Related: https://redmine.pfsense.org/issues/7111

Although it's not EAP, MSCHAPv2 is better than PAP.

Actions #4

Updated by Jim Pingle about 2 years ago

  • Category changed from User Manager / Privileges to Authentication