I am setting up an IPsec+L2TP VPN for a couple of Windows boxes connecting to a Debian 7.6 (Wheezy) machine running ipsec-tools and xl2tpd/pppd. Client authentication via MSCHAPv2 works well enough, but I would like to use an 802.1X certificate setup off of a local FreeRADIUS installation. What I had in mind was some kind of EAP-TLS pass-through from pppd to the RADIUS server, analogous to the existing WAP supplicant-server setup. However, pppd in all its patched glory insists on handling EAP-TLS authentication all by itself, basically duplicating efforts.

Has anyone had any success with the same or a similar approach?

Any pointers and/or sanity checks greatly appreciated!

Mike

canut
  • They terminate it locally? That's annoying. I've only seen it done with MSCHAPv2 though can definitely see the utility in having EAP. – Arran Cudbard-Bell Nov 10 '14 at 17:28
  • Yep. To be fair, EAP-MSCHAPv2 works out of the box with pppd, but I'd like to keep the AA+A(ccounting) aspect of the existing freeradius setup. Right now that basically means radwho with cert CN and client (WAP vs VPN) identifier. Given that IKEv2 support still looks a bit shaky on a Linux/Windows combo, I'm surprised that I appear to be the only one with this particular problem. Usually, that's a strong indicator that there might be a better way to do this :) – canut Nov 11 '14 at 19:56
  • To wrap this up, I settled for cert auth with IKE and MSCHAPv2 via radius extensions for pppd. Works well enough ;) – canut Nov 30 '14 at 19:39
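For the approach the last comment describes settling on (the IKE leg authenticated with certificates in racoon, and the PPP leg doing MSCHAPv2 handed off to FreeRADIUS through pppd's radius plugin, so accounting lands in the same place as the wireless 802.1X clients), the fragments below are an added example and are not taken from the original post, from the ppp/xl2tpd projects or from FreeRADIUS. The addresses, address pool, shared secret, file paths (in particular where the distribution keeps the radiusclient files) and the test account are all assumptions; replace them to match the local setup.

```conf
# --- /etc/xl2tpd/xl2tpd.conf (fragment) ---
[global]
ipsec saref = no
listen-addr = 192.0.2.1               ; assumed public address of the Debian box

[lns default]
ip range = 10.77.0.10-10.77.0.100     ; assumed pool handed to Windows clients
local ip = 10.77.0.1
require authentication = yes
refuse pap = yes
refuse chap = yes
name = l2tp-vpn
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# --- /etc/ppp/options.xl2tpd ---
# Windows' built-in client: negotiate MS-CHAPv2 only and refuse the weaker methods.
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
require-mschap-v2
require-mppe-128
# Hand authentication and accounting to RADIUS instead of /etc/ppp/chap-secrets.
# The radius plugin needs an MS-CHAP-aware dictionary (dictionary.microsoft) in
# the radiusclient configuration; the path below is an assumption.
plugin radius.so
plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
ms-dns 10.77.0.1
auth
hide-password
proxyarp
nodefaultroute
mtu 1410
mru 1410
lcp-echo-interval 30
lcp-echo-failure 4

# --- /etc/radiusclient/radiusclient.conf (only the lines that matter here) ---
auth_order      radius
authserver      127.0.0.1
acctserver      127.0.0.1
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
radius_timeout  10
radius_retries  3

# --- /etc/radiusclient/servers ---
# server          shared secret (placeholder; must match clients.conf below)
127.0.0.1         changeme-vpn-secret

# --- /etc/freeradius/clients.conf (added client entry) ---
client l2tp-vpn {
        ipaddr    = 127.0.0.1
        secret    = changeme-vpn-secret
        shortname = vpn        # distinguishes VPN from WAP sessions in radwho/radacct
        nastype   = other
}

# --- /etc/freeradius/users (one assumed test entry) ---
# The mschap module needs NT-Password or Cleartext-Password to compute the
# MS-CHAPv2 response; using the certificate CN as the user name keeps radwho
# output aligned with the wireless clients.
vpn-test        Cleartext-Password := "correct horse battery staple"
                Service-Type = Framed-User,
                Framed-Protocol = PPP
```

Two things worth checking before pointing a Windows client at it: with FreeRADIUS 2.x, `radtest -t mschap vpn-test 'correct horse battery staple' 127.0.0.1 0 changeme-vpn-secret` exercises the mschap module and the client secret without involving pppd at all, and after the first real connection `radwho` should list the session under the `vpn` client, which is the accounting visibility the question was after. Note that none of this touches the IPsec leg; certificate authentication of the tunnel itself is still racoon's job and is independent of what pppd negotiates inside it.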

0 Answers