Comments on: RSA keypair, Radius and StokeOS for IKEv2-EAP Authentication http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html "You know my methods, Watson..." Thu, 09 Feb 2012 13:55:28 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jimmy's Blog http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-10121 Jimmy's Blog Thu, 31 Mar 2011 21:08:57 +0000 http://www.imacandi.net/windancer/?p=1577#comment-10121 <strong>Linky, linky, blogs we likey...</strong> [...]while the sites we link to below are completely unrelated to ours, we think they are worth a read, so have a look[...]... Linky, linky, blogs we likey…

[...]while the sites we link to below are completely unrelated to ours, we think they are worth a read, so have a look[...]…

]]> By: Unlock iPhone4 http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-9949 Unlock iPhone4 Thu, 17 Mar 2011 12:21:50 +0000 http://www.imacandi.net/windancer/?p=1577#comment-9949 Hi! I know this is kinda off topic but I'd figured I'd ask. Would you be interested in exchanging links or maybe guest authoring a blog post or vice-versa? My blog goes over a lot of the same subjects as yours and I believe we could greatly benefit from each other. If you happen to be interested feel free to shoot me an email. I look forward to hearing from you! Awesome blog by the way! Hi! I know this is kinda off topic but I’d figured I’d ask. Would you be interested in exchanging links or maybe guest authoring a blog post or vice-versa? My blog goes over a lot of the same subjects as yours and I believe we could greatly benefit from each other. If you happen to be interested feel free to shoot me an email. I look forward to hearing from you! Awesome blog by the way!

]]> By: cristina_crow http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-4898 cristina_crow Fri, 09 Jul 2010 15:24:40 +0000 http://www.imacandi.net/windancer/?p=1577#comment-4898 New StokeOS (4.6B1), new commands to bind the certs: certificate device-certificate new name SSX ca-certificate CA.cer format pem signed-certificate ssx-185.pem format pem private-key ssx-185.key New StokeOS (4.6B1), new commands to bind the certs:
certificate device-certificate new name SSX ca-certificate CA.cer format pem signed-certificate ssx-185.pem format pem private-key ssx-185.key

]]> By: Andreas Steffen http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-3693 Andreas Steffen Sat, 06 Feb 2010 13:52:16 +0000 http://www.imacandi.net/windancer/?p=1577#comment-3693 We are going to support IKEv2 EAP-TLS soon. Since EAP-TLS offers strong mutual authentication based on certificates there is not much sense in doing a certificate-based IKEv2 SGW authentication on top of that, so this will be a typical application for EAP_ONLY authentication. Andreas We are going to support IKEv2 EAP-TLS soon. Since EAP-TLS offers strong mutual authentication based on certificates there is not much sense in doing a certificate-based IKEv2 SGW authentication on top of that, so this will be a typical application for EAP_ONLY authentication.

Andreas

]]> By: cristina_crow http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-3691 cristina_crow Sat, 06 Feb 2010 13:20:57 +0000 http://www.imacandi.net/windancer/?p=1577#comment-3691 @Andreas: cool. Good to know I can always count on Strongswan to be up to date with everything :) Thank you. @Andreas: cool. Good to know I can always count on Strongswan to be up to date with everything :) Thank you.

]]> By: Andreas Steffen http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-3689 Andreas Steffen Sat, 06 Feb 2010 12:24:53 +0000 http://www.imacandi.net/windancer/?p=1577#comment-3689 strongSwan both supports draft-eronen-ipsec-ikev2-eap-auth: http://www.strongswan.org/uml/testresults43rc/ikev2/rw-eap-sim-only-radius/ and RFC3739 Multiple Authentication: http://www.strongswan.org/uml/testresults43rc/ikev2/mult-auth-rsa-eap-sim-id/ Since the EAP_ONLY notification hasn't been assigned yet by IANA, strongSwan uses a private value and sends a strongSwan Vendor ID. This will change as soon as draft-eronen-ipsec-ikev2-eap-auth has become an RFC. Andreas strongSwan both supports draft-eronen-ipsec-ikev2-eap-auth:

http://www.strongswan.org/uml/testresults43rc/ikev2/rw-eap-sim-only-radius/

and RFC3739 Multiple Authentication:

http://www.strongswan.org/uml/testresults43rc/ikev2/mult-auth-rsa-eap-sim-id/

Since the EAP_ONLY notification hasn’t been assigned yet by IANA, strongSwan uses a private value and sends a strongSwan Vendor ID. This will change as soon as draft-eronen-ipsec-ikev2-eap-auth has become an RFC.

Andreas

]]> By: cristina_crow http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-3566 cristina_crow Fri, 29 Jan 2010 05:27:45 +0000 http://www.imacandi.net/windancer/?p=1577#comment-3566 @vmp: I will :D @vmp: I will :D

]]> By: vmp http://www.imacandi.net/windancer/2010/01/28/rsa-keypair-radius-and-stokeos-for-ikev2-eap-authentication.html/comment-page-1#comment-3558 vmp Thu, 28 Jan 2010 20:30:13 +0000 http://www.imacandi.net/windancer/?p=1577#comment-3558 Close enough :P We call mode-config "mode-config" because the name stuck from IKEv1 -- the IKEv2 literature AFAIK calls it "configuration [payload]"; no mode. The freeradius patch is to work around Stoke's inconsistent identities (which trip up a paranoia check). And it's the wrong way of doing it -- we should add a config option :) draft-eronen-ipsec-ikev2-eap-auth-07 is about allowing EAP in IKEv2 as the sole authentication method (as opposed to requiring the Responder to authenticate with certificates, which is what RFC4306 says). You were probably thinking of RFC5106. RFC4739 is not strictly about EAP; you could e.g. have two rounds of authentication with (different) certificates. RTFRFC, it has examples :D Close enough :P

We call mode-config “mode-config” because the name stuck from IKEv1 — the IKEv2 literature AFAIK calls it “configuration [payload]“; no mode.

The freeradius patch is to work around Stoke’s inconsistent identities (which trip up a paranoia check). And it’s the wrong way of doing it — we should add a config option :)

draft-eronen-ipsec-ikev2-eap-auth-07 is about allowing EAP in IKEv2 as the sole authentication method (as opposed to requiring the Responder to authenticate with certificates, which is what RFC4306 says). You were probably thinking of RFC5106.

RFC4739 is not strictly about EAP; you could e.g. have two rounds of authentication with (different) certificates. RTFRFC, it has examples :D

]]>