[Openswan Users] Openswan with PAM/RADIUS
Jacco de Leeuw
jacco2 at dds.nl
Wed May 25 15:37:42 CEST 2005
Steve Voets wrote:
> I’m trying to configure Openswan 2.3.1 using RADIUS to authenticate
> roadwarriors on a separate Windows server with Active Directory
> installed. So far I installed KLIPS and Pluto with support for XAUTH &
> PAM. Can anybody help me to configure this?

I assume your clients are running Windows. I can think of a couple of
methods to authenticate VPN users against Active Directory.

- XAUTH, where the password is looked up through a PAM plugin. This
  requires (buying) a client that supports XAUTH. The README.XAUTH
  also says: "We DO NOT RECOMMEND use of PAM, as it uses threads, and
  does not do so in a safe manner".

- Windows XP and Windows 2000 support Kerberos authentication for IKE.
  There is an RFC draft describing this but it has expired. Could be
  Microsoft proprietary. This is not supported by Openswan.

- L2TP/IPsec with a group PSK or certificates for IPsec authentication,
  and secondary user authentication through the RADIUS or Winbind plugin
  for PPP.

Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl