0

I have a Linux server and a need to connect to its network remotely from Windows 10 and Android clients. Is it possible to set the server up so that clients can authenticate against the user accounts on the Linux machine with usernames and passwords?

I would like to use IKEv2 for this, but that is not necessary if there's a better solution. I have already tried setting up strongSwan and was successful using client certificates. I also managed to get FreeRADIUS to authenticate against /etc/passwd, but could not get the username and password to be passed through from strongSwan to FreeRADIUS. Is this the right way to go about it?

I will update this question if/when suggestions are made.

Steve

1 Answer

2

The problem is that most EAP methods that use username/password will not transmit plaintext passwords. Instead they use some kind of challenge/response protocol with some hash/encryption calculated by both client and server, which usually requires that the server already possesses the plaintext password (unless the method is based on zero-knowledge password proofs), not a hashed version of it as stored in /etc/passwd.

The only method strongSwan supports that uses plaintext passwords is EAP-GTC, but client support is limited (I also don't know if it works with FreeRADIUS, but strongSwan could directly interact with PAM). Basically, only strongSwan uses it this way, so Android with the strongSwan app will work fine, but Windows does not support this method.

ecdsa
  • That's pretty much where I got to before. I believe FreeRADIUS does support EAP-GTC but as you say, Windows does not. – Steve Mar 01 '18 at 20:41
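
The distinction drawn in the answer above, as an added example that is not part of the original question, answer, or comment: a server holding only a salted one-way hash can check a password that arrives in plaintext (the EAP-GTC/PAM case), but cannot recompute a challenge/response value. Assumptions: EAP-MD5/CHAP (RFC 1994) serves as the challenge/response method, PBKDF2 stands in for the crypt(3) hash in the system account database, and the password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: PBKDF2 stands in for the crypt(3) scheme

def store_password(password: str) -> tuple[bytes, bytes]:
    """What the account database keeps: a salt and a one-way hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_plaintext(stored: tuple[bytes, bytes], password: str) -> bool:
    """EAP-GTC/PAM style: the password itself arrives, so the server can re-hash it."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify_chap(identifier: int, server_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the response from whatever secret it holds."""
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict[str, bool]:
    password = "correct horse battery"      # constructed sample password
    stored = store_password(password)       # all the server has on disk
    challenge, ident = os.urandom(16), 1    # server picks a fresh challenge
    response = chap_response(ident, password.encode(), challenge)  # client side
    return {
        "gtc_with_stored_hash": verify_plaintext(stored, password),
        "gtc_wrong_password": verify_plaintext(stored, "guess"),
        "chap_server_has_plaintext": verify_chap(ident, password.encode(), challenge, response),
        "chap_server_has_only_hash": verify_chap(ident, stored[1], challenge, response),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The last case fails even though the client used the correct password, because the stored digest is not the secret the client mixed into its response.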