Issue #2320

Strongswan and LDAP

Added by Aleksey Kravchenko over 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.6.0
Resolution:
No change required

Description

Has anybody managed to set up the combination of StrongSwan (IKEv2) and LDAP (authentication via LDAP)? If not, would it be possible to develop such an extension? How labor-intensive would it be?

History

#1 Updated by Noel Kuntze over 8 years ago

What kind of support do you need for LDAP? I think plugging eap-radius into freeradius and that into LDAP might work.

BTW: If you need custom plugin development, you need to send an email to Andreas.

#2 Updated by Aleksey Kravchenko over 8 years ago

Noel Kuntze wrote:

What kind of support do you need for LDAP? I think plugging eap-radius into freeradius and that into LDAP might work.

BTW: If you need custom plugin development, you need to send an email to Andreas.

I'm interested in how to authenticate by username/password using LDAP v3 (openldap, samba-ad-dc, 389 Directory Server, etc.). For example, openvpn supports this type of authentication.
(https://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to-authenticate-users-with-active-directory.html)

Preferably, IKEv2 should be used, as it is natively supported on all platforms (Android is an exception; we can use the strongSwan client for Android).

Regarding freeradius:
Despite the large number of examples on your website, no specific guidance was found. Setting up an environment with freeradius was not possible: https://lists.strongswan.org/pipermail/users/2016-December/010322.html

Additionally, I raised some questions to the libreswan/openswan community:

https://lists.libreswan.org/pipermail/swan/2016/001937.html
https://lists.openswan.org/pipermail/users/2016-December/023671.html

In addition, there were earlier questions about the integration of LDAP + strongswan as well:
https://lists.strongswan.org/pipermail/users/2014-December/007163.html
http://marc.info/?l=pfsense-discussion&m=144602045807665&w=2

#3 Updated by Tobias Brunner over 8 years ago

  • Status changed from New to Feedback

For most username/password-based EAP methods the server must have access to the plaintext password as these use challenge/response schemes, so the password is never actually transmitted from the client to the server (EAP-GTC is the only one strongSwan supports where that's not the case, but none of the common client implementations support this). So you need to get your LDAP server to provide the plaintext passwords to the server that terminates the EAP authentication (e.g. FreeRADIUS) via an LDAP admin account (it also means that the LDAP server has to store the passwords in plaintext, it can't store them in salted/hashed form - and you should probably use TLS between RADIUS and LDAP server). If that's the case you should be able to use FreeRADIUS with e.g. EAP-MD5 or EAP-MSCHAPv2 and use the eap-radius plugin in strongSwan (see e.g. this thread on the FreeRADIUS list and this FAQ entry on the rlm_eap page).

Additionally, I raised some questions to the libreswan/openswan community:

These projects are not related to strongSwan anymore (they share no code at all).
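To illustrate the point above about plaintext passwords, here is an added Python example (not code from strongSwan, FreeRADIUS or this thread) modelling one EAP-MD5 challenge/response and one EAP-GTC exchange: the EAP-MD5 verifier can only work from the plaintext password, while the EAP-GTC verifier can check against a salted hash. All sample values are constructed, and EAP-GTC is included for contrast because the comment names it as the exception.

```python
import hashlib
import hmac
import os

# EAP-MD5 (RFC 3748 section 5.4; the same computation as CHAP, RFC 1994):
# Response = MD5(Identifier || Password || Challenge).
def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()

def eap_md5_verify(identifier: int, plaintext_password: str,
                   challenge: bytes, response: bytes) -> bool:
    # The server recomputes the digest over the password it holds. Only the
    # plaintext works here; a salted hash of the password is of no use.
    expected = eap_md5_response(identifier, plaintext_password, challenge)
    return hmac.compare_digest(expected, response)

# EAP-GTC (RFC 3748 section 5.6): the peer sends the password itself (carried
# inside the encrypted IKE_AUTH exchange), so the server can check it against
# a salted, iterated hash and never needs the plaintext stored anywhere.
def store_salted(password: str, salt: bytes = b""):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def eap_gtc_verify(stored, submitted_password: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def run_exchanges(stored_password: str, attempt: str) -> dict:
    # Constructed sample values; a real server draws a fresh random challenge
    # for every exchange, which is what makes replaying a response useless.
    identifier = 7
    challenge = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
    # EAP-MD5: the peer answers the challenge; the server needs the plaintext.
    response = eap_md5_response(identifier, attempt, challenge)
    md5_ok = eap_md5_verify(identifier, stored_password, challenge, response)
    # EAP-GTC: the peer sends the password; the server checks its salted hash.
    gtc_ok = eap_gtc_verify(store_salted(stored_password), attempt)
    return {"eap_md5": md5_ok, "eap_gtc": gtc_ok}
```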

#4 Updated by Aleksey Kravchenko over 8 years ago

Tobias Brunner wrote:

For most username/password-based EAP methods the server must have access to the plaintext password as these use challenge/response schemes, so the password is never actually transmitted from the client to the server (EAP-GTC is the only one strongSwan supports where that's not the case, but none of the common client implementations support this). So you need to get your LDAP server to provide the plaintext passwords to the server that terminates the EAP authentication (e.g. FreeRADIUS) via an LDAP admin account (it also means that the LDAP server has to store the passwords in plaintext, it can't store them in salted/hashed form - and you should probably use TLS between RADIUS and LDAP server). If that's the case you should be able to use FreeRADIUS with e.g. EAP-MD5 or EAP-MSCHAPv2 and use the eap-radius plugin in strongSwan (see e.g. this thread on the FreeRADIUS list and this FAQ entry on the rlm_eap page).

Additionally, I raised some questions to the libreswan/openswan community:

These projects are not related to strongSwan anymore (they share no code at all).

Thank you very much Tobias! I will try to configure it with your recommendations.

#5 Updated by Aleksey Kravchenko almost 8 years ago

Hello dear developers!
No way to connect it with LDAP, but it works well through freeradius -> mysql.
I would like to thank your team for such a product as strongswan, good documentation and lightning-fast support. Thank you!

#6 Updated by Tobias Brunner almost 8 years ago

  • Tracker changed from Feature to Issue
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Affected version set to 5.6.0
  • Resolution set to No change required

OK, great you found a solution.