Friday, March 2, 2018

IKEv2 for Native Clients (Win10, iOS, OSX, Android)

I am developing a VPN solution that leverages the native client built into all the modern operating systems. My VPN server is a FortiGate, and I am trying to authenticate against a Cisco ACS RADIUS server. I want to use username/password auth for now, no identity certs. The VPN server and RADIUS server have certs issued from our internal PKI.

Right now, I have Windows 10 clients working as expected. The only cert I have on the client is the root CA in the trusted root store. Apple clients, not so much. They fail right away. Now if I change the auth locally to the VPN server, Apple clients can connect. The error that I see on the RADIUS server is that the EAP method the client is sending is not accepted (EAP-MSCHAP). When I look at the logs for the Windows clients, I see that they are using EAP-PEAP as the EAP method. From Apple's documentation (https://help.apple.com/deployment/ios/#/ior0f9aea818), the clients support EAP-PEAP, EAP-TLS, and EAP-MSCHAPv2.

So my question to my favorite subreddit is:

Does anyone have native iOS/OSX clients connecting to an IKEv2 VPN using EAP-PEAP with only a username/password (no identity/device cert)? If so, what should my .mobileconfig look like for this to work?
