Tuesday, February 28, 2023

Authentication in OpenIKED

Hello,

I have a question regarding authentication options in OpenIKED on
OpenBSD 7.2.

In my test lab I have one OpenBSD 7.2 machine with OpenIKED configured
to use PSK and a macOS 13.2.1 client that can connect to it.

I read in man iked.conf that PSK should not be used, so I am now
investigating EAP with MSCHAP-V2 and X.509 certificate authentication,
but I am confused as to which is more secure.

It seems to me that if I use EAP with MSCHAP-V2, I need a certificate on
the OpenBSD machine, but I can connect from the macOS client with a user
name and password, whereas X.509 authentication requires an X.509
certificate on *BOTH* client and server - is that correct?

If it is, is the reason that X.509 authentication is more secure because
of the two certificates required, whereas authentication with EAP with
MSCHAP-V2 is less secure because only one certificate is required?

Thanks,

- J
