I wrote: Because the built-in list of "Remote Dial-in users" is now part of the mechanism, you can no longer use Radius for authentication (at least I can't see how).

I thought I'd better correct myself (again) :oops:

I wrote the above, partly because it didn't seem to work...but it turns out it can be made to work, just not as reliably as using a 'built-in' 'Remote Dial-in User' account. Mainly, this a timing issue, possibly with my phone. Looking at Syslog, I can see it's sometimes still working after the phone has given in.

There is also the caveat, that an Internal user (even if just a 'stub' entry) has to exist, that references the matching Peer ID.

I'd assumed that when you use a certificate, it had to go to the internal list of users, find the Peer Id and then check the certificate against it. In fact, what it does, is check the certificate against each 'Peer Id' entry in turn, until/if it finds a match. This is authentication of the IPsec part of the connection. Only if L2TP is being used, does it do the Username/Password checking - which can indeed be done via Radius.

I found a bug / strange behaviour though: Having matched the Peer ID, the 2860 looks for the first internal user that references it. It then reports that user as being authenticated (for IPSec). If more than one user references the same Peer ID, it can easily misreport it, because of this algorithm. I've not worked out why it doesn't just report the Peer ID, rather than trying to fabricate a username to go with it.

One reason might be, is because if it matches a Peer ID, but no referencing user exists in the internal list of Remote Dial-in Users, it will not authenticate IPSec and it will not use Radius to check the Username/Password for L2TP...

The manual mentions none of this

hornbyp wrote:

I wrote:

The manual mentions none of this

lol, the manual is kind of lacking about different VPN configurations I'm going to try and set up Radius, seems like a good method and a interesting to play around with

I foolishly wrote: You cannot use the 2860's built-in Root Certificate Authority (CA). Although you can create certificates, you cannot export their private keys. So these certificates are effectively issued only to the Router.

I was right about about not being able to use it - but wrong about the reason.

The "Generate" option under Certificate Management >> Local Certificate does not generate a Certificate - it generates a Request for a Certificate; the idea being to cut and paste the request from the screen into a file, which you then take to your friendly Certificate Authority to have made into a certificate. When you import it back into the 2860, it marries up the request with the certificate - and now, when you view it, you see a certificate - not a 'request'. (If you've set up a Root CA on the 2860, you can sign it there and then - it's still a certificate for the 2860 itself to use though)