<div dir="ltr">Hi, <div>Is it possible to do two-factor authentication with Mac OS X's native IKEv2 client? As far as I searched,</div><div><br></div><div>a) with the strongSwan client on OS X it's possible with eap-gtc and pam + oath, but the native client's leftauth is always eap-mschapv2 (also confirmed <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options">here</a>)</div><div><br></div><div>b) as per <a href="https://lists.strongswan.org/pipermail/users/2012-March/002656.html">this mail</a> it's not possible to combine mschapv2 with pam.</div><div><br></div><div>c) as per <a href="http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083723.html">this explanation</a> the problem that needs to be solved is <i>HASH(pw+otp) != HASH(pw) + HASH(otp).</i> I am not sure it can be done with strongSwan.</div><div><br></div><div>Question:</div><div>a) on the server, is there a way we can do two-factor auth with eap-mschapv2?</div><div>or</div><div>b) on OS X, is there a way we can use eap-gtc with the native client?</div><div><br></div><div><br></div><div>Thanks</div></div>