<div dir="ltr">Thanks Volodymyr. <div>I tried with strongswan app <a href="https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX">https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX</a> but "<span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px">Currently supported are IKEv2 connections using EAP-MSCHAPv2 or EAP-MD5 client authentication"</span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px"><br></span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px"><br></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Thanks</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Mar 4, 2018 at 7:44 PM, Volodymyr Litovka <span dir="ltr">&lt;<a href="mailto:doka.ua@gmx.com" target="_blank">doka.ua@gmx.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Karthik,<br>
<br>
see below<span class=""><br>
<br>
<div class="m_-7706713929163429604moz-cite-prefix">On 3/4/18 1:23 PM, karthik kumar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div> Is it possible to do two factor authentication with Mac
OS X's IKEv2 native client ? As far as I searched, </div>
<div><br>
</div>
        <div>a) with strongswan client in osx it's possible with eap-gtc
and pam + oath but native client leftauth is always
eap-mschapv2 (also confirmed <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options" target="_blank">here</a>)</div>
<div><br>
</div>
        <div>b) as per <a href="https://lists.strongswan.org/pipermail/users/2012-March/002656.html" target="_blank">this mail</a> it's not possible to
combine <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">mschapv2
with pam.</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br>
</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">c)
as per <a href="http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083723.html" target="_blank">this explanation</a> the problem
that needs to be solved is </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><i>HASH(
pw+otp) != HASH(pw) + HASH (otp). </i>I am not sure it
can be done with strongswan</span></div>
<div><br>
</div>
<div>question:</div>
<div>a) on the server is there a way we can do two factor auth
with eap-mschapv2 ? <br>
</div>
</div>
</blockquote></span>
if you will find ways to transfer cleartext passwords from client
    (impossible with mschapv2), you can use eap-radius plugin to
forward requests to FreeRadius in order to do 2f auth, as explained
here
<a class="m_-7706713929163429604moz-txt-link-freetext" href="http://www.supertechguy.com/help/security/freeradius-google-auth" target="_blank">http://www.supertechguy.com/<wbr>help/security/freeradius-<wbr>google-auth</a> <br><span class="">
<br>
<blockquote type="cite">
<div dir="ltr">
<div>or</div>
<div>b) on the osx native client is there a way we can use
eap-gtc with native client ?</div>
</div>
</blockquote></span>
    it seems that native client supports nothing except mschapv2<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<pre class="m_-7706713929163429604moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</font></span></div>
</blockquote></div><br></div>
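The limitation discussed in this thread, as an added example that is not part of the original messages: a server that stores only a hash of the password can check a challenge-response computed over the password, but not one computed over password+OTP, whereas a cleartext method such as EAP-GTC lets it split the input and check both factors. SHA-256 and HMAC stand in for MSCHAPv2's MD4/DES construction, and all names, the password and the TOTP seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # OTP length appended to the password

def totp(seed: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def pw_hash(secret: str) -> bytes:
    # Assumption: SHA-256 stands in for the NT hash (MD4 over UTF-16LE).
    return hashlib.sha256(secret.encode("utf-16-le")).digest()

def cr_response(secret: str, challenge: bytes) -> bytes:
    # Simplified challenge-response: the client only ever sends a value
    # derived from HASH(secret), never the secret itself.
    return hmac.new(pw_hash(secret), challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical authenticator holding HASH(pw) and the TOTP seed."""

    def __init__(self, password: str, seed: bytes):
        self.stored = pw_hash(password)
        self.seed = seed

    def verify_challenge_response(self, challenge: bytes, response: bytes) -> bool:
        # Only HASH(pw) is available; HASH(pw+otp) cannot be derived from it.
        expected = hmac.new(self.stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def verify_cleartext(self, submitted: str, now: int) -> bool:
        # Cleartext transport: split "password" + "otp" and check each factor.
        pw, otp = submitted[:-DIGITS], submitted[-DIGITS:]
        ok_pw = hmac.compare_digest(pw_hash(pw), self.stored)
        ok_otp = hmac.compare_digest(otp.encode(), totp(self.seed, now).encode())
        return ok_pw and ok_otp

if __name__ == "__main__":
    seed, now, chal = b"12345678901234567890", 59, b"\x01" * 16  # constructed
    srv = Server("hunter2", seed)
    both = "hunter2" + totp(seed, now)
    print("challenge-response, pw only :", srv.verify_challenge_response(chal, cr_response("hunter2", chal)))
    print("challenge-response, pw+otp  :", srv.verify_challenge_response(chal, cr_response(both, chal)))
    print("cleartext, pw+otp           :", srv.verify_cleartext(both, now))
```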