<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Karthik,<br>
<br>
see below<br>
<br>
<div class="moz-cite-prefix">On 3/4/18 1:23 PM, karthik kumar wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK+ZqRpooTWrFvTS2Hp1FoUHMwacUtPEycT4mm_Gfau3bgQzDQ@mail.gmail.com">
<div dir="ltr">Hi,
<div> Is it possible to do two factor authentication with Mac
OS X's IKEv2 native client ? As far as I searched, </div>
<div><br>
</div>
<div>a) with strongswan client in osx its possible with eap-gtc
and pam + oath but native client leftauth is always
eap-mschapv2 (also confirmed <a
href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options"
moz-do-not-send="true">here</a>)</div>
<div><br>
</div>
<div>b) as per <a
href="https://lists.strongswan.org/pipermail/users/2012-March/002656.html"
moz-do-not-send="true">this mail</a> its not possible to
combine <span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">mschapv2
with pam.</span></div>
<div><span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br>
</span></div>
<div><span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">c)
as per <a
href="http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083723.html"
moz-do-not-send="true">this explanation</a> the problem
that needs to be solved is </span><span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><i>HASH(
pw+otp) != HASH(pw) + HASH (otp). </i>I am not sure it
can be done with strongswan</span></div>
<div><br>
</div>
<div>question:</div>
<div>a) on the server is there a way we can do two factor auth
with eap-mschapv2 ? <br>
</div>
</div>
</blockquote>
if you will find ways to transfer cleartext passwords from client
(impossible with with mschapv2), you can use eap-radius plugin to
forward requests to FreeRadius in order to do 2f auth, as explained
here
<a class="moz-txt-link-freetext" href="http://www.supertechguy.com/help/security/freeradius-google-auth">http://www.supertechguy.com/help/security/freeradius-google-auth</a> <br>
<br>
<blockquote type="cite"
cite="mid:CAK+ZqRpooTWrFvTS2Hp1FoUHMwacUtPEycT4mm_Gfau3bgQzDQ@mail.gmail.com">
<div dir="ltr">
<div>or</div>
<div>b) on the osx native client is there a way we can use
eap-gtc with native client ?</div>
</div>
</blockquote>
it seems that native client support nothing except mschapv2<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
</html>