[strongSwan] ike2/mobike with mschapv2 against PAM?

Martin Willi martin at strongswan.org
Mon Mar 5 08:56:26 CET 2012

Hi Kimmo,

> Is there any way to use PAM, radius, ldap or anything else than
> ipsec.secrets to authenticate users when using mschapv2?

EAP-MSCHAPv2 does not transmit the password in the clear, hence using it
for PAM does not work. We have a EAP-GTC plugin that authenticates user
against PAM, but you'd need the same plugin on your Windows clients
(Microsoft does not ship one).

Our EAP-RADIUS plugin can forward any EAP method over RADIUS to a
backend server. You'd need a RADIUS server with EAP-MSCHAPv2 support,
FreeRADIUS and Microsofts NPS are known to work fine.


More information about the Users mailing list