[strongSwan] Any working two-factor authentication with Windows?

Martin Willi martin at strongswan.org
Mon Jun 29 09:15:27 CEST 2015


> I would like to know if there exist any two-factor combination where
> one of them is RADIUS, either IKEv1 or IKEv2, which works with Windows
> (Win7 and above) native VPN client.

AFAIK Windows does not support RFC4739. In IKEv1 there is a proprietary
extension called AuthIP in Windows, but we don't support that.

> What are our options for multi-factor authentication with Strongswan
> server and Windows client?

I'm not aware of a way to use both client certificates and password
authentication with the Windows Agile IKEv2 client.

A practical solution without client certificates is to use a password +
HOTP/TOTP. You could use EAP-MSCHAPv2 for example, but enter both the
password concatenated with the token into the password field. On the AAA
there are solutions that can handle this kind of authentication scheme.


More information about the Users mailing list