[strongSwan] StrongSwan 5.2.1, Authentication with Radius (multiple rounds RFC 4739)
Köster, Michael
Michael.Koester at funkemedien.de
Mon Mar 23 11:25:45 CET 2015
Dear all,
I'd like to set up a strongSwan VPN with the following authentication procedure:
1. users should authenticate with a certificate (optional, but planned for the future) (Certificate is checked by StrongSwan)
2. users should authenticate against our active directory via freeRadius (username + password)
3. users should also enter an OTP (sent as SMS by the radius) that is again checked by the freeRadius server.
Additionally, I'd like to avoid any additional client software, i.e., I would rather stick to the Windows 7 Agile-VPN feature.
Already working:
- FreeRadius + SMSOTP (without StrongSwan)
- FreeRadius + Username + Password (mschapv2) (without StrongSwan)
- StrongSwan with Openssl Certificates
Thus I tried the eap-radius module but without success (inspired by the "mult-auth-rsa-eap-sim-id" example) as well as the other radius-examples.
So my questions are:
- Is it possible to configure StrongSwan in such a way?
- Does it work with the tools from Windows 7?
- Should I use the xauth section instead? Is there an example for the multiple rounds authentication? The Wiki article about EapRadius does describe the multiple rounds feature but I do not know how to combine this with our freeRadius server.
Thanks in advance for your help.
Michael Köster
--
Organization / IT
Infrastructure + Production Systems
FUNKE SERVICE GmbH
Hintern Brüdern 23, 38100 Braunschweig
Phone: +49 531 3900 224
Fax: +49 531 3900 148
E-Mail: michael.koester at funkemedien.de
Internet: www.funkemedien.de
____________________________________________________
FUNKE SERVICE GmbH, Essen
registered at the Essen District Court (Amtsgericht Essen), HRB 23241
Managing Directors: Michael Kurowski, Michael Wüller