[strongSwan] StronSwan 5.2.1, Authentication with Radius (multiple rounds RFC 4739)

Martin Willi martin at strongswan.org
Mon Mar 23 13:05:42 CET 2015


Hi Michael,

> 1. users should authenticate with a certificate (optional, but planned for the future) (Certificate is checked by StrongSwan)
> 2. users should authenticate against our active directory via freeRadius (username + password)
> 3. users should also enter an OTP (send as SMS by the radius) that is again checked by the freeRadius server.

> - Is it possible to configure StrongSwan in such a way?

Yes. The clean way would use RFC 4739 multiple authentication, where you
can define separate authentication rounds. The first would do
traditional IKE client certificate authentication, then you could use
one round of EAP password authentication, followed by another round of
EAP OTP authentication. You could also combine the latter two EAP
methods to one, where the user enters the password followed by token
into the same password field.

A different approach would use EAP-PEAP/TTLS, where the client
authenticates with a certificate in the outer EAP method, and uses
username/password for the inner method. Usually no client certificate
authentication is used in the outer method, though.

> - Does it work with the tools from Windows 7?

Most likely not. As the IKEv2 Agile VPN client does not support RFC
4739, that won't work.

The client can use PEAP (and TTLS with Windows 8), but I don't know
if/how it is possible to do certificate client authentication in the
outer method. Maybe it can be done if Windows finds an appropriate
certificate in one of its stores, but I've never tried that. The
verifier of PEAP would have to strictly require a client certificate,
which strongSwan does not by default.

> - Should I use the xauth section instead?

No, XAuth is IKEv1 only, unless you want to use a third party IKEv1
client.

> Is there an example for the multiple rounds authentication? The Wiki
> article about EAPRAdius does describe the multiple rounds feature but I
> do not know how to combine this with our freeRadius server.

The eap-radius plugin itself can do multiple rounds when using XAuth,
only. But you can use RFC 4739 to do multiple IKEv2 authentication
rounds involving EAP-RADIUS in one or more rounds.

Regards
Martin



More information about the Users mailing list