[strongSwan] MFA with EAP TLS
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jun 14 21:17:34 CEST 2018
Hello,
What do you mean to do with "auth = mfa"? mfa is not a known authentication type to upstream strongSwan.
Other than that, IKE is fully modular in this aspect. Just do it. It's probably useful to just delegate the authentication to a (free)radius AAA server, where you can then implement whatever you like with its configuration language.
Kind regards
Noel
On 14.06.2018 20:06, ccsalway wrote:
> Is there a way to have two-factor authentication with the first being a certificate?
>
> Something like:
>
> connections {
>     ecdsa {
>         version = 2
>         send_cert = always
>         encap = yes
>         unique = replace
>         proposals = aes256-sha256-prfsha256-ecp256-modp2048
>         pools = pool1
>         local {
>             id = vpnserver
>             certs = vpnserver.crt
>         }
>         remote {
>             auth = eap-tls
>             eap_id = %any
>         }
>         remote {
>             auth = mfa
>             eap_id = %any
>         }
>     }
> }
>
> I doubt this is possible with the built-in Windows or OS X clients, but maybe with the strongSwan client?
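
Added example, not part of the original thread and not strongSwan project code: one way to get a certificate round followed by a second factor is IKEv2 multiple authentication rounds (RFC 4739), with the second round handed to a RADIUS server through the eap-radius plugin, as the reply suggests. It uses pubkey rather than eap-tls for the certificate round; the connection name, RADIUS server name, address and secret are placeholders, and the client has to support multiple authentication rounds.

```conf
# --- swanctl.conf (VPN gateway), constructed example ---
connections {
    cert-then-radius {            # placeholder connection name
        version = 2
        send_cert = always
        pools = pool1             # pool name taken from the original post
        local {
            auth = pubkey
            id = vpnserver
            certs = vpnserver.crt
        }
        # Round 1: the client authenticates with its certificate.
        remote-1 {
            auth = pubkey
        }
        # Round 2: an EAP exchange that charon relays to the RADIUS
        # server; the AAA policy there decides which second factor
        # (OTP, password, ...) is required and whether it passes.
        remote-2 {
            auth = eap-radius
            eap_id = %any
        }
        # children and pools sections omitted, as in the original post
    }
}

# --- strongswan.conf (VPN gateway), constructed example ---
charon {
    plugins {
        eap-radius {
            servers {
                aaa1 {                      # placeholder server name
                    address = 192.0.2.10    # placeholder (documentation range)
                    secret = REPLACE_WITH_SHARED_SECRET
                }
            }
        }
    }
}
```

Both rounds must succeed before the IKE_SA is established, so a stolen client certificate alone does not get a tunnel.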