[strongSwan] MFA with EAP TLS
ccsalway
ccsalway at yahoo.co.uk
Thu Jun 14 22:08:14 CEST 2018
auth = mfa was me trying to explain that first a client will authenticate with eap-tls and then with MFA (multi-factor authentication).
Having never worked with a RADIUS server, is there any good documentation on using strongSwan with RADIUS?
> On 14 Jun 2018, at 20:17, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> Hello,
>
> What do you mean to do with "auth = mfa"? mfa is not a known authentication type to upstream strongswan.
> Other than that, IKE is fully modular in this aspect. Just do it. It's probably useful to just delegate the authentication to a (free)radius AAA server, where you can then implement whatever you like with its configuration language.
>
> Kind regards
>
> Noel
>
> On 14.06.2018 20:06, ccsalway wrote:
>> Is there a way to have two factor authentication with the first being certificate?
>>
>> Something like:
>>
>> connections {
>>     ecdsa {
>>         version = 2
>>         send_cert = always
>>         encap = yes
>>         unique = replace
>>         proposals = aes256-sha256-prfsha256-ecp256-modp2048
>>         pools = pool1
>>         local {
>>             id = vpnserver
>>             certs = vpnserver.crt
>>         }
>>         remote {
>>             auth = eap-tls
>>             eap_id = %any
>>         }
>>         remote {
>>             auth = mfa
>>             eap_id = %any
>>         }
>>     }
>> }
>>
>> I doubt this is possible with the built-in Windows or OS X clients but maybe with the strongSwan client?
>
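
The two-round setup discussed in this thread, written out as an added example (not part of the original messages and not taken from the strongSwan project): the first round is EAP-TLS terminated on the gateway, the second is relayed to a RADIUS server through the eap-radius plugin. The section suffixes `-1`/`-2`, the server label `aaa1`, the address and the shared secret are assumptions or placeholders; everything else in the connection is carried over from the configuration quoted above.

```conf
# swanctl.conf (gateway side). children and pool definitions are omitted,
# as in the configuration quoted in the thread.
connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        pools = pool1
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        # Round 1: the client authenticates with its certificate via EAP-TLS,
        # handled by the gateway itself (eap-tls plugin).
        remote-1 {
            auth = eap-tls
            eap_id = %any
        }
        # Round 2: the second factor. "mfa" is not an auth type, so the EAP
        # exchange is handed to the RADIUS server, which decides the method.
        remote-2 {
            auth = eap-radius
            eap_id = %any
        }
    }
}

# strongswan.conf fragment: where the eap-radius plugin finds the AAA server.
charon {
    plugins {
        eap-radius {
            servers {
                # Label, address and secret are placeholders.
                aaa1 {
                    address = 192.0.2.10
                    secret = REPLACE_WITH_SHARED_SECRET
                }
            }
        }
    }
}
```

Each `remote<suffix>` section is one authentication round the peer must complete, so the client has to support multiple authentication exchanges in IKEv2 (RFC 4739) for this connection to come up.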