[strongSwan] MFA with EAP TLS

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jun 14 22:13:19 CEST 2018


Hello,

Yes, look at the page of the eap-radius plugin[1] for the strongSwan side. For the RADIUS server, consult the documentation of the software you chose to use or pay someone to do it for you, if it takes too long.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

On 14.06.2018 22:08, ccsalway wrote:
> auth = mfa was me trying to explain that first a client will authenticate with eap-tls and then with MFA (multi-factor authentication).
> 
> Having never worked with a radius server, is there any good documentation of using StrongSwan with Radius?
> 
> 
>> On 14 Jun 2018, at 20:17, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>
>> Hello,
>>
>> What do you mean to do with "auth = mfa"? mfa is not a known authentication type to upstream strongswan.
>> Other than that, IKE is fully modular in this aspect. Just do it. It's probably useful to just delegate the authentication to a (free)radius AAA server, where you can then implement whatever you like with its configuration language.
>>
>> Kind regards
>>
>> Noel
>>
>> On 14.06.2018 20:06, ccsalway wrote:
>>> Is there a way to have two factor authentication with the first being certificate?
>>>
>>> Something like:
>>>
>>> connections {
>>>  ecdsa {
>>>     version = 2
>>>     send_cert = always
>>>     encap = yes
>>>     unique = replace
>>>     proposals = aes256-sha256-prfsha256-ecp256-modp2048
>>>     pools = pool1
>>>     local {
>>>        id = vpnserver
>>>        certs = vpnserver.crt
>>>     }
>>>     remote {
>>>        auth = eap-tls
>>>        eap_id = %any
>>>     }
>>>     remote {
>>>        auth = mfa
>>>        eap_id = %any
>>>     }
>>>  }
>>> }
>>>
>>> I doubt this is possible with the builtin windows or osx clients but maybe with StrongSwan client?
>>
> 
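
A sketch of the setup suggested in this thread, added as an example and not taken from any of the posters' configurations: the certificate round stays on the gateway and a second round is delegated to RADIUS through the eap-radius plugin, using swanctl's suffixed `remote` sections for RFC 4739 multiple authentication. The suffixes `-cert` and `-radius`, the server name `primary`, the address 192.0.2.10 and the secret are placeholders. The client must also support multiple authentication rounds.

```conf
# /etc/swanctl/swanctl.conf (gateway side)
connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        pools = pool1
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        # Round 1: client certificate, verified locally via EAP-TLS.
        # Each auth round needs its own section name (remote + suffix).
        remote-cert {
            auth = eap-tls
            eap_id = %any
        }
        # Round 2: whatever EAP method the RADIUS server offers
        # (this is where the second factor is enforced).
        remote-radius {
            auth = eap-radius
            eap_id = %any
        }
    }
}

# /etc/strongswan.conf (eap-radius plugin settings)
charon {
    plugins {
        eap-radius {
            servers {
                # "primary" is an arbitrary label
                primary {
                    address = 192.0.2.10              # placeholder RADIUS server
                    secret = REPLACE_WITH_SHARED_SECRET
                }
            }
        }
    }
}
```

The second-factor policy itself (OTP check, push approval, and so on) is configured on the RADIUS server, not in strongSwan.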
