[strongSwan] MFA with EAP TLS

ccsalway ccsalway at yahoo.co.uk
Thu Jun 14 23:02:44 CEST 2018


And how much would someone charge so I can run it by work?  We are basically looking for a proof of concept so we can take it to the client for financial approval.

> On 14 Jun 2018, at 21:13, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
> Hello,
> 
> Yes, look at the page of the eap-radius plugin[1] for the strongSwan side. For the RADIUS server, consult the documentation of the software you chose to use or pay someone to do it for you, if it takes too long.
> 
> Kind regards
> 
> Noel
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
> 
> On 14.06.2018 22:08, ccsalway wrote:
>> auth = mfa was me trying to explain that first a client will authenticate with eap-tls and then with MFA (multi-factor authentication).
>> 
>> Having never worked with a radius server, is there any good documentation of using StrongSwan with Radius?
>> 
>> 
>>> On 14 Jun 2018, at 20:17, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>> 
>>> Hello,
>>> 
>>> What do you mean to do with "auth = mfa"? mfa is not a known authentication type to upstream strongswan.
>>> Other than that, IKE is fully modular in this aspect. Just do it. It's probably useful to just delegate the authentication to a (free)radius AAA server, where you can then implement whatever you like with its configuration language.
>>> 
>>> Kind regards
>>> 
>>> Noel
>>> 
>>> On 14.06.2018 20:06, ccsalway wrote:
>>>> Is there a way to have two factor authentication with the first being certificate?
>>>> 
>>>> Something like:
>>>> 
>>>> connections {
>>>> ecdsa {
>>>>    version = 2
>>>>    send_cert = always
>>>>    encap = yes
>>>>    unique = replace
>>>>    proposals = aes256-sha256-prfsha256-ecp256-modp2048
>>>>    pools = pool1
>>>>    local {
>>>>       id = vpnserver
>>>>       certs = vpnserver.crt
>>>>    }
>>>>    remote {
>>>>       auth = eap-tls
>>>>       eap_id = %any
>>>>    }
>>>>    remote {
>>>>       auth = mfa
>>>>       eap_id = %any
>>>>    }
>>>> }
>>>> }
>>>> 
>>>> I doubt this is possible with the builtin windows or osx clients but maybe with StrongSwan client?
>>> 
>> 
> 
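What the thread arrives at, written out as an added example (not from the thread or the strongSwan project): the responder configuration keeps the certificate round as the first `remote` section and adds a second authentication round, a `remote<suffix>` section using `eap-radius`, so the MFA decision is made by the RADIUS server rather than by strongSwan itself. The RADIUS address, secret, pool and certificate names are placeholders, and the second round only works with clients that support multiple IKEv2 authentication exchanges (RFC 4739).

```conf
# swanctl.conf on the VPN gateway (assumed layout; names are placeholders)
connections {
    ecdsa-mfa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        pools = pool1
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        # Round 1: the client proves possession of a certificate via EAP-TLS.
        remote {
            auth = eap-tls
            eap_id = %any
        }
        # Round 2: a second remote section (any suffix after "remote" works)
        # hands the EAP exchange to the RADIUS server, which enforces the
        # second factor; strongSwan only sees Access-Accept / Access-Reject.
        remote-mfa {
            auth = eap-radius
            eap_id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp256
            }
        }
    }
}

# strongswan.conf: point the eap-radius plugin at the AAA server.
# Use a dedicated, long shared secret; the RADIUS exchange itself is not
# confidential beyond what the secret provides, so keep it on a trusted segment.
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10          # placeholder RADIUS address
                    secret = CHANGE-ME-shared-secret   # placeholder
                    auth_port = 1812
                }
            }
        }
    }
}
```

Test the second round from a client that supports multiple authentication exchanges before reporting success; a client that completes only the EAP-TLS round will be rejected, which is the correct fail-closed behaviour.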
