[strongSwan] 2 factor in mac os x with native ikev2

karthik kumar kumarkarthikn at gmail.com
Sun Mar 4 16:56:25 CET 2018


Thanks Volodymyr.
I tried with the strongSwan app
https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX but "Currently
supported are IKEv2 connections using EAP-MSCHAPv2 or EAP-MD5 client
authentication"


Thanks

On Sun, Mar 4, 2018 at 7:44 PM, Volodymyr Litovka <doka.ua at gmx.com> wrote:

> Hi Karthik,
>
> see below
>
> On 3/4/18 1:23 PM, karthik kumar wrote:
>
> Hi,
>    Is it possible to do two-factor authentication with Mac OS X's IKEv2
> native client? As far as I searched,
>
> a) with strongswan client in osx it's possible with eap-gtc and pam + oath
> but native client leftauth is always eap-mschapv2 (also confirmed here
> <https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options>
> )
>
> b) as per this mail
> <https://lists.strongswan.org/pipermail/users/2012-March/002656.html> it's
> not possible to combine mschapv2 with pam.
>
> c) as per this explanation
> <http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083723.html> the
> problem that needs to be solved is *HASH(pw+otp) != HASH(pw) + HASH(otp).*
> I am not sure it can be done with strongswan.
>
> question:
> a) on the server is there a way we can do two factor auth with
> eap-mschapv2?
>
> if you find ways to transfer cleartext passwords from the client
> (impossible with mschapv2), you can use the eap-radius plugin to forward
> requests to FreeRadius in order to do 2f auth, as explained here
> http://www.supertechguy.com/help/security/freeradius-google-auth
>
> or
> b) on the osx native client is there a way we can use eap-gtc with native
> client?
>
> it seems that the native client supports nothing except mschapv2
>
>
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
>
>