[strongSwan] Google Scure LDAP and User-Password
Tobias Brunner
tobias at strongswan.org
Fri Feb 28 15:18:23 CET 2020
Hi Edward,
> - Can one set up Strongswan to forward password from user?
Only via EAP-GTC [1] are cleartext passwords from the client available.
Practically no clients other than strongSwan support this.
If you find an IKEv2 client that supports EAP-TTLS/PAP (strongSwan
itself does not), it might work too if you configure FreeRADIUS
appropriately.
> - What stops any user connecting to IKEv2 and attempting brute force connections against a user account.
Nothing really but strong passwords. Perhaps you could implement some
kind of delay on the RADIUS/LDAP server, or limit the number of login
attempts per username and minute to make such attacks more difficult.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/eap-gtc
More information about the Users
mailing list