[strongSwan] Google Scure LDAP and User-Password

Edward Newman edward at digitalasset.com
Fri Feb 28 15:44:19 CET 2020

Interested to give my user singe sign-on via their Google account from strongswan. Trying to go down a path with freeradius but hitting a couple of issues.

What works:

- freeradius conects correct to Secure LDAP and can authenticate users via radclient
- strongswan can connect to free Radius and sends Authentication requests to service (seen in debug trace).
- Users are connectig to strongswan over IKEv2 road warrior connection (from macOS)

What seems to be failing:

- Strongswan does not seem to have a way to configure sending the User-Password attribute to radius (in cleartext)
- Secure LDAP requires the cleartext password to do LDAP bind (doesn;t support MSCHAPV2 or other non-password based authentication)


- Can one set up Strongswan to forward password from user?
- If one uses a VPN with server side certificate and user auth then this feel like setting up a HTTPS web site with a username/password form directly to Internet. What stops any user connecting to IKEv2 and attempting brute force connections against a user account. Google Secure LDAP does not enforce 2FA over LDAP… :-( 

What have I missed as options? Are there other better ways to get user-specific authentication to Google via strongswan?
This message, and any attachments, is for the intended recipient(s) only, 
may contain information that is privileged, confidential and/or proprietary 
and subject to important terms and conditions available at 
<http://www.digitalasset.com/emaildisclaimer.html>. If you are not the 
intended recipient, please delete this message.

More information about the Users mailing list