[strongSwan] Google Scure LDAP and User-Password
Edward Newman
edward at digitalasset.com
Tue Feb 25 15:48:42 CET 2020
Interested to give my user singe sign-on via their Google account from strongswan. Trying to go down a path with freeradius but hitting a couple of issues.
What works:
- freeradius conects correct to Secure LDAP and can authenticate users via radclient
- strongswan can connect to free Radius and sends Authentication requests to service (seen in debug trace).
- Users are connectig to strongswan over IKEv2 road warrior connection (from macOS)
What seems to be failing:
- Strongswan does not seem to have a way to configure sending the User-Password attribute to radius (in cleartext)
- Secure LDAP requires the cleartext password to do LDAP bind (doesn;t support MSCHAPV2 or other non-password based authentication)
Questions:
- Can one set up Strongswan to forward password from user?
- If one uses a VPN with server side certificate and user auth then this feel like setting up a HTTPS web site with a username/password form directly to Internet. What stops any user connecting to IKEv2 and attempting brute force connections against a user account. Google Secure LDAP does not enforce 2FA over LDAP… :-(
What have I missed as options? Are there other better ways to get user-specific authentication to Google via strongswan?
--
This message, and any attachments, is for the intended recipient(s) only,
may contain information that is privileged, confidential and/or proprietary
and subject to important terms and conditions available at
http://www.digitalasset.com/emaildisclaimer.html
<http://www.digitalasset.com/emaildisclaimer.html>. If you are not the
intended recipient, please delete this message.
More information about the Users
mailing list