[strongSwan] IKEv2 + MFA with RADIUS

Tobias Brunner tobias at strongswan.org
Wed Jun 30 12:11:16 CEST 2021

Hi Mike,

> We have rightauth set to eap-radius, but I’m yet to find a way of 
> changing the EAP method.

That's the RADIUS server's job, so you should probably contact your 
provider.  It has to request the EAP method it requires to authenticate 
the clients (it's interesting that it starts with EAP-MD5).  However, if 
the client responds with an expanded Nak message, which lists the EAP 
methods it supports or wants to use, the server might not be able to 
initiate a method for which it actually supports MFA.  So depending on 
the client's supported EAP methods, this might not be possible at all.


More information about the Users mailing list