Freeradius and 2 Factor Authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Jun 2 21:58:53 CEST 2016


> On Jun 2, 2016, at 3:44 PM, Aaron Smith <Aaron.Smith at kzoo.edu> wrote:
> 
> Well at least I was able to research the issue correctly!  To be clear, I'm not looking to find a way to make MSCHAPv2 work.  The end goal is to have a VPN solution that would allow Windows, Mac, and iOS users to connect securely, with a minimum of fuss.  Tall order I know.  :)  I was looking at IKEv2 as it seemed to be supported natively on at least Windows and iOS, but Windows clients insisted on using EAP-MSCHAPv2

Windows 10 should do TTLS.

> for it.  I suspect iOS does the same.

No, iOS supports EAP-TLS, EAP-PEAP, EAP-TTLS.

>  SSTP works great for Windows clients (and can do PAP), and I've heard rumors of third party clients for Mac OS, but I'm coming up empty on iOS clients that do SSTP.  OpenVPN is a possible alternative, but the certificate aspect sounds like a management nightmare.

IKEv2 based solutions are your best bet.

> We actually have a commercial OTP solution via SafeNet, but it's a bit long in the tooth and also only supports PAP.  However, I opened a ticket today and their newer versions actually support MSCHAPv2 so that might be the way to go if converting our token licenses isn't too ridiculous in cost.

Anything that'll give you the plaintext password from the OTP server back will work with MSCHAPv2.

-Arran
