multiotp with strongswan has no (ms)-chap-challenge

Phil Frost phil at
Fri Mar 16 15:11:54 CET 2018

When strongswan is configured to use the eap-radius plugin, there is no
additional configuration for strongswan to indicate what EAP method should
be used. Please excuse my ignorance as I'm still learning these things, but
isn't the EAP protocol initiated by the authenticator, in this case
strongswan, and by proxy, freeradius?

>From RFC 5996 (IKEv2), section 2.16:

An initiator indicates a desire to use EAP by leaving out the AUTH payload
from the first message in the IKE_AUTH exchange. (Note that the AUTH
payload is required for non-EAP authentication, and is thus not marked as
optional in the rest of this document.) By including an IDi payload but not
an AUTH payload, the initiator has declared an identity but has not proven
it.  If the responder is willing to use an EAP method, it will place an
Extensible Authentication Protocol (EAP) payload in the response of the
IKE_AUTH exchange and defer sending SAr2, TSi, and TSr until initiator
authentication is complete in a subsequent IKE_AUTH exchange.

>From what I can gather from the logs and packet captures, at this point
strongswan sends an Access-Request to freeradius containing the identity
but no credentials (because they don't yet exist). It's reasonable to then
wonder if it's now the responsibility of freeradius to initiate the EAP
exchange and request the peer to provide the necessary credentials.

Is this not the case? Again please excuse the ignorance -- between IKEv2,
RADIUS, EAP, all the various EAP methods, strongswan, freeradius, and each
their myriad plugins, it's quite difficult to even understand how these
protocols should be working together. Even just a quick example of a
working integration between strongswan and freeradius from someone who has
done it before would be very valuable.

On Fri, Mar 16, 2018 at 9:29 AM Alan DeKok <aland at>

> On Mar 16, 2018, at 5:10 AM, karthik kumar <kumarkarthikn at>
> wrote:
> >  I am setting up 2factor auth and we use Strongswan as our VPN server. I
> > use FreeRADIUS as backend of Strongwan.
> >
> > This is the setup
> > mac osx (ikev2 with eap-mschapv2)  ---> Strongswan ---> FreeRADIUS -->
> > multiotp
> >
> > First I tried with clear text password in /etc/raddb/users and it is
> > successful. For 2factor I need to pair it with multiOTP. I followed the
> doc
> >
> > ...
> > But when I use Strongswan, there is no MS-CHAP-Challenge (i tried with
> > %{mschap:Challenge})
>   Then fix Strongswan so that it sends the MS-CHAP-Challenge.
>   No amount of poking FreeRADIUS will magically create that attribute.
> Only Strongswan can do that.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list