multiotp with strongswan has no (ms)-chap-challenge
Brian Julin
BJulin at clarku.edu
Fri Mar 16 17:06:45 CET 2018
karthik kumar <kumarkarthikn at gmail.com> wrote:
> I am setting up 2factor auth and we use Strongswan as our VPN server. I
> use FreeRADIUS as backend of Strongswan.
>
> This is the setup mac osx (ikev2 with eap-mschapv2) ---> Strongswan ---> FreeRADIUS -->
> multiotp
Speaking of this, how does this plumbing work (if it does)?
AFAICT no VPN clients provide a way to integrate 2factor
prompts with IKEv2 (those that do rely on IKEv1 XAuth).
At best you could pull it off with a password/username append
trick assuming FR had access to cleartext passwords, which,
if you are backed by AD, generally won't be the case.
...and trying to figure that out from the multiotp webpages is
like searching for a needle in a pile of glass, by hand.
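
Added example, not part of the original message: why the append trick needs the cleartext password once the client speaks a challenge-response method such as EAP-MSCHAPv2, where the server only ever sees a response derived from a hash of what was typed. SHA-256 and HMAC stand in for the NT hash (MD4 over UTF-16LE) and the NT-Response so the code runs on the standard library; the function names, password and OTP seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for UNIX time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def digest(text: str) -> bytes:
    # Stand-in for the NT hash: a one-way digest of the typed string.
    return hashlib.sha256(text.encode("utf-16-le")).digest()

def response(pw_digest: bytes, challenge: bytes) -> bytes:
    # Stand-in for the NT-Response: depends only on the digest and the challenge.
    return hmac.new(pw_digest, challenge, hashlib.sha256).digest()

def client_response(typed: str, challenge: bytes) -> bytes:
    # The client hashes whatever the user typed, here password followed by OTP.
    return response(digest(typed), challenge)

def verify_with_cleartext(password: str, otp_secret: bytes, now: int,
                          challenge: bytes, resp: bytes) -> bool:
    # Server holding the cleartext can rebuild password+OTP and recompute.
    expected = response(digest(password + totp(otp_secret, now)), challenge)
    return hmac.compare_digest(expected, resp)

def verify_with_stored_digest(stored: bytes, challenge: bytes, resp: bytes) -> bool:
    # Server holding only digest(password), as with an AD-style backend,
    # cannot derive digest(password+OTP), so an appended OTP never matches.
    return hmac.compare_digest(response(stored, challenge), resp)

if __name__ == "__main__":
    seed = b"12345678901234567890"            # constructed OTP seed
    challenge = bytes(range(16))              # constructed challenge
    now = 59
    resp = client_response("hunter2" + totp(seed, now), challenge)
    print("cleartext backend:", verify_with_cleartext("hunter2", seed, now, challenge, resp))
    print("digest-only backend:", verify_with_stored_digest(digest("hunter2"), challenge, resp))
```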
More information about the Freeradius-Users mailing list