multiotp with strongswan has no (ms)-chap-challenge

Brian Julin BJulin at
Fri Mar 16 17:06:45 CET 2018

karthik kumar <kumarkarthikn at> wrote:

> I am setting up 2factor auth and we use Strongswan as our VPN server. I
> use FreeRADIUS as backend of Strongswan.
> This is the setup mac osx (ikev2 with eap-mschapv2)  ---> Strongswan ---> FreeRADIUS -->
> multiotp

Speaking of this, how does this plumbing work (if it does)?
AFAICT no VPN clients provide a way to integrate 2factor
prompts with IKEv2 (those that do, rely on IKEv1 XAuth).
At best you could pull it off with a password/username append
trick assuming FR had access to cleartext passwords, which,
if you are backed by AD, generally won't be the case.

...and trying to figure that out from the multiotp webpages is
like searching for a needle in a pile of glass, by hand.

More information about the Freeradius-Users mailing list