Discussion:
[strongSwan] MFA with EAP TLS
ccsalway
2018-06-14 18:06:05 UTC
Is there a way to have two factor authentication with the first being certificate?

Something like:

connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        pools = pool1
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        # first authentication round: the client certificate, via EAP-TLS
        remote {
            auth = eap-tls
            eap_id = %any
        }
        # second round; swanctl needs a distinct section name (remote<suffix>)
        # for every additional round, and "mfa" stands for whatever method
        # should follow EAP-TLS
        remote-mfa {
            auth = mfa
            eap_id = %any
        }
    }
}

I doubt this is possible with the built-in Windows or OS X clients, but maybe with the strongSwan client?
ccsalway
2018-06-14 20:08:14 UTC
"auth = mfa" was me trying to explain that first a client will authenticate with EAP-TLS and then with MFA (multi-factor authentication).

Having never worked with a RADIUS server, is there any good documentation on using strongSwan with RADIUS?

Hello,
What do you mean to do with "auth = mfa"? "mfa" is not an authentication type known to upstream strongSwan.
Other than that, IKE is fully modular in this aspect. Just do it. It's probably useful to just delegate the authentication to a (Free)RADIUS AAA server, where you can then implement whatever you like with its configuration language.
Kind regards
Noel
ccsalway
2018-06-14 21:02:44 UTC
And how much would someone charge, so I can run it by work? We are basically looking for a proof of concept so we can take it to the client for financial approval.

Hello,
Yes, look at the page on the eap-radius plugin [1] for the strongSwan side. For the RADIUS server, consult the documentation of the software you chose to use, or pay someone to do it for you if it takes too long.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
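What the two-round setup Noel points at looks like in practice, as an added example that is not from this thread or from the strongSwan project: a swanctl.conf connection whose first remote round requires a client certificate (auth = pubkey) and whose second round is a plain EAP exchange that the eap-radius plugin forwards to a RADIUS server, followed by the matching strongswan.conf fragment. The CA file name, the pool, the RADIUS address and the shared secret are placeholders. Both files are shown in one block, separated by path comments. The client has to support IKEv2 multiple authentication rounds (RFC 4739): strongSwan itself does (the Android app's "Certificate + EAP" profile is exactly this), the native Windows and macOS IKEv2 clients do not.

```conf
# /etc/swanctl/swanctl.conf  (added example; names, addresses and files are placeholders)
connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        pools = pool1

        local {
            auth = pubkey
            id = vpnserver
            certs = vpnserver.crt
        }

        # Round 1: the client must present a certificate chaining to our
        # client CA. Naming the CA explicitly avoids accepting every CA
        # that happens to be installed under /etc/swanctl/x509ca.
        remote {
            auth = pubkey
            cacerts = clientca.crt
        }

        # Round 2 (RFC 4739): an EAP exchange that strongSwan does not
        # terminate itself but relays to the RADIUS server configured in
        # strongswan.conf. Which EAP method runs (MSCHAPv2, OTP, ...) is
        # decided by the RADIUS server. Extra rounds are sections named
        # remote<suffix>; "remote-eap" is just a readable suffix.
        remote-eap {
            auth = eap-radius
            eap_id = %any
        }

        children {
            vpn {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm128-ecp256
            }
        }
    }
}

pools {
    pool1 {
        addrs = 10.10.0.0/24
    }
}

# /etc/strongswan.conf  (relevant part only)
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 10.10.255.5
                    # RADIUS protects requests with MD5 and this secret only:
                    # use a long random value and keep the gateway-to-RADIUS
                    # path on a private network or inside IPsec.
                    secret = change-me-to-a-long-random-secret
                    auth_port = 1812
                    nas_identifier = vpnserver
                }
            }
        }
    }
}
```

Two things to check before calling this "two-factor": each round is evaluated on its own, so a user who holds a valid certificate and knows a different user's password still passes unless the RADIUS side (or the CA issuing policy) ties the EAP identity it sees in User-Name to the certificate's subject; and swanctl --load-all will reject the file if the two rounds share the section name "remote", which is the error hidden in the original post.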