Discussion:
[strongSwan] Multi rounds
Christian Salway
2018-07-10 05:18:14 UTC
You say on [1] that "The native iOS and OS X clients are known to work fine with multiple authentication rounds.", yet I have the server configured with multiple rounds using xauth but OSX is only requesting EAP.

connections {
    radius {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        remote {
            auth = xauth-radius:passandcode
        }
        children {
            net {
                local_ts = 172.31.0.0/16
            }
        }
    }
}

eap-radius {
    load = yes
    accounting = yes
    nas_identifier = vpn-pod1
    servers {
        primary {
            address = 172.31.19.90 # TODO: change to DNS
            secret = KFdHr0sgw$kOfFgh # /etc/freeradius/clients.conf
        }
    }
    xauth {
        passandcode {
            password = Please enter your Password:
            passcode = Please enter current authenticator token code:
        }
    }
}

10[CFG] selected peer config 'radius'
10[IKE] peer requested EAP, config inacceptable
10[CFG] no alternative config found
10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
10[IKE] peer supports MOBIKE
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Arbitrary-RADIUS-attribute-forwarding
Tobias Brunner
2018-07-10 08:40:14 UTC
Hi Christian,
Post by Christian Salway
You say on [1] that "The native iOS and OS X clients are known to work
fine with multiple authentication rounds.", yet I have the server
configured with multiple rounds using xauth but OSX is only requesting EAP
XAuth is only for IKEv1
EAP is only for IKEv2 (unless the xauth-eap plugin is used)

So if you use IKEv2 you can ignore that whole XAuth section (including
the multiple rounds subsection) in the description of the eap-radius plugin.

Regards,
Tobias
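The rule Tobias states (XAuth methods exist only in IKEv1, EAP methods only in IKEv2) can be checked mechanically against a swanctl.conf connection. The following lint is an added example, not strongSwan code: its parser covers only the nested `name { ... }` / `key = value` subset used in the posted configuration, the sample is the posted connection reduced to the relevant keys, and it treats every `remote*` section as one authentication round.

```python
"""Lint a swanctl.conf connection for the mismatch in this thread: XAuth
methods exist only in IKEv1, EAP methods only in IKEv2 (added example)."""
import re

# Constructed sample: the posted connection reduced to the relevant keys.
SAMPLE = """\
connections {
    radius {
        version = 2
        remote {
            auth = xauth-radius:passandcode
        }
    }
}
"""
RULES = {'xauth': '2', 'eap': '1'}  # auth-method prefix -> IKE version lacking it

def parse(text):
    """Parse nested `name { ... }` / `key = value` lines into dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        m = re.match(r'^(\S+)\s*\{$', line)
        if m:                                        # section start
            cur[m.group(1)] = child = {}
            stack.append(cur)
            cur = child
        elif line == '}':                            # section end
            cur = stack.pop()
        else:                                        # key = value
            key, _, val = line.partition('=')
            cur[key.strip()] = val.strip()
    return root

def check_connection(conn):
    """Problems for one connection; each remote* section is one auth round."""
    version = conn.get('version', '0')               # swanctl default 0: v1 or v2
    problems = []
    for name, sec in conn.items():
        if name.startswith('remote') and isinstance(sec, dict):
            method = sec.get('auth', 'pubkey').split(':', 1)[0]  # drop ':<name>'
            for prefix, missing in RULES.items():
                if method.startswith(prefix) and version == missing:
                    problems.append(f'{name}: auth = {method} does not exist in IKEv{missing}')
    return problems

def lint(text):
    """Map each connection name to its list of problems."""
    return {n: check_connection(c) for n, c in parse(text).get('connections', {}).items()}
```

Run against the sample, `lint` reports that `xauth-radius` cannot be used with `version = 2`, which is exactly why the client's EAP request was answered with AUTH_FAILED above.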
Christian Salway
2018-07-10 13:42:40 UTC
Thanks for the explanation, Tobias.

I'm looking at using Duo for the MFA now. Don't think it's possible with strongSwan and {radius, AD} and native OSX, Win VPNs to have MFA.


Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
E: ***@naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW