Hi Karthik,
see below
On 3/4/18 1:23 PM, karthik kumar wrote:
Hi,
Is it possible to do two factor authentication with Mac OS X's
IKEv2 native client ? As far as I searched,
a) with strongswan client in osx its possible with eap-gtc and pam +
oath but native client leftauth is always eap-mschapv2 (also confirmed
here
<https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options>)
b) as per this mail
<https://lists.strongswan.org/pipermail/users/2012-March/002656.html> its
not possible to combine mschapv2 with pam.
c) as per this explanation
<http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083723.html> the
problem that needs to be solved is /HASH( pw+otp) != HASH(pw) + HASH
(otp). /I am not sure it can be done with strongswan
question:
a) on the server is there a way we can do two factor auth with
eap-mschapv2 ?
if you will find ways to transfer cleartext passwords from client
(impossible with with mschapv2), you can use eap-radius plugin to
forward requests to FreeRadius in order to do 2f auth, as explained here
http://www.supertechguy.com/help/security/freeradius-google-auth
or
b) on the osx native client is there a way we can use eap-gtc with
native client ?
it seems that native client support nothing except mschapv2
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
