Thanks Volodymyr. I tried with strongswan app https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX but "Currently supported are IKEv2 connections using EAP-MSCHAPv2 or EAP-MD5 client authentication"
Thanks On Sun, Mar 4, 2018 at 7:44 PM, Volodymyr Litovka <[email protected]> wrote: > Hi Karthik, > > see below > > On 3/4/18 1:23 PM, karthik kumar wrote: > > Hi, > Is it possible to do two factor authentication with Mac OS X's IKEv2 > native client ? As far as I searched, > > a) with strongswan client in osx its possible with eap-gtc and pam + oath > but native client leftauth is always eap-mschapv2 (also confirmed here > <https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options> > ) > > b) as per this mail > <https://lists.strongswan.org/pipermail/users/2012-March/002656.html> its > not possible to combine mschapv2 with pam. > > c) as per this explanation > <http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083723.html> > the > problem that needs to be solved is *HASH( pw+otp) != HASH(pw) + HASH > (otp). *I am not sure it can be done with strongswan > > question: > a) on the server is there a way we can do two factor auth with > eap-mschapv2 ? > > if you will find ways to transfer cleartext passwords from client > (impossible with with mschapv2), you can use eap-radius plugin to forward > requests to FreeRadius in order to do 2f auth, as explained here > http://www.supertechguy.com/help/security/freeradius-google-auth > > or > b) on the osx native client is there a way we can use eap-gtc with native > client ? > > it seems that native client support nothing except mschapv2 > > > -- > Volodymyr Litovka > "Vision without Execution is Hallucination." -- Thomas Edison > >
