Hello,

Yes, look at the page of the eap-radius plugin[1] for the strongSwan side. For 
the RADIUS server, consult the documentation of the software you chose to use 
or pay someone to do it for you, if it takes too long.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

On 14.06.2018 22:08, ccsalway wrote:
> auth = mfa was me trying to explain that first a client will authenticate 
> with eap-tls and then with MFA (multi-factor authentication).
> 
> Having never worked with a radius server, is there any good documentation of 
> using StrongSwan with Radius?
> 
> 
>> On 14 Jun 2018, at 20:17, Noel Kuntze 
>> <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
>>
>> Hello,
>>
>> What do you mean to do with "auth = mfa"? mfa is not a known authentication 
>> type to upstream strongswan.
>> Other than that, IKE is fully modular in this aspect. Just do it. It's 
>> probably useful to just delegate the authentication to a (free)radius AAA 
>> server, where you can then implement whatever you like with its 
>> configuration language.
>>
>> Kind regards
>>
>> Noel
>>
>> On 14.06.2018 20:06, ccsalway wrote:
>>> Is there a way to have two factor authentication with the first being 
>>> certificate?
>>>
>>> Something like:
>>>
>>> connections {
>>>  ecdsa {
>>>     version = 2
>>>     send_cert = always
>>>     encap = yes
>>>     unique = replace
>>>     proposals = aes256-sha256-prfsha256-ecp256-modp2048
>>>     pools = pool1
>>>     local {
>>>        id = vpnserver
>>>        certs = vpnserver.crt
>>>     }
>>>     remote {
>>>        auth = eap-tls
>>>        eap_id = %any
>>>     }
>>>     remote {
>>>        auth = mfa
>>>        eap_id = %any
>>>     }
>>>  }
>>> }
>>>
>>> I doubt this is possible with the builtin windows or osx clients but maybe 
>>> with StrongSwan client?
>>
> 
