And how much would someone charge so I can run it by work? We are basically looking for a proof of concept so we can take it to the client for financial approval.
> On 14 Jun 2018, at 21:13, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
>
> Hello,
>
> Yes, look at the page of the eap-radius plugin[1] for the strongSwan side.
> For the RADIUS server, consult the documentation of the software you chose to
> use or pay someone to do it for you, if it takes too long.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
>
> On 14.06.2018 22:08, ccsalway wrote:
>> auth = mfa was me trying to explain that first a client will authenticate
>> with eap-tls and then with MFA (multi-factor authentication).
>>
>> Having never worked with a radius server, is there any good documentation of
>> using StrongSwan with Radius?
>>
>>
>>> On 14 Jun 2018, at 20:17, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
>>>
>>> Hello,
>>>
>>> What do you mean to do with "auth = mfa"? mfa is not a known authentication
>>> type to upstream strongswan.
>>> Other than that, IKE is fully modular in this aspect. Just do it. It's
>>> probably useful to just delegate the authentication to a (free)radius AAA
>>> server, where you can then implement whatever you like with its
>>> configuration language.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 14.06.2018 20:06, ccsalway wrote:
>>>> Is there a way to have two factor authentication with the first being
>>>> certificate?
>>>>
>>>> Something like:
>>>>
>>>> connections {
>>>>     ecdsa {
>>>>         version = 2
>>>>         send_cert = always
>>>>         encap = yes
>>>>         unique = replace
>>>>         proposals = aes256-sha256-prfsha256-ecp256-modp2048
>>>>         pools = pool1
>>>>         local {
>>>>             id = vpnserver
>>>>             certs = vpnserver.crt
>>>>         }
>>>>         remote {
>>>>             auth = eap-tls
>>>>             eap_id = %any
>>>>         }
>>>>         remote {
>>>>             auth = mfa
>>>>             eap_id = %any
>>>>         }
>>>> }
>>>>
>>>> I doubt this is possible with the builtin windows or osx clients but maybe
>>>> with StrongSwan client?
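
One way to express the setup discussed in this thread, as an added example that is not part of the original messages: a certificate round followed by a second round delegated to RADIUS through the eap-radius plugin, using two uniquely suffixed `remote` sections (IKEv2 multiple authentication, RFC 4739). Assumptions: the first round uses `pubkey` rather than the `eap-tls` from the question, the suffixes `-cert` and `-mfa`, the server name `radius1`, the address `192.0.2.10` and the secret are placeholders, and the client must itself support multiple authentication rounds.

```conf
# ---- swanctl.conf (added example, not from the thread) ----
connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        pools = pool1
        # proposals and children: keep whatever the existing connection uses

        local {
            id = vpnserver
            certs = vpnserver.crt
        }

        # Round 1: the client proves possession of its certificate's key.
        # Each remote section needs a unique suffix; two sections both
        # named "remote" would not define two rounds.
        remote-cert {
            auth = pubkey
        }

        # Round 2: EAP is forwarded to the RADIUS server, which decides
        # what the second factor is (OTP, push, ...). "mfa" is not an
        # auth type; the factor lives in the RADIUS configuration.
        remote-mfa {
            auth = eap-radius
            eap_id = %any
        }
    }
}

# ---- strongswan.conf (added example, placeholder values) ----
charon {
    plugins {
        eap-radius {
            servers {
                radius1 {
                    address = 192.0.2.10          # placeholder (TEST-NET-1)
                    secret = REPLACE_WITH_SHARED_SECRET
                }
            }
        }
    }
}
```

The connection only comes up if both rounds succeed, so a stolen certificate alone or a phished second factor alone is not sufficient.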