Mobile clients with OTP
pama last edited by
I have successfully configured my pfSense for IPsec mobile clients with IKEv2 and local RADIUS auth.
I have set up two users, one with username and password, the other with username and OTP via Google Authenticator.
The test login works like a charm for both of them.
The strongSwan client on Android can connect only as the user with a password, while with OTP all I get in the log is:
radiusd 14913 (4) Login incorrect (Failed retrieving values required to evaluate condition): [username] (from client local port 4 cli <IP>)
nica last edited by
I came here to ask the exact same question.
I'm afraid that it's not possible because the client won't send a password across in clear text, while the Google Authenticator script needs the PIN + OTP in the clear to be able to pass it on to the googleauth.py script.
My Linux client will log something like this:
Jul 10 14:08:35 xps charon-nm: 16[IKE] server requested EAP_MD5 authentication (id 0x01)
Jul 10 14:08:35 xps charon-nm: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Jul 10 14:08:35 xps charon-nm: 16[NET] sending packet: from 192.168.122.1 to 192.168.122.204 (96 bytes)
Jul 10 14:08:36 xps charon-nm: 10[NET] received packet: from 192.168.122.204 to 192.168.122.1 (80 bytes)
Jul 10 14:08:36 xps charon-nm: 10[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
On pfSense, it works fine with radtest, until you use eap-md5:
radtest -t eap-md5 nils 1111905131 127.0.0.1 1234 psk
Playing around with the EAP settings on the RADIUS server causes my client to try some other methods, like EAP_MSCHAPV2, but none of the ones I've tried seem to work.
Perhaps someone else has had some success or can confirm my suspicions?
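The mismatch described in the reply above, as an added example that is not part of the thread and is not pfSense or FreeRADIUS code: with EAP-MD5 the server receives only MD5(identifier || password || challenge), so a verifier that expects PIN + OTP as a string has nothing to compare. The PIN, seed, challenge and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30 s step, 6 digits."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the client puts on the wire: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def cleartext_check(pin: str, seed: bytes, submitted: str, now: int) -> bool:
    """Hypothetical verifier that needs PIN + OTP in the clear."""
    expected = pin + totp(seed, now)
    return hmac.compare_digest(submitted.encode(), expected.encode())

def recompute_check(pin: str, seed: bytes, identifier: int,
                    challenge: bytes, response: bytes, now: int) -> bool:
    """A digest can only be checked by a server that itself knows PIN and seed
    and hashes the expected password with the same identifier and challenge."""
    expected = eap_md5_response(identifier, (pin + totp(seed, now)).encode(), challenge)
    return hmac.compare_digest(response, expected)

# Constructed sample values (seed and time are the RFC 6238 test vector).
PIN, SEED, NOW = "1111", b"12345678901234567890", 59
IDENT, CHALLENGE = 0x01, bytes(range(16))

def demo():
    typed = PIN + totp(SEED, NOW)                       # what the user enters
    digest = eap_md5_response(IDENT, typed.encode(), CHALLENGE)
    return {
        "cleartext_path": cleartext_check(PIN, SEED, typed, NOW),
        "eap_md5_into_cleartext": cleartext_check(PIN, SEED, digest.hex(), NOW),
        "eap_md5_recomputed": recompute_check(PIN, SEED, IDENT, CHALLENGE, digest, NOW),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```
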