Mobile clients with OTP

pama

Hi all,
I have successfully configured my pfsense for IPsec mobile client with IKEv2 and local radius auth.
I have set up two users, one with username and password, the other with username and OTP via Google Authenticator.
The test login works like a charm for both of them.
Strongswan client from Android can connect only with the user with password, while with OTP I can log only

radiusd 14913 (4) Login incorrect (Failed retrieving values required to evaluate condition): [username] (from client local port 4 cli <IP>)

What's wrong?
Thanks
Andrea

nica

I came here to ask the exact same question.

I'm afraid that it's not possible because the client won't send a password across in clear text, while the google authenticator script needs the pin + otp in the clear to be able to pass it on to the googleauth.py script.

My linux client will log something like this:

Jul 10 14:08:35 xps charon-nm: 16[IKE] server requested EAP_MD5 authentication (id 0x01)
Jul 10 14:08:35 xps charon-nm: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Jul 10 14:08:35 xps charon-nm: 16[NET] sending packet: from 192.168.122.1[49581] to 192.168.122.204[4500] (96 bytes)
Jul 10 14:08:36 xps charon-nm: 10[NET] received packet: from 192.168.122.204[4500] to 192.168.122.1[49581] (80 bytes)
Jul 10 14:08:36 xps charon-nm: 10[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]

On pfSense, it works fine with radtest, until you use eap-md5:

radtest -t eap-md5 nils 1111905131 127.0.0.1 1234 psk

Playing around with the EAP settings on the radius server causes my client to try some other methods, like EAP_MSCHAV2, but none of the ones I've tried seem to work.

Perhaps someone else has had some success or can confirm my suspicions?