Mobile clients with OTP

  • Hi all,
    I have successfully configured my pfsense for IPsec mobile client with IKEv2 and local radius auth.
    I have set up two users, one with username and password, the other with username and OTP via Google Authenticator.
    The test login works like a charm for both of them.
    Strongswan client from Android can connect only with the user with password, while with OTP I can log only

    radiusd 14913 (4) Login incorrect (Failed retrieving values required to evaluate condition): [username] (from client local port 4 cli <IP>)

    What's wrong?

  • I came here to ask the exact same question.

    I'm afraid that it's not possible because the client won't send a password across in clear text, while the google authenticator script needs the pin + otp in the clear to be able to pass it on to the script.

    My linux client will log something like this:

    Jul 10 14:08:35 xps charon-nm: 16[IKE] server requested EAP_MD5 authentication (id 0x01)
    Jul 10 14:08:35 xps charon-nm: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
    Jul 10 14:08:35 xps charon-nm: 16[NET] sending packet: from[49581] to[4500] (96 bytes)
    Jul 10 14:08:36 xps charon-nm: 10[NET] received packet: from[4500] to[49581] (80 bytes)
    Jul 10 14:08:36 xps charon-nm: 10[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]

    On pfSense, it works fine with radtest, until you use eap-md5:

    radtest -t eap-md5 nils 1111905131 1234 psk

    Playing around with the EAP settings on the radius server causes my client to try some other methods, like EAP_MSCHAV2, but none of the ones I've tried seem to work.

    Perhaps someone else has had some success or can confirm my suspicions?

Log in to reply