Hi. It seems that what you are looking for is a generic way to transport arbitrary strings from server to client and back again.
While not specifically intended for that, both EAP-GTC and EAP-OTP (types 6 and 5 respectively) have been (ab)used for that purpose. Not sure if that has happened in the context of IKEv2, though. GTC in a TTLS/PEAP/some other kind of tunneling has been done before, although when running EAP in IKE I don't think you need yet another tunnel. I guess it depends on the level of pre-existing trust that exists between the client and the VPN gateway (as opposed to the EAP authentication server).

Yoav

> On 26 Sep 2016, at 10:13 AM, Wang Jian <larkw...@gmail.com> wrote:
>
> Hello,
>
> When I researched VPN solutions for my company, IPsec was not an
> option. Then IKEv2 was an option but did not yet meet our requirements.
>
> We chose from several SSL VPNs which also support ESP or UDP
> transport. The key requirement IKEv2 doesn't meet is MFA functionality
> and flexibility. Also, split DNS functionality is missing.
>
> The MFA we finally implemented is like
>
> 1. Users first authenticate themselves with username & password
> 2. According to the user's security group, another OTP authentication
> step is needed or not. For users for whom OTP is needed, OTP
> authentication is prompted, or skipped if the (device, user) tuple
> was authenticated recently (i.e. 24 hours)
>
> * We could not get a unique device id, so IP address and username are
> used as the tuple. However, we would prefer a generated permanent device
> id by the VPN client, the device's manufacturer-assigned id (or a derived
> hash if privacy is a concern), or a time-limited http-cookie-like id
> generated and returned by the authenticator.
>
> Our flexible 2FA authentication is implemented using RADIUS challenge.
> The principles are
>
> 1. Username & password authentication is used to integrate with
> central user management. For ease of use, the VPN client should be capable
> of storing the password securely on the device
> 2. The authenticator controls the remaining authentication steps, and
> decides which steps should be done or skipped.
>
> Current IKEv2 doesn't provide an EAP authentication method to support
> such a flexible MFA use case. And in the new charter, there is no goal
> of the kind.
>
> IMHO, flexible MFA is most important for large scale enterprise
> deployment. Please add it as a goal.
>
> Regards,
> Wang Jian
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
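The following is an added illustration, not code from either poster or from any IKEv2/RADIUS implementation. It shows what Yoav's "transport arbitrary strings" remark and Wang Jian's conditional-OTP flow look like when combined: the server drives an EAP Identity exchange followed by EAP-GTC (type 6) requests whose Type-Data is just a prompt string, and after the password step it decides, per security group and per (device, user) recency, whether an "OTP:" prompt is sent or skipped. The packet layout follows RFC 3748 (Code, Identifier, Length, Type, Type-Data); the class and function names, the user table, groups, OTP values and device ids are all constructed for the example. The 24-hour window and the (device, user) tuple come from Wang Jian's description. One caveat worth keeping in mind: GTC Type-Data is cleartext at the EAP layer, so a deployment like this relies on the surrounding IKEv2 SA (or a TTLS/PEAP tunnel, as Yoav mentions) for confidentiality.

```python
"""Added example: EAP-GTC-carried challenge/response with a conditional OTP step.
Not from the thread; users, groups, OTPs and device ids below are constructed."""
import hmac
import struct
import time

# RFC 3748 codes and method types; EAP-OTP is type 5 and EAP-GTC is type 6.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_OTP, TYPE_GTC = 1, 5, 6


def eap_pack(code, identifier, eap_type=None, type_data=b""):
    """Serialize Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_unpack(pkt):
    """Parse one packet into (code, identifier, type or None, type_data)."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response without Type octet")
    return code, identifier, pkt[4], pkt[5:]


class ChallengeAuthenticator:
    """Server side (hypothetical): Identity, then GTC 'Password:', then GTC 'OTP:'
    only for users in an OTP group whose (device, user) tuple has no recent OTP."""

    def __init__(self, users, otp_groups, window=24 * 3600, now=time.time):
        self.users = users            # constructed: user -> {password, group, otp}
        self.otp_groups = otp_groups  # security groups that require the OTP step
        self.window = window          # recency window from the thread: 24 hours
        self.now = now
        self.recent = {}              # (device_id, user) -> time of last OTP success
        self.sessions = {}            # outstanding Request Identifier -> state

    def start(self, identifier, device_id):
        self.sessions[identifier] = {"step": "identity", "device": device_id}
        return eap_pack(EAP_REQUEST, identifier, TYPE_IDENTITY)

    def _ask(self, sess, identifier, step, prompt):
        sess["step"] = step
        self.sessions[identifier] = sess
        return eap_pack(EAP_REQUEST, identifier, TYPE_GTC, prompt.encode())

    def handle(self, pkt):
        code, ident, eap_type, data = eap_unpack(pkt)
        sess = self.sessions.pop(ident, None)       # Response must match a Request
        if sess is None or code != EAP_RESPONSE:
            return eap_pack(EAP_FAILURE, ident)
        text, nxt = data.decode("utf-8", "replace"), (ident + 1) & 0xFF
        if sess["step"] == "identity" and eap_type == TYPE_IDENTITY:
            sess["user"] = text
            return self._ask(sess, nxt, "password", "Password:")
        if sess["step"] == "password" and eap_type == TYPE_GTC:
            rec = self.users.get(sess["user"])
            if rec is None or not hmac.compare_digest(rec["password"].encode(), text.encode()):
                return eap_pack(EAP_FAILURE, ident)
            key = (sess["device"], sess["user"])
            fresh = self.now() - self.recent.get(key, -float("inf")) < self.window
            if rec["group"] in self.otp_groups and not fresh:
                return self._ask(sess, nxt, "otp", "OTP:")  # authenticator decides
            return eap_pack(EAP_SUCCESS, ident)              # step skipped
        if sess["step"] == "otp" and eap_type == TYPE_GTC:
            rec = self.users[sess["user"]]
            if not hmac.compare_digest(rec["otp"].encode(), text.encode()):
                return eap_pack(EAP_FAILURE, ident)
            self.recent[(sess["device"], sess["user"])] = self.now()
            return eap_pack(EAP_SUCCESS, ident)
        return eap_pack(EAP_FAILURE, ident)


def run_client(server, device_id, username, password, otp=None, identifier=1):
    """Client side: answer each Request from stored credentials. Returns
    (authenticated, list of GTC prompts that were actually shown)."""
    prompts, pkt = [], server.start(identifier, device_id)
    while True:
        code, ident, eap_type, data = eap_unpack(pkt)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return code == EAP_SUCCESS, prompts
        if eap_type == TYPE_IDENTITY:
            reply = username
        else:
            prompt = data.decode()
            prompts.append(prompt)
            reply = {"Password:": password, "OTP:": otp or ""}.get(prompt, "")
        pkt = server.handle(eap_pack(EAP_RESPONSE, ident, eap_type, reply.encode()))


def demo():
    """Constructed scenario: OTP prompted, skipped within 24h, re-prompted after."""
    clock = [1_000_000.0]
    users = {"alice": {"password": "pw-a", "group": "finance", "otp": "123456"},
             "bob": {"password": "pw-b", "group": "staff", "otp": "000000"}}
    auth = ChallengeAuthenticator(users, otp_groups={"finance"}, now=lambda: clock[0])
    out = [run_client(auth, "10.0.0.5", "alice", "pw-a", "123456")]  # OTP prompted
    out.append(run_client(auth, "10.0.0.5", "alice", "pw-a"))        # skipped, recent
    clock[0] += 25 * 3600
    out.append(run_client(auth, "10.0.0.5", "alice", "pw-a", "999999"))  # wrong OTP
    out.append(run_client(auth, "10.0.0.9", "bob", "pw-b"))          # group needs no OTP
    out.append(run_client(auth, "10.0.0.9", "bob", "wrong"))         # bad password
    return out
```

Because the authenticator owns the `step` state and the client only echoes whatever prompt arrives, adding or skipping a step is a server-side policy change, which is the flexibility the original post asks for. Tying `recent` to an IP address, as the post says was done in practice, means the skip decision inherits whatever address reuse or NAT the deployment has; the same code works unchanged with a client-generated device id in place of the address.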