Re: [IPsec] Flexible multi-factor authentication

2016-09-29 Thread Wang Jian
2016-09-29 19:05 GMT+08:00 Tero Kivinen :
> Wang Jian writes:
>> The MFA we finally implemented is like
>>
>> 1. Users first authenticate themselves with username & password
>
> I.e., some suitable EAP method.
>
>> 2. according to the user's security group, another OTP

[IPsec] Flexible multi-factor authentication

2016-09-29 Thread Tero Kivinen
Wang Jian writes:
> The MFA we finally implemented is like
>
> 1. Users first authenticate themselves with username & password

I.e., some suitable EAP method.

> 2. according to the user's security group, another OTP authentication
> step is needed or not. For users that OTP is needed, OTP

Re: [IPsec] Flexible multi-factor authentication

2016-09-27 Thread Wang Jian
2016-09-27 2:49 GMT+08:00 Paul Wouters :
> You could help by reviewing and telling us you are in favour of
> working group adoption of:
>
> https://tools.ietf.org/html/draft-pauly-ipsecme-split-dns-02

I am new here. I will try.

> We don't really add goals that have no backers

Re: [IPsec] Flexible multi-factor authentication

2016-09-27 Thread Wang Jian
Hi,

It's not only a generic way for authentication conversation, but also a defined way for authentication conversation. VPN clients, VPN servers and authentication servers must have a standard, thus unified user experiences.

- What should be prompted to user during conversation, what should be

Re: [IPsec] Flexible multi-factor authentication

2016-09-26 Thread Paul Wouters
On Mon, 26 Sep 2016, Wang Jian wrote:

Also, split dns functionality is missing.

You could help by reviewing and telling us you are in favour of working group adoption of:

https://tools.ietf.org/html/draft-pauly-ipsecme-split-dns-02

Current IKEv2 doesn't provide an EAP authentication method

Re: [IPsec] Flexible multi-factor authentication

2016-09-26 Thread Yoav Nir
Hi.

It seems that what you are looking for is a generic way to transport arbitrary strings from server to client and back again. While not specifically intended for that, both EAP-GTC and EAP-OTP (types 6 and 5 respectively) have been (ab)used for that purpose. Not sure if that has happened

[IPsec] Flexible multi-factor authentication

2016-09-26 Thread Wang Jian
Hello,

When I researched for VPN solution for my company, IPsec was not an option. Then IKEv2 was an option but yet met our requirements. We chose from several SSL VPNs which also support ESP or UDP transport. The key requirement IKEv2 doesn't meet is MFA functionality and flexibility. Also,