Interested in giving my users single sign-on via their Google account from strongswan. Trying to go down a path with freeradius but hitting a couple of issues.

What works:
- freeradius connects correctly to Secure LDAP and can authenticate users via radclient
- strongswan can connect to freeradius and sends Authentication requests to the service (seen in debug trace).
- Users are connecting to strongswan over an IKEv2 road warrior connection (from macOS)

What seems to be failing:
- Strongswan does not seem to have a way to configure sending the User-Password attribute to radius (in cleartext)
- Secure LDAP requires the cleartext password to do an LDAP bind (doesn't support MSCHAPV2 or other non-password based authentication)

Questions:
- Can one set up Strongswan to forward the password from the user?
- If one uses a VPN with server side certificate and user auth then this feels like setting up an HTTPS web site with a username/password form directly to the Internet. What stops any user connecting to IKEv2 and attempting brute force connections against a user account? Google Secure LDAP does not enforce 2FA over LDAP… :-(

What have I missed as options? Are there other better ways to get user-specific authentication to Google via strongswan?