'[strongSwan] Google Scure LDAP and User-Password'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       strongswan-users
Subject:    [strongSwan] Google Scure LDAP and User-Password
From:       Edward Newman <edward () digitalasset ! com>
Date:       2020-02-28 14:44:19
Message-ID: EA3226E5-7F06-4402-956B-2CCE33A18340 () digitalasset ! com
[Download RAW message or body]

Interested to give my user singe sign-on via their Google account from strongswan. \
Trying to go down a path with freeradius but hitting a couple of issues.

What works:

- freeradius conects correct to Secure LDAP and can authenticate users via radclient
- strongswan can connect to free Radius and sends Authentication requests to service \
                (seen in debug trace).
- Users are connectig to strongswan over IKEv2 road warrior connection (from macOS)

What seems to be failing:

- Strongswan does not seem to have a way to configure sending the User-Password \
                attribute to radius (in cleartext)
- Secure LDAP requires the cleartext password to do LDAP bind (doesn;t support \
MSCHAPV2 or other non-password based authentication)

Questions:

- Can one set up Strongswan to forward password from user?
- If one uses a VPN with server side certificate and user auth then this feel like \
setting up a HTTPS web site with a username/password form directly to Internet. What \
stops any user connecting to IKEv2 and attempting brute force connections against a \
user account. Google Secure LDAP does not enforce 2FA over LDAP… :-( 

What have I missed as options? Are there other better ways to get user-specific \
                authentication to Google via strongswan?
-- 
This message, and any attachments, is for the intended recipient(s) only, 
may contain information that is privileged, confidential and/or proprietary 
and subject to important terms and conditions available at  
http://www.digitalasset.com/emaildisclaimer.html 
<http://www.digitalasset.com/emaildisclaimer.html>. If you are not the 
intended recipient, please delete this message.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic