Configuring the connection to the BlackBerry 2FA server on a strongSwan server

To configure connectivity to the BlackBerry 2FA server on a strongSwan server, you must modify the ipsec.conf and eap-radius.conf files. For more information about these files and how to configure strongSwan, visit https://www.strongswan.org/.
ipsec.conf configuration

The ipsec.conf file is located in the /etc directory. You must add a new "conn" section for the BlackBerry 2FA server. For example:

    conn <name>
        keyexchange=ikev2
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any
        auto=add
Setting | Description |
---|---|
<name> | The unique name for the new connection section. It is common practice for the name to reflect key characteristics of the connection (for example, IPSec-IKEv2-radius). |
keyexchange=ikev2 | Specifies the key exchange protocol (IKEv1 or IKEv2). The BlackBerry 2FA server does not use this setting, but you must include it in the conn section so that key exchange with VPN clients works. Make sure that the VPN clients that connect to the strongSwan server use the same key exchange protocol. |
rightauth=eap-radius | Specifies that the strongSwan server must authenticate VPN clients for this connection using EAP, with the EAP exchange relayed to a RADIUS server. |
rightsendcert=never | Specifies that the strongSwan server does not request a certificate from the VPN client; user certificates are not used for client authentication. |
eap_identity=%any | Specifies the identity of the VPN client to use for EAP authentication. The BlackBerry 2FA server does not use this setting, but you must include it in the conn section. The "%any" value instructs the strongSwan server to use the identity that the VPN client provides in the EAP-Identity exchange. |
auto=add | Specifies that the connection is loaded when strongSwan starts so that the server can respond to incoming VPN clients, without initiating the connection itself. The BlackBerry 2FA server does not use this setting, but you must include it in the conn section. |
eap-radius.conf configuration

The eap-radius.conf file is located in the /etc/strongswan.d/charon directory. It specifies the settings for EAP over RADIUS authentication. The default configuration file already contains all of the settings that you must configure, but most of them are commented out and some have no value assigned. Modify the required settings by removing the number sign (#) and setting their values as described in the following table.
Setting | Description |
---|---|
accounting=no | Prevents strongSwan from sending RADIUS accounting messages to the BlackBerry 2FA server. |
nas_identifier | Optional. Specifies the NAS-Identifier attribute to include in RADIUS messages. Use this setting when multiple strongSwan servers use the same BlackBerry 2FA server, so that the 2FA server can tell the gateways apart. |
port=1812 | Specifies the UDP port on which the BlackBerry 2FA server receives RADIUS authentication requests. |
secret=<shared secret> | Specifies the RADIUS shared secret between strongSwan and the BlackBerry 2FA server. When you configure VPN server connectivity in the BlackBerry 2FA server, you must type the same shared secret that you specify here. Use a long, random value, and restrict read access to eap-radius.conf, because the secret protects the RADIUS exchange. |
server=<IP or FQDN of BlackBerry 2FA server> | Specifies the IP address or FQDN of the BlackBerry 2FA server. |
ike_to_radius=1, 2, 311:1, 311:11, 311:25 | A comma-separated list of the RADIUS attributes that strongSwan forwards to the BlackBerry 2FA server. A plain number is a standard attribute type. Two numbers separated by a colon indicate a vendor-specific attribute: the first number identifies the vendor (for example, 311 is the enterprise number for Microsoft), and the second number identifies the attribute type. This setting is in the "forward" subsection of the configuration file. |
radius_to_ike=311:26, 311:17, 311:16 | A comma-separated list of the RADIUS attributes that the BlackBerry 2FA server returns and that strongSwan forwards to the VPN client. Vendor-specific attributes use the same vendor:type notation as ike_to_radius. This setting is in the "forward" subsection of the configuration file. |