Hi all, I hope I may ask you regarding this topic. I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux, Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e. FreeRADIUS) which is authenticating the VPN users against Active Directory. The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and password. I use winbind for authentication (https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and do an additional check if the user is member of a special AD group (via LDAP). These are the key points. And so far it's working fine. But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very question: I searched around, read tons of articles etc. if that's possible and if yes, what would be the best way to achive this goal. Among others I found this: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy and would like to ask if someone has such an environment with Windows 10 clients and used it with e.g. privacyIDEA, OpenOTP or similar systems (other than the mentioned Gemalto Safenet Authentication Services)? It would be the best if the OTP system is running on-prem. Could this work and is it worth the effort to setup such a system? Any feedback is highly appreciated. Thank you and best regards, Markus