Hi all, I hope I may ask you regarding this topic. I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux, Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e. FreeRADIUS) which is authenticating the VPN users against Active Directory. The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and password. I use winbind for authentication (https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and do an additional check if the user is member of a special AD group (via LDAP). These are the key points. And so far it's working fine. But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very question: I searched around, read tons of articles etc. if that's possible and if yes, what would be the best way to achive this goal. Among others I found this: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy and would like to ask if someone has such an environment with Windows 10 clients and used it with e.g. privacyIDEA, OpenOTP or similar systems (other than the mentioned Gemalto Safenet Authentication Services)? It would be the best if the OTP system is running on-prem. Could this work and is it worth the effort to setup such a system? Any feedback is highly appreciated. Thank you and best regards, Markus
On Nov 13, 2022, at 12:29 PM, Markus Winkler <ml@irmawi.de> wrote:
I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux, Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e. FreeRADIUS) which is authenticating the VPN users against Active Directory. The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and password. I use winbind for authentication (https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and do an additional check if the user is member of a special AD group (via LDAP). These are the key points. And so far it's working fine.
That's good.
But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very question:
You quickly run into technology limitations. i.e. "I want to do X, but the underling protocols don't support it".
I searched around, read tons of articles etc. if that's possible and if yes, what would be the best way to achive this goal. Among others I found this:
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
You'll not that's not EAP, and not EAP-MSCHAPv2.
and would like to ask if someone has such an environment with Windows 10 clients and used it with e.g. privacyIDEA, OpenOTP or similar systems (other than the mentioned Gemalto Safenet Authentication Services)? It would be the best if the OTP system is running on-prem.
Could this work and is it worth the effort to setup such a system?
Likely not. EAP-MSCHAPv2 doesn't support the challenge / response method discussed in that Wiki page. Challenge-Response has been in RADIUS since it's beginning, and only works for PAP. Even if it did, you're using winbind && AD. FreeRADIUS is just passing the MS-CHAPv2 blobs to AD, which is returning pass / fail. There's no way to add an extra 2FA step into that process. You will likely have to look at the OPNsense firewall to see if it supports 2FA via some other method. Alan DeKok.
Hi Alan, On 13.11.22 19:16, Alan DeKok wrote:
Even if it did, you're using winbind && AD. FreeRADIUS is just passing the MS-CHAPv2 blobs to AD, which is returning pass / fail. There's no way to add an extra 2FA step into that process.
that's a pity, but I was already afraid that I will not work. I must admit that after reading so much and about all kinds of combinations that in the end I was quite confused. And therefore my question here. So now I know for sure I have to look for another solution. Thank you very much for your quick answer and clarification. :) Best regards, Markus
One possible path to consider is NOT doing 2FA during the RADIUS authentication, but afterwards. Instead, launch the 2FA query during RADIUS authentication, and bring up the IPSec tunnel but filter all packets with iptables. Then when the 2FA is approved, alter the iptables rules to allow access. The use of accounting packets between strongswan and FreeRADIUS, and ipsets, make this a fairly simple matter of scripting. However, it will be more difficult, if not impossible, if your 2FA provider does not have a robust way to do authentications over a simple interface like REST, rather than the rather insane common practice of inserting the 2FA provider in your RADIUS proxy chain. Duo for example actually has such an interface, made for simple non-OAUTH applications, which allows you check on the status of an in-flight 2FA request as well as tune timeouts and messaged to the authenticator app. Microsoft, not at all, they discontinued support for anything like that. Throwing 2FA with its own set of timeouts and protocol failure points into the fray of establishing an IPSec-RA connection is IMO just asking for a claptrap of hard-to-diagnose problems. ________________________________________ From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org> on behalf of Markus Winkler <ml@irmawi.de> Sent: Sunday, November 13, 2022 1:43 PM To: freeradius-users@lists.freeradius.org Subject: [EXT] Re: IKEv2 VPN clients and 2FA Hi Alan, On 13.11.22 19:16, Alan DeKok wrote:
Even if it did, you're using winbind && AD. FreeRADIUS is just passing the MS-CHAPv2 blobs to AD, which is returning pass / fail. There's no way to add an extra 2FA step into that process.
that's a pity, but I was already afraid that I will not work. I must admit that after reading so much and about all kinds of combinations that in the end I was quite confused. And therefore my question here. So now I know for sure I have to look for another solution. Thank you very much for your quick answer and clarification. :) Best regards, Markus - List info/subscribe/unsubscribe? See https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Cbjulin%40clarku.edu%7Cf3316ef55c7c4795b85d08dac5a6fabf%7Cb5b2263d68aa453eb972aa1421410f80%7C0%7C0%7C638039618218417975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=omCj3ywGY6rIHnGaJTN%2FmFsTehgq62vWK4KRhLIo9jQ%3D&reserved=0
Hi Brian, On 14.11.22 15:43, Brian Julin wrote:
Instead, launch the 2FA query during RADIUS authentication, and bring up the IPSec tunnel but filter all packets with iptables. Then when the 2FA is approved, alter the iptables rules to allow access.
nice idea, thank you. :-) But I think in the end
Throwing 2FA with its own set of timeouts and protocol failure points into the fray of establishing an IPSec-RA connection is IMO just asking for a claptrap of hard-to-diagnose problems.
you're right: too many possible problems. I really need a robust solution. Let's see. Regards, Markus
Hi Markus,
But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very You quickly run into technology limitations. i.e. "I want to do X, but the underling protocols don't support it". you are using Windows' native IPsec client? This will indeed want to talk MS-CHAPv2 with no 2FA hook I know of.
If you can use some other VPN client (and perhaps server), there's a way to add e.g. PricayIdea "transparently" to the VPN. The 2FA has a fixed length (or one of several, PI can return the value). A colleague wrote a python addon to enhance OpenLDAP to be able to split a long password consisting of the normal password+2FA. So the VPN client provides the concatenated PW, the addon forwards it to PI. Back comes the cutoff length along with PI's verdict on the 2FA. The addon then tests the stripped password against LDAP. The VPN is Cisco (ASA+Anyconnect/openconnect) in our case. Neither Anyconnect nor the ASA need to have any idea about the nature of the password the are transferring. Of course, this works for every service that forwards a password to RADIUS or LDAP (except they want to transfer the password twice ...). Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (4)
-
Alan DeKok -
Brian Julin -
Markus Winkler -
Martin Pauly