IKEv2 VPN clients and 2FA
Markus Winkler
ml at irmawi.de
Sun Nov 13 17:29:38 UTC 2022
Hi all,
I hope I may ask you regarding this topic.
I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux,
Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN
clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e.
FreeRADIUS) which is authenticating the VPN users against Active Directory.
The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and
password. I use winbind for authentication
(https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and
do an additional check if the user is a member of a special AD group (via
LDAP). These are the key points. And so far it's working fine.
But: I have the demand to use 2FA (especially OTP) to increase the security
of the VPN access. And that's my very question:
I searched around and read tons of articles etc. on whether that's possible and,
if yes, what would be the best way to achieve this goal. Among others I found this:
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
and would like to ask if someone has such an environment with Windows 10
clients and used it with e.g. privacyIDEA, OpenOTP or similar systems
(other than the mentioned Gemalto Safenet Authentication Services)? It
would be the best if the OTP system is running on-prem.
Could this work and is it worth the effort to set up such a system?
Any feedback is highly appreciated.
Thank you and best regards,
Markus