IKEv2 VPN clients and 2FA

Markus Winkler ml at irmawi.de
Sun Nov 13 17:29:38 UTC 2022

Hi all,

I hope I may ask you regarding this topic.

I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux, 
Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN 
clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e. 
FreeRADIUS) which is authenticating the VPN users against Active Directory. 
The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and 
password. I use winbind for authentication 
(https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and 
do an additional check if the user is member of a special AD group (via 
LDAP). These are the key points. And so far it's working fine.

But: I have the demand to use 2FA (especially OTP) to increase the security 
of the VPN access. And that's my very question:

I searched around, read tons of articles etc. if that's possible and if 
yes, what would be the best way to achieve this goal. Among others I found this:


and would like to ask if someone has such an environment with Windows 10 
clients and used it with e.g. privacyIDEA, OpenOTP or similar systems 
(other than the mentioned Gemalto Safenet Authentication Services)? It 
would be the best if the OTP system is running on-prem.

Could this work and is it worth the effort to setup such a system?

Any feedback is highly appreciated.

Thank you and best regards,

More information about the Freeradius-Users mailing list
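The question above asks whether an OTP can be checked as part of the RADIUS authentication. One practical caveat for this setup: with EAP-MSCHAPv2 the RADIUS server only receives a challenge/response derived from the NT hash of the password, never the cleartext, so a plain "append the OTP to the password" check can only be done where the server sees the password (PAP-style requests) or by an OTP product whose FreeRADIUS module is MS-CHAPv2-aware. The following is an added example, not code from the poster or from FreeRADIUS, showing what such an OTP backend has to do when it does get the combined value: an RFC 6238 TOTP verifier with a clock-skew window and replay rejection, plus a `split_password_otp` helper (a hypothetical name) that separates `<password><otp>`. The secret is the RFC 4226/6238 test-vector key, used here only as constructed sample data.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key.
# A real deployment would fetch the user's token secret from the OTP backend.
SAMPLE_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code of `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Verifies a TOTP code for one user.

    skew_steps allows a small clock difference between token and server.
    A time step that was already accepted is never accepted again, so a
    code observed in transit cannot be replayed inside its validity window.
    """

    def __init__(self, secret, skew_steps=1, step=STEP_SECONDS):
        self.secret = secret
        self.skew = skew_steps
        self.step = step
        self.last_accepted_step = -1

    def verify(self, code, now=None):
        if now is None:
            now = int(time.time())
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay protection: this step was already used
            # constant-time comparison of the expected and supplied code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def split_password_otp(combined, digits=DIGITS):
    """Split "<password><otp>" into its two parts, as RADIUS OTP plugins
    commonly do for PAP requests. Returns None when no OTP suffix is present."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    parts = split_password_otp("Secret!" + totp(SAMPLE_SECRET, int(time.time())))
    password, otp = parts
    print("password part:", password, "otp accepted:", verifier.verify(otp))
    print("replay accepted:", verifier.verify(otp))
```

The replay check is what makes the window safe: widening `skew_steps` to tolerate token drift would otherwise let the same code be presented more than once. For the EAP-MSCHAPv2 flow in the question, the AD password check itself stays with winbind; the OTP step has to be performed by a module that can run inside the MS-CHAPv2 exchange, which is exactly the capability to confirm with the OTP product before building the setup.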