IKEv2 VPN clients and 2FA

Alan DeKok aland at deployingradius.com
Sun Nov 13 18:16:14 UTC 2022

On Nov 13, 2022, at 12:29 PM, Markus Winkler <ml at irmawi.de> wrote:
> I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux, Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e. FreeRADIUS) which is authenticating the VPN users against Active Directory. The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and password. I use winbind for authentication (https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and do an additional check if the user is member of a special AD group (via LDAP). These are the key points. And so far it's working fine.

  That's good.

> But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very question:

  You quickly run into technology limitations.  i.e. "I want to do X, but the underlying protocols don't support it".

> I searched around, read tons of articles etc. if that's possible and if yes, what would be the best way to achieve this goal. Among others I found this:
> https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

  You'll note that's not EAP, and not EAP-MSCHAPv2.

> and would like to ask if someone has such an environment with Windows 10 clients and used it with e.g. privacyIDEA, OpenOTP or similar systems (other than the mentioned Gemalto Safenet Authentication Services)? It would be the best if the OTP system is running on-prem.
> Could this work and is it worth the effort to setup such a system?

  Likely not.

  EAP-MSCHAPv2 doesn't support the challenge / response method discussed in that Wiki page.  Challenge-Response has been in RADIUS since its beginning, and only works for PAP.

  Even if it did, you're using winbind && AD.  FreeRADIUS is just passing the MS-CHAPv2 blobs to AD, which is returning pass / fail.  There's no way to add an extra 2FA step into that process.

  You will likely have to look at the OPNsense firewall to see if it supports 2FA via some other method.

  Alan DeKok.
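
As an added illustration of the PAP-only Access-Challenge flow described above (example code written for this page, not FreeRADIUS, OPNsense or privacyIDEA code): the server answers the password round with Access-Challenge carrying a State attribute and accepts only when the OTP round echoes that State, and the User-Password hiding follows RFC 2865 section 5.2. The user table, OTP value and shared secret are constructed; with EAP-MSCHAPv2 the server would only see EAP-Message blobs it forwards to AD via winbind, so there is no equivalent point at which to insert this second round.

```python
import hashlib, os, secrets

USERS = {"alice": b"correct horse"}  # constructed test user; a real deployment asks AD
OTPS = {"alice": b"123456"}          # constructed one-time code; a real deployment asks the OTP backend

def pap_xform(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    # RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with MD5(secret + previous chunk);
    # the chain is keyed from the hidden chunks, so the same loop undoes it when hide=False
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += chunk
        prev = chunk if hide else data[i:i + 16]
    return out if hide else out.rstrip(b"\x00")

class OtpChallengeServer:
    # Two-round PAP flow: password -> Access-Challenge(State) -> OTP -> Access-Accept
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: dict = {}  # State value -> user who passed round 1 and owes an OTP

    def handle(self, req: dict) -> dict:
        name = req["User-Name"]
        pw = pap_xform(req["User-Password"], self.secret, req["Authenticator"], hide=False)
        state = req.get("State")
        if state is None:  # round 1: first factor only
            if USERS.get(name) != pw:
                return {"Code": "Access-Reject"}
            state = secrets.token_hex(8)
            self.pending[state] = name
            return {"Code": "Access-Challenge", "State": state, "Reply-Message": "Enter OTP"}
        # round 2: State must belong to this user (and is single-use); User-Password now carries the OTP
        if self.pending.pop(state, None) != name or OTPS.get(name) != pw:
            return {"Code": "Access-Reject"}
        return {"Code": "Access-Accept"}

def pap_request(name: str, secret: bytes, value: bytes, **extra) -> dict:
    auth = os.urandom(16)  # fresh Request Authenticator per packet, as the NAS would send
    return {"User-Name": name, "Authenticator": auth, "User-Password": pap_xform(value, secret, auth, True), **extra}

def vpn_login(server: OtpChallengeServer, secret: bytes, name: str, password: bytes, otp: bytes) -> str:
    # Client side: send the password, then answer any challenge with the OTP, echoing State
    reply = server.handle(pap_request(name, secret, password))
    if reply["Code"] != "Access-Challenge":
        return reply["Code"]
    return server.handle(pap_request(name, secret, otp, State=reply["State"]))["Code"]
```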
