[EXT] Re: IKEv2 VPN clients and 2FA

Mon Nov 14 14:43:11 UTC 2022

One possible path to consider is NOT doing 2FA during the RADIUS authentication, but afterwards.

Instead, launch the 2FA query during RADIUS authentication, and bring up the IPSec tunnel but filter
all packets with iptables.  Then when the 2FA is approved, alter the iptables rules to allow access.

The use of accounting packets between strongswan and FreeRADIUS, and ipsets, make this a fairly simple
matter of scripting.  However, it will be more difficult, if not impossible, if your 2FA provider does not
have a robust way to do authentications over a simple interface like REST, rather than the rather insane
common practice of inserting the 2FA provider in your RADIUS proxy chain.  Duo for example actually
has such an interface, made for simple non-OAUTH applications, which allows you check on the status
of an in-flight 2FA request as well as tune timeouts and messaged to the authenticator app.  Microsoft,
not at all, they discontinued support for anything like that.

Throwing 2FA with its own set of timeouts and protocol failure points into the fray of establishing
an IPSec-RA connection is IMO just asking for a claptrap of hard-to-diagnose problems.
________________________________________
From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org> on behalf of Markus Winkler <ml at irmawi.de>
Sent: Sunday, November 13, 2022 1:43 PM
To: freeradius-users at lists.freeradius.org
Subject: [EXT] Re: IKEv2 VPN clients and 2FA

Hi Alan,

On 13.11.22 19:16, Alan DeKok wrote:
>    Even if it did, you're using winbind && AD.  FreeRADIUS is just passing the MS-CHAPv2 blobs to AD, which is returning pass / fail.  There's no way to add an extra 2FA step into that process.

that's a pity, but I was already afraid that I will not work. I must admit
that after reading so much and about all kinds of combinations that in the
end I was quite confused. And therefore my question here. So now I know for
sure I have to look for another solution.

Thank you very much for your quick answer and clarification. :)

Best regards,
Markus
-
List info/subscribe/unsubscribe? See https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Cbjulin%40clarku.edu%7Cf3316ef55c7c4795b85d08dac5a6fabf%7Cb5b2263d68aa453eb972aa1421410f80%7C0%7C0%7C638039618218417975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=omCj3ywGY6rIHnGaJTN%2FmFsTehgq62vWK4KRhLIo9jQ%3D&reserved=0