IKEv2 VPN clients and 2FA

Martin Pauly pauly at hrz.uni-marburg.de
Wed Mar 22 17:33:07 UTC 2023

Hi Markus,

>> But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very   You quickly run into technology limitations.  i.e. "I want to do X, but the underling protocols don't support it".
you are using Windows' native IPsec client?
This will indeed want to talk MS-CHAPv2 with no 2FA hook I know of.

If you can use some other VPN client (and perhaps server),
there's a way to add e.g. PricayIdea "transparently" to the VPN.
The 2FA has a fixed length (or one of several, PI can return the value).
A colleague wrote a python addon to enhance OpenLDAP to be able to split
a long password consisting of the normal password+2FA.
So the VPN client provides the concatenated PW, the addon forwards it to PI.
Back comes the cutoff length along with PI's verdict on the 2FA.
The addon then tests the stripped password against LDAP.
The VPN is Cisco (ASA+Anyconnect/openconnect) in our case.
Neither Anyconnect nor the ASA need to have any idea about the nature of the password
the are transferring. Of course, this works for every service that forwards a password to RADIUS or LDAP
(except they want to transfer the password twice ...).


   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230322/9b54eaef/attachment-0001.bin>

More information about the Freeradius-Users mailing list