Hello,
I would like to know if anyone has got Mobile IPsec working with TOTP (Windows 10 native VPN client).
- TOTP for login (ssh/GUI) -> works
- Mobile IPsec with Mutual RSA -> works
- Mobile IPsec with EAP-MSCHAPv2 -> works
Only Mobile IPsec with EAP-MSCHAPv2 + TOTP does not work.
Can it be because the "IPsec Pre-Shared Key" at the user can only be PSK and not EAP?
Greetings,
atom
Update:
I've manually created the ipsec.secrets file in /usr/local/etc/ipsec.secrets.opnsense.d .
The possibility to select TOTP as "backend for authentication" is just fake. Only the password from /usr/local/etc/ipsec.secrets.opnsense.d/ipsec.secrets is sufficient to authenticate on Windows.
This only works with an external solution capable of EAP.
Do you have an example of an external solution?
You need to set EAP-RADIUS and use an OTP solution offering RADIUS.
Do you know an OTP solution that offers RADIUS?
FreeRADIUS can do that.
Quote from: mimugmail on March 18, 2022, 04:42:50 PM
Quote from: pmhausen on March 18, 2022, 11:18:46 AM
FreeRADIUS can do that.
With TOTP? :o
Sure - there are a couple of possible plugins. I only implemented HOTP in production, but the process was not that complicated if you know your way around FreeRADIUS.
Take for example: https://github.com/lark/vpn-otp
Note that I claimed neither "out of the box" nor "on OPNsense". But certainly with OPNsense connected to an external RADIUS instance.
Alternatively in a corporate environment you might want to look into Microsoft's Internet Authentication Server and possibly plugins for that.
HTH,
Patrick