OPNsense Forum
English Forums => General Discussion => Topic started by: kapara on September 01, 2019, 11:46:59 pm
-
Is it possible to create local access users with 2FA for mobile vpn access?
-
No, only with OpenVPN
-
Huh, why not? It uses the same authentication system.
Cheers,
Franco
-
- EAP-MSCHAP requires the usage of eap keys -> no 2FA
- EAP-RADIUS would work, but FreeRadius plugin only work wir local users and has no hook for 2FA server
-
I created a new server Local + Time based one time password (Not Preshared Keys) with EAP-MSCHAP and specified that database in Mobile clients but it did not work. Only the preshared keys seem to work.
Really too bad this does not work as it makes the 2fa only good for securing firewall management and not vpn though the documentation states it can be used with IPSEC.
There is no instruction however on how to get this working. If this is possible It would be great to know how to make it work.
-
Maybe with old IKEv1 and cisco-like groups, never tested it. With OpenVPN no big deal
-
Franco,
Any feedback as to this?
-
There *might* be a chance that it works with legacy IKEv1, just give it a try, with IKEv2 no chance
-
The problem is I am using Native windows. I don't think IKEv1 works with native windows.