OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of jpatten »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - jpatten

Pages: [1]
1
19.1 Legacy Series / Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« on: May 21, 2019, 03:34:32 pm »
So I've pretty much come to the conclusion that IKEv2 and 2FA aren't compatible after reading this page: https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

The choices you have are:
  • Machine Certificates
  • User Certificates
  • MSCHAPv2

None of those options support 2FA inherently. It looks like I'll need to use IPSEC or OpenVPN (and replace sethc.exe, the stickykeys executable, with an OpenVPN launcher) to accomplish what I need.

2
19.1 Legacy Series / Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« on: May 20, 2019, 11:10:11 pm »
Well I need the OTP function and wanted to see if the natively built in authentication system would work. Windows NPS RADIUS also uses MSCHAPv2 which is inherently incompatible with using OTP.

I've used PrivacyIDEA + FreeRADIUS with OpenVPN before which works pretty well but it seems to be missing the mark with IKEv2.

3
19.1 Legacy Series / Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« on: May 20, 2019, 10:06:53 pm »
I've been scouring the documentation and other forum posts for some time now but I haven't found an answer to my question so I'm posting here

I am attempting to set up IKEv2 mobile VPN (road warrior) using native Windows 10 VPN client, in conjunction with the LDAP + Timebased One Time Password authentication option. I believe I am experiencing issues with authentication due to the way MSCHAPv2 handles authentication and that it is inherently not capable of doing a plain password comparison. Has anyone gotten this combination (IKEv12 + Windows 10 native client + LDAP/Timebased OTP) to work? If so, what authentication method/settings did you use to accomplish this?

Before recommending using OpenVPN, please understand that I need a solution that can utilize the 'start before logon' feature of Windows where a user can connect to the VPN prior to logging in so that any active directory policies can apply, as well as checking password expiration with active directory, etc. There are not currently any OpenVPN clients capable of start before logon that I'm aware of, so if you're aware of any I'd be more than happy to entertain those options.

Thank you in advance for your assistance.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2