IPSEC user auth with local user and 2FA

Started by kapara, September 01, 2019, 11:46:59 PM

Is it possible to create local access users with 2FA for mobile vpn access? 


Huh, why not? It uses the same authentication system.


Cheers,
Franco

- EAP-MSCHAP requires the usage of eap keys -> no 2FA
- EAP-RADIUS would work, but the FreeRadius plugin only works with local users and has no hook for a 2FA server

September 04, 2019, 12:53:38 AM #4 Last Edit: September 04, 2019, 12:57:18 AM by kapara
I created a new server Local + Time based one time password (Not Preshared Keys) with EAP-MSCHAP and specified that database in Mobile clients, but it did not work. Only the preshared keys seem to work.

Really too bad this does not work, as it makes the 2FA only good for securing firewall management and not VPN, though the documentation states it can be used with IPSEC.

There is no instruction, however, on how to get this working. If this is possible, it would be great to know how to make it work.

Maybe with old IKEv1 and Cisco-like groups, never tested it. With OpenVPN no big deal.


There *might* be a chance that it works with legacy IKEv1, just give it a try; with IKEv2, no chance.

The problem is I am using native Windows. I don't think IKEv1 works with native Windows.