Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password

Started by jpatten, May 20, 2019, 10:06:53 PM

I've been scouring the documentation and other forum posts for some time now but I haven't found an answer to my question, so I'm posting here.

I am attempting to set up IKEv2 mobile VPN (road warrior) using the native Windows 10 VPN client, in conjunction with the LDAP + Timebased One Time Password authentication option. I believe I am experiencing issues with authentication due to the way MSCHAPv2 handles authentication and that it is inherently not capable of doing a plain password comparison. Has anyone gotten this combination (IKEv2 + Windows 10 native client + LDAP/Timebased OTP) to work? If so, what authentication method/settings did you use to accomplish this?

Before recommending using OpenVPN, please understand that I need a solution that can utilize the 'start before logon' feature of Windows where a user can connect to the VPN prior to logging in so that any active directory policies can apply, as well as checking password expiration with active directory, etc. There are not currently any OpenVPN clients capable of start before logon that I'm aware of, so if you're aware of any I'd be more than happy to entertain those options.

Thank you in advance for your assistance.

It's not with OTP and uses RADIUS, but check this:
https://forum.opnsense.org/index.php?topic=12147.msg55627#msg55627

I use Microsoft NPS as RADIUS to authenticate against Active Directory in a test lab. Used IKEv2 and the Windows 10 built-in VPN.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Well I need the OTP function and wanted to see if the natively built in authentication system would work. Windows NPS RADIUS also uses MSCHAPv2 which is inherently incompatible with using OTP.

I've used PrivacyIDEA + FreeRADIUS with OpenVPN before which works pretty well but it seems to be missing the mark with IKEv2.

Have a look at LinOTP. You can connect it to ADS/LDAP. You can configure/use it as an authentication proxy. Get usernames and groups from the directory server and manage OTP tokens in LinOTP.
Also works with hardware tokens and helps with a smooth transition. If no token is configured, you can use the directory password as a fall-back.

MSCHAPv2 and OTP are hard to mix; also I don't see a problem there since it's OTP.
PrivacyIdea is great and fits very nicely. Already have some customers running it incl. their commercial support.

Regarding LinOTP btw. ... https://www.wallstreet-online.de/nachricht/11446890-max21-verlustanzeige

So I've pretty much come to the conclusion that IKEv2 and 2FA aren't compatible after reading this page: https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

The choices you have are:

  • Machine Certificates
  • User Certificates
  • MSCHAPv2

None of those options support 2FA inherently. It looks like I'll need to use IPsec or OpenVPN (and replace sethc.exe, the Sticky Keys executable, with an OpenVPN launcher) to accomplish what I need.
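
The point raised in the opening post and in this conclusion, that an "LDAP + Timebased One Time Password" backend needs the plaintext password and code while MSCHAPv2 only ever hands the server a challenge response keyed by the NT hash of whatever the user typed, is illustrated by the following added example (not code from the thread or from OPNsense). It implements RFC 4226/6238 TOTP and the combined-credential check; the assumption that the six-digit code is appended to the directory password, the `demo_bind` stand-in for an LDAP bind, and the sample directory are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30     # RFC 6238 default time step, seconds
TOTP_DIGITS = 6
TOTP_WINDOW = 1    # accept one step of clock drift either way

# Constructed sample data: the RFC 4226/6238 test seed and a fake directory.
DEMO_SECRET = b"12345678901234567890"
DEMO_DIRECTORY = {"alice": "Passw0rd!"}


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


def demo_bind(username, password):
    """Stand-in for an LDAP simple bind (hypothetical; a real deployment binds to AD)."""
    return DEMO_DIRECTORY.get(username) == password


def verify_ldap_totp(username, submitted, ldap_bind, secret, now=None, window=TOTP_WINDOW):
    """Verify '<directory password><6-digit code>' as one combined credential.
    Assumption for this example: the code is appended to the password."""
    if now is None:
        now = time.time()
    if len(submitted) <= TOTP_DIGITS:
        return False
    password, code = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]
    counter = int(now) // TOTP_STEP
    # Check the code against each counter inside the drift window; constant-time compare.
    code_ok = any(hmac.compare_digest(code, hotp(secret, counter + d))
                  for d in range(-window, window + 1))
    if not code_ok:
        return False          # wrong or expired code: do not touch the directory
    # Only here does the directory see the plaintext password. This plain comparison
    # is the step an MSCHAPv2 exchange never delivers to the server.
    return ldap_bind(username, password)
```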