Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
Topic: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password (Read 5277 times)
jpatten
Newbie
Posts: 3
Karma: 0
Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« on: May 20, 2019, 10:06:53 pm »
I've been scouring the documentation and other forum posts for some time now but I haven't found an answer to my question, so I'm posting here.
I am attempting to set up IKEv2 mobile VPN (road warrior) using the native Windows 10 VPN client, in conjunction with the LDAP + Timebased One Time Password authentication option. I believe I am experiencing issues with authentication due to the way MSCHAPv2 handles authentication and that it is inherently not capable of doing a plain password comparison. Has anyone gotten this combination (IKEv2 + Windows 10 native client + LDAP/Timebased OTP) to work? If so, what authentication method/settings did you use to accomplish this?
Before recommending using OpenVPN, please understand that I need a solution that can utilize the 'start before logon' feature of Windows where a user can connect to the VPN prior to logging in so that any active directory policies can apply, as well as checking password expiration with active directory, etc. There are not currently any OpenVPN clients capable of start before logon that I'm aware of, so if you're aware of any I'd be more than happy to entertain those options.
Thank you in advance for your assistance.
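What the "plain password comparison" in the question refers to, shown as an added example (this is not code from the original post, from OPNsense or from any of the products named in the thread): a server-side check for the "LDAP password followed by TOTP" form. The verifier has to see the submitted string in the clear so it can split the OTP off the end, compare the static part against the directory password and recompute the expected TOTP for the current time step; MSCHAPv2 instead delivers only a challenge response derived from the NT hash of the whole string, so none of these steps can run on what it provides. The token seed is the RFC 6238 test seed, and the password, user and times are constructed values; the LDAP bind is replaced by a local comparison.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # OTP length

# RFC 6238 / RFC 4226 test seed (ASCII "12345678901234567890"), base32-encoded.
# Constructed value for the example; not a real token seed.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_LDAP_PASSWORD = "hunter2"   # constructed stand-in for the directory password


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # big-endian 64-bit step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PasswordPlusOtpVerifier:
    """Checks '<directory password><6-digit TOTP>' submitted as one cleartext string.

    Tolerates +/- `window` time steps of clock drift and refuses to accept a code
    for a time step that has already been used (replay), as RFC 6238 requires.
    """

    def __init__(self, secret_b32: str, ldap_password: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.ldap_password = ldap_password
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: int) -> bool:
        if len(submitted) <= DIGITS:
            return False
        static_part, otp_part = submitted[:-DIGITS], submitted[-DIGITS:]
        # Stand-in for the LDAP bind: the static part must equal the directory password.
        if not hmac.compare_digest(static_part.encode(), self.ldap_password.encode()):
            return False
        # Accept the OTP of the current step or a neighbouring one, but never a step
        # at or before the last accepted one, so a captured code cannot be replayed.
        for drift in range(-self.window, self.window + 1):
            t = now + drift * STEP_SECONDS
            step = t // STEP_SECONDS
            if step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(otp_part, totp(self.secret_b32, t)):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    v = PasswordPlusOtpVerifier(DEMO_SECRET_B32, DEMO_LDAP_PASSWORD)
    now = 59   # constructed "current time" matching the RFC test vector (step 1)
    print("expected OTP at t=59:", totp(DEMO_SECRET_B32, now))        # 287082
    print("first use:", v.verify(DEMO_LDAP_PASSWORD + "287082", now))  # True
    print("replay:", v.verify(DEMO_LDAP_PASSWORD + "287082", now))     # False
```

The check only works because the server receives the concatenated password in the clear (or over a channel where the authenticator can read it, such as a PAP-style RADIUS request or an LDAP bind). A challenge/response scheme hands the server a value computed from a hash of that string, which cannot be split into its password and OTP halves, so the OTP can neither be recomputed nor compared.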
hbc
Hero Member
Posts: 501
Karma: 47
Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« Reply #1 on: May 20, 2019, 10:24:56 pm »
It's not with OTP and uses radius, but check this:
https://forum.opnsense.org/index.php?topic=12147.msg55627#msg55627
I use Microsoft NPS as radius to authenticate against active directory in a test lab. Used IKE2 and windows 10 built-in VPN.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
jpatten
Newbie
Posts: 3
Karma: 0
Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« Reply #2 on: May 20, 2019, 11:10:11 pm »
Well I need the OTP function and wanted to see if the natively built in authentication system would work. Windows NPS RADIUS also uses MSCHAPv2 which is inherently incompatible with using OTP.
I've used PrivacyIDEA + FreeRADIUS with OpenVPN before which works pretty well but it seems to be missing the mark with IKEv2.
hbc
Hero Member
Posts: 501
Karma: 47
Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« Reply #3 on: May 21, 2019, 07:07:02 am »
Have a look at LinOTP. You can connect it to ADS/LDAP. You can configure/use it as an authentication proxy. Get usernames and groups from the directory server and manage OTP tokens in LinOTP.
Also works with hardware tokens and helps with a smooth transition. If no token is configured, you can use the directory password as a fall-back.
mimugmail
Hero Member
Posts: 6761
Karma: 494
Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« Reply #4 on: May 21, 2019, 01:23:55 pm »
MSCHAPv2 and OTP is hard to mix, also I don't see a problem there since it's OTP.
PrivacyIdea is great and fits very nicely. Already have some customers running it incl. their commercial support.
Regarding LinOTP btw. ...
https://www.wallstreet-online.de/nachricht/11446890-max21-verlustanzeige
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
jpatten
Newbie
Posts: 3
Karma: 0
Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« Reply #5 on: May 21, 2019, 03:34:32 pm »
So I've pretty much come to the conclusion that IKEv2 and 2FA aren't compatible after reading this page:
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
The choices you have are:
Machine Certificates
User Certificates
MSCHAPv2
None of those options support 2FA inherently. It looks like I'll need to use IPSEC or OpenVPN (and replace sethc.exe, the stickykeys executable, with an OpenVPN launcher) to accomplish what I need.
mimugmail
Hero Member
Posts: 6761
Karma: 494
Re: Windows 10 IKEv2 Road Warrior & LDAP + Timebased One Time Password
« Reply #6 on: May 21, 2019, 05:53:21 pm »
What about EAP-Radius against Privacyidea?