IKEv2 VPN with TOTP?


RNAO Communications

Oct 18, 2021, 2:39:55 PM
to RCDevs Security Solutions - Technical
We need to add 2FA to our WatchGuard IKEv2 Mobile VPN.
We have it working with the WatchGuard Mobile SSL VPN client, and TOTP hardware tokens in an OpenOTP server. But we do not want to switch to the SSL VPN for the expected reasons.
Windows IKE client defaults to EAP MS-CHAPv2, which I understand freeradius bridge does not support by default with OpenOTP.
What are our options?

Our OpenOTP is using the radius bridge to authenticate. Authentication is ultimately from an ActiveDirectory server on Win2k19, which also has the Windows RADIUS server installed.

We could enable Radius Proxy to the Windows Radius server, if that will allow us to use MS-CHAPv2.

I understand freeradius does have an MS-CHAPv2 module. We could install the freeradius support for MS-CHAPv2, if that will work with OpenOTP.

We could try configuring the Windows IKEv2 WAN MiniPorts from the default EAP MS-CHAPv2 to PAP instead (if necessary) if that will allow us to use OpenOTP with our hardware tokens.

If we can't make this work with OpenOTP we will have to select another vendor rather than buying from RCDevs. If somebody can help us get this working with OpenOTP, that would be our first choice.

Thanks for any suggestions.

RNAO Communications

Oct 18, 2021, 3:10:28 PM
to RCDevs Security Solutions - Technical
We don't even need to stick with the WG server. If the Windows VPN server will work, we can use that.
If an OpenVPN server will work with OpenOTP for IKEv2, that is even an option.

Yoann Traut (RCDevs)

Oct 25, 2021, 3:37:18 AM
to RCDevs Security Solutions - Technical
Hello,

You're right, MS-CHAP-V2 is not supported.
Maybe the Windows RADIUS proxy is a solution. But according to my knowledge, NPS doesn't manage the RADIUS Challenge.
Which means, if you want to configure LDAP+OTP factors for logins, the OTP part cannot be challenged by NPS. It means you need to configure the Push login infra as we do it for the NPS and RDGateway integration.
The default freeradius will not be able to communicate with OpenOTP. I don't know if it can act as a RADIUS proxy or not...
 
We provide a custom OpenVPN pre-configured with OpenOTP (MFAVPN) if you want. Else, any other VPN supporting Radius PAP or LDAP protocols works too.
 

Regards
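To make the RADIUS Challenge point in the reply above concrete, here is an added example that is not part of this thread and not RCDevs or OpenOTP code: it implements the RFC 2865 PAP User-Password hiding and simulates both sides of an LDAP password + OTP login, where the server answers the first request with Access-Challenge carrying a State attribute and accepts only when the second request echoes that State with a valid OTP. The shared secret, user store and TOTP value are constructed stand-ins; with PAP the server can decode the password field, which is why it can run this challenge, whereas under MS-CHAPv2 it would only see a challenge-response hash.

```python
import hashlib
import os

SHARED_SECRET = b"example-shared-secret"      # constructed, not a real secret
LDAP_PASSWORDS = {"alice": b"Correct-Horse"}  # constructed stand-in for the AD/LDAP check
VALID_TOTP = {"alice": b"492039"}             # constructed stand-in for the token value


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode; the server needs the same secret and authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def otp_server(user, hidden_pw, authenticator, state=None):
    """Simulated two-step RADIUS server. First request: verify the LDAP password
    and reply Access-Challenge with a State. Second request (State echoed back):
    treat the password field as the OTP. Returns (reply code, State)."""
    pw = pap_decode(hidden_pw, SHARED_SECRET, authenticator)
    if state is None:
        if pw != LDAP_PASSWORDS.get(user):
            return "Access-Reject", None
        return "Access-Challenge", b"session-" + user.encode()
    if state == b"session-" + user.encode() and pw == VALID_TOTP.get(user):
        return "Access-Accept", None
    return "Access-Reject", None


def login(user: str, password: bytes, otp: bytes) -> str:
    """Client side (the VPN gateway's RADIUS client): PAP request, then the
    challenge answer. A NAS that cannot relay Access-Challenge stops after step 1."""
    auth1 = os.urandom(16)
    code, state = otp_server(user, pap_encode(password, SHARED_SECRET, auth1), auth1)
    if code != "Access-Challenge":
        return code
    auth2 = os.urandom(16)
    code, _ = otp_server(user, pap_encode(otp, SHARED_SECRET, auth2), auth2, state)
    return code
```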