<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi,</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We use JumpCloud as our directory (as-a-service), which also gives us a RADIUS server to authenticate against. We have this working fine (without the MFA) for user authentication against JumpCloud’s RADIUS using the built-in macOS VPN client
(IKEv2), but having trouble when enabling MFA on JumpCloud’s side.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Their documentation states that MSCHAPv2 is not supported for MFA-enabled VPN connections, and they recommend
<span style="mso-fareast-language:EN-GB">EAP-TTLS/PAP. When connecting, it should be a case of entering username and password with TOTP separated by a comma e.g.
</span><span style="font-size:10.5pt;mso-fareast-language:EN-GB">MyB@dPa33word,1203456.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">When attempting to connect, /var/log/syslog shows:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 talon-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 07[CFG] RADIUS server 'eu1.radius.jumpcloud.com' is candidate: 210<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 talon-swan charon: 07[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 07[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (83 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 08[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (72 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 08[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 08[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (104 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 10[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (136 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:29 vpn-swan charon: 10[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:30 vpn-swan charon: 09[MGR] ignoring request with ID 4, already processing<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:30 vpn-swan charon: 10[IKE] RADIUS authentication of 'test.user' failed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for peer 192.168.1.235<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">On JumpCloud’s side, we have the error:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">mfa: multifactor authentication required; not supported for PEAP/MS-CHAP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;mso-fareast-language:EN-GB">We have rightauth set to eap-radius, but I’m yet to find a way of changing the EAP method. Does anyone have strongSwan + MFA working for macOS clients or can anyone point me in the
right direction, please?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">References:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal">https://support.jumpcloud.com/support/s/article/Logging-in-to-RADIUS-with-TOTP-MFA</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47">https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47</a></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many thanks,</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike</p>
</div>
</body>
</html>