[strongSwan] VPN Radius MFA

Christian Salway christian.salway at naimuri.com
Mon Jul 9 18:05:28 CEST 2018


Hi,

I've managed to get so far with trying to implement a strongSwan VPN server with MFA similar to what Azure do https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-dir-radius but I get stuck with using EAP.  As commented by Azure:
The MFA Server only supports PAP (password authentication protocol) and MSCHAPv2 (Microsoft's Challenge-Handshake Authentication Protocol) RADIUS protocols when acting as a RADIUS server. Other protocols, like EAP (extensible authentication protocol), can be used when the MFA server acts as a RADIUS proxy to another RADIUS server that supports that protocol.

This is what I have so far with strongSwan and the freeradius log below.  I have freeradius configured with google-authenticator using PAM, following this guide http://www.supertechguy.com/help/security/freeradius-google-auth, which works when testing from localhost, but I think the EAP from the VPN is not sending through the password, or at least it is, but in MD4.

Has anyone managed to set up a VPN server with MFA?

#!/bin/bash

sed -i 's/#NTP=/NTP=169.254.169.123/' /etc/systemd/timesyncd.conf

# apt answers
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections

# install dependencies
apt-get install -y build-essential libsystemd-dev pkg-config iptables-persistent

# install strongswan
wget -nv https://download.strongswan.org/strongswan-5.6.3.tar.bz2
tar xjf strongswan-5.6.3.tar.bz2; cd strongswan*
./configure --prefix=/usr --sysconfdir=/etc \
  --enable-systemd --enable-swanctl \
  --disable-charon --disable-stroke --disable-scepclient \
  --enable-eap-identity --enable-eap-mschapv2 --enable-md4 \
  --enable-eap-radius
make
make install

# configure strongswan
cat <<'EOF' > /etc/strongswan.d/charon/eap-radius.conf
eap-radius {
    load = yes
    accounting = yes
    nas_identifier = vpn-server-1
    servers {
        primary {
            address = 172.31.19.90  # TODO: change to DNS
            secret = KFdHr0sgw$kOfFgh  # /etc/freeradius/clients.conf
        }
    }
    xauth {
        pinprofile {
            nextpin = Please enter the next Code from your scratch list:
        }
        passandcode {
            password = Please enter your password:
            passcode = Please enter multi-factor authentication code:
        }
    }
}
EOF


cat <<'EOF' > /etc/swanctl/conf.d/conn-radius.conf
connections {
  radius {
     version = 2
     send_cert = always
     encap = yes
     pools = pool1
     unique = replace
     proposals = aes256-sha256-prfsha256-ecp256-modp2048
     local {
        id = vpnserver
        certs = vpnserver.crt
     }
     remote {
        auth = eap-radius
        eap_id = %any
     }
     remote-1 {
        auth = xauth-radius:pinprofile
     }
     children {
        net {
          local_ts = 172.31.0.0/16
        }
     }
  }
}
EOF



The freeradius server log has the following:


rad_recv: Access-Request packet from host 172.31.19.40 port 56472, id=44, length=140
	User-Name = "test"
	NAS-Port-Type = Virtual
	Service-Type = Framed-User
	NAS-Port = 4
	NAS-Port-Id = "radius"
	NAS-IP-Address = 172.31.19.40
	Called-Station-Id = "172.31.19.40[4500]"
	Calling-Station-Id = "148.252.225.26[46452]"
	EAP-Message = 0x020000090174657374
	NAS-Identifier = "vpn-server-1"
	Message-Authenticator = 0x38b1665e5c973bce156a9b8ec63d40a0
Mon Jul  9 15:29:42 2018 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Jul  9 15:29:42 2018 : Info: +group authorize {
Mon Jul  9 15:29:42 2018 : Info: ++[preprocess] = ok
Mon Jul  9 15:29:42 2018 : Info: ++[chap] = noop
Mon Jul  9 15:29:42 2018 : Info: ++[mschap] = noop
Mon Jul  9 15:29:42 2018 : Info: ++[digest] = noop
Mon Jul  9 15:29:42 2018 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL
Mon Jul  9 15:29:42 2018 : Info: [suffix] No such realm "NULL"
Mon Jul  9 15:29:42 2018 : Info: ++[suffix] = noop
Mon Jul  9 15:29:42 2018 : Info: [eap] EAP packet type response id 0 length 9
Mon Jul  9 15:29:42 2018 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  9 15:29:42 2018 : Info: ++[eap] = updated
Mon Jul  9 15:29:42 2018 : Info: [files] users: Matched entry DEFAULT at line 1
Mon Jul  9 15:29:42 2018 : Info: ++[files] = ok
Mon Jul  9 15:29:42 2018 : Info: ++[expiration] = noop
Mon Jul  9 15:29:42 2018 : Info: ++[logintime] = noop
Mon Jul  9 15:29:42 2018 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Mon Jul  9 15:29:42 2018 : Info: ++[pap] = noop
Mon Jul  9 15:29:42 2018 : Info: +} # group authorize = updated
Mon Jul  9 15:29:42 2018 : Info: Found Auth-Type = PAM
Mon Jul  9 15:29:42 2018 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul  9 15:29:42 2018 : Info: +group authenticate {
Mon Jul  9 15:29:42 2018 : Auth: rlm_pam: Attribute "User-Password" is required for authentication.
Mon Jul  9 15:29:42 2018 : Info: ++[pam] = invalid
Mon Jul  9 15:29:42 2018 : Info: +} # group authenticate = invalid
Mon Jul  9 15:29:42 2018 : Info: Failed to authenticate the user.
Mon Jul  9 15:29:42 2018 : Auth: Login incorrect: [test] (from client local port 4 cli 148.252.225.26[46452])
Mon Jul  9 15:29:42 2018 : Info: Using Post-Auth-Type Reject
Mon Jul  9 15:29:42 2018 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul  9 15:29:42 2018 : Info: +group REJECT {
Mon Jul  9 15:29:42 2018 : Info: [eap] Request was previously rejected, inserting EAP-Failure
Mon Jul  9 15:29:42 2018 : Info: ++[eap] = updated
Mon Jul  9 15:29:42 2018 : Info: [attr_filter.access_reject] 	expand: %{User-Name} -> test
Mon Jul  9 15:29:42 2018 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Jul  9 15:29:42 2018 : Info: ++[attr_filter.access_reject] = updated
Mon Jul  9 15:29:42 2018 : Info: +} # group REJECT = updated
Mon Jul  9 15:29:42 2018 : Info: Delaying reject of request 0 for 1 seconds
Mon Jul  9 15:29:42 2018 : Debug: Going to the next request
Mon Jul  9 15:29:42 2018 : Debug: Waking up in 0.9 seconds.
Mon Jul  9 15:29:43 2018 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 44 to 172.31.19.40 port 56472
	EAP-Message = 0x04000004
	Message-Authenticator = 0x00000000000000000000000000000000


Kind regards,
Christian
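As an added example (not part of the original post), this script decodes the EAP-Message attribute from the Access-Request in the log above and shows that it is only an EAP Identity response carrying no password, which is why rlm_pam reports that User-Password is required. The function names and the sample attribute dictionary are constructed for the example.

```python
# Added example, not from the original post: decode the EAP-Message attribute
# seen in the FreeRADIUS log to see what the VPN server actually sent.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 26: "MSCHAPv2"}

def decode_eap_message(hex_value: str) -> dict:
    """Parse an RFC 3748 EAP packet from a FreeRADIUS '0x...' attribute dump."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != packet size {len(raw)}")
    result = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    # Only Request/Response packets carry a Type byte (and type data) after the header.
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        result["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        if eap_type == 1:
            result["identity"] = raw[5:].decode("utf-8", errors="replace")
    return result

def explain_access_request(attrs: dict) -> str:
    """Explain the rlm_pam failure: PAM needs a User-Password attribute, but in an
    EAP conversation the credentials travel inside EAP-Message instead."""
    if "User-Password" in attrs:
        return "User-Password present: PAP-capable modules such as rlm_pam can authenticate."
    if "EAP-Message" in attrs:
        eap = decode_eap_message(attrs["EAP-Message"])
        if eap.get("type") == "Identity":
            return (f"EAP {eap['code']}/Identity for '{eap['identity']}': no password yet; "
                    "it only arrives inside a later EAP method exchange, so rlm_pam "
                    "(which needs User-Password) cannot succeed.")
        return f"EAP {eap['code']} of type {eap.get('type')}: credentials are inside EAP, not User-Password."
    return "Neither User-Password nor EAP-Message present."

# Constructed sample mirroring the Access-Request attributes in the log above.
SAMPLE_ATTRS = {"User-Name": "test", "EAP-Message": "0x020000090174657374",
                "NAS-Identifier": "vpn-server-1"}

if __name__ == "__main__":
    print(decode_eap_message(SAMPLE_ATTRS["EAP-Message"]))
    print(explain_access_request(SAMPLE_ATTRS))
```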