[strongSwan] IKEv2 + MFA with RADIUS

Michael Schwartzkopff ms at sys4.de
Sat Jul 3 11:41:09 CEST 2021


On 29.06.21 16:11, Mike Hill wrote:
> Hi,
>
> We use JumpCloud as our directory (as-a-service), which also gives us a RADIUS server to authenticate against. We have this working fine (without the MFA) for user authentication against JumpCloud’s RADIUS using the built-in macOS VPN client (IKEv2), but having trouble when enabling MFA on JumpCloud’s side.
>
> Their documentation states that MSCHAPv2 is not supported for MFA-enabled VPN connections, and they recommend EAP-TTLS/PAP. When connecting, it should be a case of entering username and password with TOTP separated by a comma, e.g. MyB@dPa33word,1203456.
>
> When attempting to connect, /var/log/syslog shows:
>
> Jun 25 17:23:29 talon-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
> Jun 25 17:23:29 vpn-swan charon: 07[CFG] RADIUS server 'eu1.radius.jumpcloud.com' is candidate: 210
> Jun 25 17:23:29 talon-swan charon: 07[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)
> Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> Jun 25 17:23:29 vpn-swan charon: 07[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (83 bytes)
> Jun 25 17:23:29 vpn-swan charon: 08[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (72 bytes)
> Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> Jun 25 17:23:29 vpn-swan charon: 08[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Jun 25 17:23:29 vpn-swan charon: 08[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (104 bytes)
> Jun 25 17:23:29 vpn-swan charon: 10[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (136 bytes)
> Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Jun 25 17:23:29 vpn-swan charon: 10[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:30 vpn-swan charon: 09[MGR] ignoring request with ID 4, already processing
> Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:30 vpn-swan charon: 10[IKE] RADIUS authentication of 'test.user' failed
> Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for peer 192.168.1.235
> Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]
>
> On JumpCloud’s side, we have the error:
>
> mfa: multifactor authentication required; not supported for PEAP/MS-CHAP
>
> We have rightauth set to eap-radius, but I’m yet to find a way of changing the EAP method. Does anyone have strongSwan + MFA working for macOS clients or can anyone point me in the right direction, please?
>
> References:
>
> https://support.jumpcloud.com/support/s/article/Logging-in-to-RADIUS-with-TOTP-MFA
>
> https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47
>
> Many thanks,
>
> Mike

Hi,

If you want to set up your own RADIUS server, I'd recommend FreeRADIUS.
For OTP setup, see:

https://wiki.freeradius.org/guide/multiOTP-HOWTO

Kind regards,

-- 

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
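The "password,TOTP" credential from the quoted question, checked on the RADIUS side the way a PAP/OTP backend such as the FreeRADIUS + multiOTP route above would have to, as an added Python example; this is not JumpCloud's, FreeRADIUS' or multiOTP's code, and `DEMO_USER`, `verify_pap_credential` and the plaintext stored password are assumptions (the TOTP secret and vectors are RFC 6238's). It also shows why the split only works with PAP inside the TLS tunnel: the server needs the literal string to cut the TOTP off, whereas MS-CHAPv2 only delivers a hash-derived challenge response.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)
# Constructed demo account (assumption): plaintext password kept only to keep the
# example short; a real RADIUS backend would compare against a salted hash.
# The TOTP secret is the RFC 6238 reference test secret.
DEMO_USER = {"password": "MyB@dPa33word",
             "totp_secret": b"12345678901234567890",
             "last_counter": -1}  # highest accepted time counter, for replay rejection

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP, digits)

def split_credential(user_password: str) -> tuple:
    """Split the PAP User-Password "password,TOTP" on its LAST comma, so the
    password itself may contain commas; the six-digit TOTP never does."""
    if "," not in user_password:
        raise ValueError("no TOTP appended to password")
    password, otp = user_password.rsplit(",", 1)
    if not (otp.isdigit() and len(otp) == 6):
        raise ValueError("TOTP must be six digits")
    return password, otp

def verify_pap_credential(user_password: str, user: dict, now: int, window: int = 1) -> bool:
    """Check password and TOTP; accept +/-window steps of clock skew, never a replayed step."""
    try:
        password, otp = split_credential(user_password)
    except ValueError:
        return False
    pw_ok = hmac.compare_digest(password.encode(), user["password"].encode())
    counter = now // STEP
    accepted = None
    for c in range(counter - window, counter + window + 1):
        if c > user["last_counter"] and hmac.compare_digest(otp, hotp(user["totp_secret"], c)):
            accepted = c
    if not (pw_ok and accepted is not None):
        return False
    user["last_counter"] = accepted  # burn this step so the same code cannot be replayed
    return True
```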