[strongSwan] IKEv2 + MFA with RADIUS

Tue Jun 29 16:11:59 CEST 2021

Hi,

We use JumpCloud as our directory (as-a-service), which also gives us a RADIUS server to authenticate against. We have this working fine (without the MFA) for user authentication against JumpCloud’s RADIUS using the built-in macOS VPN client (IKEv2), but having trouble when enabling MFA on JumpCloud’s side.

Their documentation states that MSCHAPv2 is not supported for MFA-enabled VPN connections, and they recommend EAP-TTLS/PAP. When connecting, it should be a case of entering username and password with TOTP separated by a comma e.g. MyB at dPa33word,1203456.

When attempting to connect, /var/log/syslog shows:

Jun 25 17:23:29 talon-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
Jun 25 17:23:29 vpn-swan charon: 07[CFG] RADIUS server 'eu1.radius.jumpcloud.com' is candidate: 210
Jun 25 17:23:29 talon-swan charon: 07[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)
Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Jun 25 17:23:29 vpn-swan charon: 07[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (83 bytes)
Jun 25 17:23:29 vpn-swan charon: 08[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (72 bytes)
Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jun 25 17:23:29 vpn-swan charon: 08[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 25 17:23:29 vpn-swan charon: 08[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (104 bytes)
Jun 25 17:23:29 vpn-swan charon: 10[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (136 bytes)
Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 25 17:23:29 vpn-swan charon: 10[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:30 vpn-swan charon: 09[MGR] ignoring request with ID 4, already processing
Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:30 vpn-swan charon: 10[IKE] RADIUS authentication of 'test.user' failed
Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for peer 192.168.1.235
Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]

On JumpCloud’s side, we have the error:

mfa: multifactor authentication required; not supported for PEAP/MS-CHAP

We have rightauth set to eap-radius, but I’m yet to find a way of changing the EAP method. Does anyone have strongSwan + MFA working for macOS clients or can anyone point me in the right direction, please?

References:

https://support.jumpcloud.com/support/s/article/Logging-in-to-RADIUS-with-TOTP-MFA

https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47

Many thanks,

Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210629/5c967298/attachment.html>