Hi,

I've managed to get so far with trying to implement a strongSwan VPN server with MFA, similar to what Azure does (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-dir-radius), but I get stuck with using EAP. As commented by Azure: "The MFA Server only supports PAP (password authentication protocol) and MSCHAPv2 (Microsoft's Challenge-Handshake Authentication Protocol) RADIUS protocols when acting as a RADIUS server. Other protocols, like EAP (extensible authentication protocol), can be used when the MFA server acts as a RADIUS proxy to another RADIUS server that supports that protocol."

This is what I have so far with strongSwan; the freeradius log is below. I have freeradius configured with google-authenticator using PAM, following this guide (http://www.supertechguy.com/help/security/freeradius-google-auth), which works when testing from localhost, but I think the EAP from the VPN is not sending through the password, or at least it is, but in MD4. Has anyone managed to set up a VPN server with MFA?

#!/bin/bash
sed -i 's/#NTP=/NTP=169.254.169.123/' /etc/systemd/timesyncd.conf

# apt answers
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections

# install dependencies
apt-get install -y build-essential libsystemd-dev pkg-config iptables-persistent

# install strongswan
wget -nv https://download.strongswan.org/strongswan-5.6.3.tar.bz2
tar xjf strongswan-5.6.3.tar.bz2
# use the explicit directory name: "cd strongswan*" also matches the tarball,
# and bash's cd rejects two arguments
cd strongswan-5.6.3
./configure --prefix=/usr --sysconfdir=/etc \
    --enable-systemd --enable-swanctl \
    --disable-charon --disable-stroke --disable-scepclient \
    --enable-eap-identity --enable-eap-mschapv2 --enable-md4 \
    --enable-eap-radius
make
make install

# configure strongswan
cat <<'EOF' > /etc/strongswan.d/charon/eap-radius.conf
eap-radius {
    load = yes
    accounting = yes
    nas_identifier = vpn-server-1
    servers {
        primary {
            address = 172.31.19.90 # TODO: change to DNS
            secret = KFdHr0sgw$kOfFgh # /etc/freeradius/clients.conf
        }
    }
    xauth {
        pinprofile {
            nextpin = Please enter the next Code from your scratch list:
        }
        passandcode {
            password = Please enter your password:
            passcode = Please enter multi-factor authentication code:
        }
    }
}
EOF

cat <<'EOF' > /etc/swanctl/conf.d/conn-radius.conf
connections {
    radius {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        remote {
            auth = eap-radius
            eap_id = %any
        }
        remote-1 {
            auth = xauth-radius:pinprofile
        }
        children {
            net {
                local_ts = 172.31.0.0/16
            }
        }
    }
}
EOF

The freeradius server log has the following:

rad_recv: Access-Request packet from host 172.31.19.40 port 56472, id=44, length=140
        User-Name = "test"
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 4
        NAS-Port-Id = "radius"
        NAS-IP-Address = 172.31.19.40
        Called-Station-Id = "172.31.19.40[4500]"
        Calling-Station-Id = "148.252.225.26[46452]"
        EAP-Message = 0x020000090174657374
        NAS-Identifier = "vpn-server-1"
        Message-Authenticator = 0x38b1665e5c973bce156a9b8ec63d40a0
Mon Jul 9 15:29:42 2018 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Jul 9 15:29:42 2018 : Info: +group authorize {
Mon Jul 9 15:29:42 2018 : Info: ++[preprocess] = ok
Mon Jul 9 15:29:42 2018 : Info: ++[chap] = noop
Mon Jul 9 15:29:42 2018 : Info: ++[mschap] = noop
Mon Jul 9 15:29:42 2018 : Info: ++[digest] = noop
Mon Jul 9 15:29:42 2018 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL
Mon Jul 9 15:29:42 2018 : Info: [suffix] No such realm "NULL"
Mon Jul 9 15:29:42 2018 : Info: ++[suffix] = noop
Mon Jul 9 15:29:42 2018 : Info: [eap] EAP packet type response id 0 length 9
Mon Jul 9 15:29:42 2018 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul 9 15:29:42 2018 : Info: ++[eap] = updated
Mon Jul 9 15:29:42 2018 : Info: [files] users: Matched entry DEFAULT at line 1
Mon Jul 9 15:29:42 2018 : Info: ++[files] = ok
Mon Jul 9 15:29:42 2018 : Info: ++[expiration] = noop
Mon Jul 9 15:29:42 2018 : Info: ++[logintime] = noop
Mon Jul 9 15:29:42 2018 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Mon Jul 9 15:29:42 2018 : Info: ++[pap] = noop
Mon Jul 9 15:29:42 2018 : Info: +} # group authorize = updated
Mon Jul 9 15:29:42 2018 : Info: Found Auth-Type = PAM
Mon Jul 9 15:29:42 2018 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul 9 15:29:42 2018 : Info: +group authenticate {
Mon Jul 9 15:29:42 2018 : Auth: rlm_pam: Attribute "User-Password" is required for authentication.
Mon Jul 9 15:29:42 2018 : Info: ++[pam] = invalid
Mon Jul 9 15:29:42 2018 : Info: +} # group authenticate = invalid
Mon Jul 9 15:29:42 2018 : Info: Failed to authenticate the user.
Mon Jul 9 15:29:42 2018 : Auth: Login incorrect: [test] (from client local port 4 cli 148.252.225.26[46452])
Mon Jul 9 15:29:42 2018 : Info: Using Post-Auth-Type Reject
Mon Jul 9 15:29:42 2018 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul 9 15:29:42 2018 : Info: +group REJECT {
Mon Jul 9 15:29:42 2018 : Info: [eap] Request was previously rejected, inserting EAP-Failure
Mon Jul 9 15:29:42 2018 : Info: ++[eap] = updated
Mon Jul 9 15:29:42 2018 : Info: [attr_filter.access_reject] expand: %{User-Name} -> test
Mon Jul 9 15:29:42 2018 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Jul 9 15:29:42 2018 : Info: ++[attr_filter.access_reject] = updated
Mon Jul 9 15:29:42 2018 : Info: +} # group REJECT = updated
Mon Jul 9 15:29:42 2018 : Info: Delaying reject of request 0 for 1 seconds
Mon Jul 9 15:29:42 2018 : Debug: Going to the next request
Mon Jul 9 15:29:42 2018 : Debug: Waking up in 0.9 seconds.
Mon Jul 9 15:29:43 2018 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 44 to 172.31.19.40 port 56472
        EAP-Message = 0x04000004
        Message-Authenticator = 0x00000000000000000000000000000000

Kind regards,
Christian
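The log above shows exactly why rlm_pam has nothing to work with: the only credential-bearing attribute strongSwan forwarded is EAP-Message, and decoding it per RFC 3748 gives an EAP-Identity response, which carries the user name and nothing else, so no User-Password ever reaches PAM. The following Python is an added example for this thread, not code from the post, strongSwan or FreeRADIUS. It decodes the two EAP-Message values copied from the log (the identity response and the EAP-Failure), plus a constructed EAP-GTC response for contrast: GTC is the EAP method whose response carries the typed password or OTP as plain text, whereas an MS-CHAPv2 response carries a challenge response derived from the MD4 NT hash and never the password itself. The `LOG_EXCERPT` lines are taken from the post; `GTC_RESPONSE_HEX` and the OTP in it are constructed.

```python
"""Decode the EAP-Message attributes seen in a FreeRADIUS log.

Added example; not code from the original post, strongSwan or FreeRADIUS.
EAP packet layout per RFC 3748:
  code(1) identifier(1) length(2, network order) [type(1) type-data...]
Only Request/Response packets carry a type; Success/Failure are exactly 4 bytes.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of the IANA EAP method type registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}


def decode_eap(hexstr):
    """Parse one EAP-Message value as radiusd prints it (with or without 0x)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a type byte")
        etype = raw[4]
        pkt["type"] = EAP_TYPES.get(etype, "unknown(%d)" % etype)
        pkt["data"] = raw[5:]
        if etype == 1:
            # Identity type-data is the bare NAI/user name, no password.
            pkt["identity"] = raw[5:].decode("utf-8", errors="replace")
    return pkt


def carries_cleartext_password(pkt):
    """True only for an EAP-GTC response: the one EAP method whose response
    holds the typed password/OTP as text (what rlm_pam needs as User-Password).
    An Identity response is just a name; an MS-CHAPv2 response is a challenge
    response computed from the MD4 NT hash, so neither can feed a PAM back end."""
    return pkt["code"] == "Response" and pkt.get("type") == "GTC"


def eap_messages_from_log(text):
    """Pull every EAP-Message value out of radiusd -X style output."""
    return re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", text)


# Lines copied from the post: the identity response strongSwan forwarded
# and the EAP-Failure FreeRADIUS sent back in the Access-Reject.
LOG_EXCERPT = """\
        User-Name = "test"
        EAP-Message = 0x020000090174657374
        NAS-Identifier = "vpn-server-1"
Sending Access-Reject of id 44 to 172.31.19.40 port 56472
        EAP-Message = 0x04000004
"""

# Constructed for contrast (not from the post): an EAP-GTC response
# carrying the OTP "123456". code=2 id=1 length=11 type=6 data="123456"
GTC_RESPONSE_HEX = "0201000b06313233343536"

if __name__ == "__main__":
    for hexval in eap_messages_from_log(LOG_EXCERPT) + [GTC_RESPONSE_HEX]:
        pkt = decode_eap(hexval)
        print(hexval, pkt, "usable by rlm_pam:", carries_cleartext_password(pkt))
```

Run it against any `radiusd -X` capture to see which EAP round a rejected request died in; when every EAP-Message decodes to an Identity response, the RADIUS server never advanced the EAP conversation, and the inner method (and whether it can yield a cleartext password at all) is what to look at next.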
