Hi,

We use JumpCloud as our directory (as-a-service), which also gives us a RADIUS server to authenticate against. We have this working fine (without the MFA) for user authentication against JumpCloud’s RADIUS using the built-in macOS VPN client (IKEv2), but having trouble when enabling MFA on JumpCloud’s side.
Their documentation states that MSCHAPv2 is not supported for MFA-enabled VPN connections, and they recommend EAP-TTLS/PAP. When connecting, it should be a case of entering username and password, with the TOTP separated by a comma, e.g. MyB@dPa33word,1203456. When attempting to connect, /var/log/syslog shows:

Jun 25 17:23:29 talon-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
Jun 25 17:23:29 vpn-swan charon: 07[CFG] RADIUS server 'eu1.radius.jumpcloud.com' is candidate: 210
Jun 25 17:23:29 talon-swan charon: 07[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)
Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Jun 25 17:23:29 vpn-swan charon: 07[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (83 bytes)
Jun 25 17:23:29 vpn-swan charon: 08[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (72 bytes)
Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jun 25 17:23:29 vpn-swan charon: 08[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 25 17:23:29 vpn-swan charon: 08[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (104 bytes)
Jun 25 17:23:29 vpn-swan charon: 10[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (136 bytes)
Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 25 17:23:29 vpn-swan charon: 10[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:30 vpn-swan charon: 09[MGR] ignoring request with ID 4, already processing
Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:30 vpn-swan charon: 10[IKE] RADIUS authentication of 'test.user' failed
Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for peer 192.168.1.235
Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]

On JumpCloud’s side, we have the error:

mfa: multifactor authentication required; not supported for PEAP/MS-CHAP

We have rightauth set to eap-radius, but I’m yet to find a way of changing the EAP method. Does anyone have strongSwan + MFA working for macOS clients, or can anyone point me in the right direction, please?

References:
https://support.jumpcloud.com/support/s/article/Logging-in-to-RADIUS-with-TOTP-MFA
https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47

Many thanks,
Mike
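As an added example (not part of the post, and not code from strongSwan or JumpCloud), here is a small Python parser that walks charon log lines like the ones above and reconstructs the EAP negotiation: which methods the server offered, which the client NAKed, what the RADIUS server answered, and how the exchange ended. The sample lines are constructed from the output quoted in the post, and the regexes assume the default charon syslog format shown there.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post; not a new capture.
SAMPLE_LOG = """\
Jun 25 17:23:29 vpn-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]
"""

CHARON = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
IDENTITY = re.compile(r"received EAP identity '(?P<id>[^']*)'")
EAP_REQ = re.compile(r"\[ EAP/REQ/(?P<method>\w+) \]")      # method the server proposes
EAP_RES = re.compile(r"\[ EAP/RES/(?P<kind>\w+) \]")        # client reply; NAK = refused
RADIUS = re.compile(r"received RADIUS (?P<code>Access-\w+) from server '[^']*'")
FINAL = re.compile(r"\[ EAP/(?P<result>FAIL|SUCC) \]")

def summarize_eap(lines):
    """Walk charon lines in order; record identity, methods offered, NAKs, RADIUS codes, result."""
    s = {"identity": None, "offered": [], "nak_after": [], "radius": [], "result": None}
    for line in lines:
        m = CHARON.match(line)
        msg = m.group("msg") if m else ""        # skip lines that are not charon output
        if (x := IDENTITY.search(msg)):
            s["identity"] = x.group("id")
        elif (x := EAP_REQ.search(msg)):
            s["offered"].append(x.group("method"))
        elif (x := EAP_RES.search(msg)) and x.group("kind") == "NAK":
            s["nak_after"].append(s["offered"][-1] if s["offered"] else None)
        elif (x := RADIUS.search(msg)):
            s["radius"].append(x.group("code"))
        elif (x := FINAL.search(msg)):
            s["result"] = x.group("result")
    return s

def diagnose(summary):
    """One-line verdict: which EAP method actually ran and what the RADIUS server answered."""
    used = summary["offered"][-1] if summary["offered"] else "none"
    last = summary["radius"][-1] if summary["radius"] else "no RADIUS reply"
    if summary["result"] == "SUCC":
        return f"authenticated via EAP-{used}"
    return f"EAP-{used} negotiated (peer NAKed {summary['nak_after']}), RADIUS {last}"
```

Run over the post's exchange, the verdict shows the client refusing MD5 and the server then falling back to MSCHAPv2, which is exactly the method JumpCloud rejects once MFA is on.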
