IKEv2 Mobile Client VPN - Authorised devices only
-
I've got an environment where I'm using IKEv2 Mobile Clients with EAP-RADIUS with a local AD server and a Duo proxy for an MFA prompt. It's excellent. I use ACME certificates to auto-renew and it just works.
We have a new requirement where the VPN must be locked down to approved client devices only. Is there a way I can implement this in pfSense? I understand that client certificates may be an option but I just don't fully understand it and how I wouldn't lose my existing username and password prompt and RADIUS integration.
-
@bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operating system (Windows, macOS, Linux, Android and iOS)?
Locking those down to approved clients only requires a change from EAP-RADIUS (MSCHAPv2) to EAP-TLS, which is client-certificate-based authentication, as far as I know. pfSense IKEv2 and the OS built-in clients do not support combining multiple authentication models concurrently, e.g. MSCHAPv2 (username/password) and TLS or PSK (certificate or pre-shared key auth).
So the only way to "preapprove" clients is by changing the authentication model to EAP-TLS and using enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN.
Usually this is done using an MDM like e.g. Microsoft Intune.
Alternatively you could look into using OpenVPN instead, as that does support multiple authentication models concurrently, e.g. clients need a pre-shared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN client…
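For readers who want to see what the EAP-TLS model from the reply looks like in configuration terms, here is a strongSwan swanctl.conf sketch added as an illustration. pfSense generates its own strongSwan configuration from the GUI, so this is not pfSense output; the hostname, CA name, file names and address ranges are assumed.

```conf
# Added illustration, not pfSense-generated: an IKEv2 responder that only
# accepts clients presenting a certificate issued by a dedicated client CA.
connections {
    mobile-eap-tls {
        version = 2
        # clients receive a virtual address from this pool
        pools = mobile-pool
        local {
            # the gateway authenticates with its own (e.g. ACME-issued) cert
            auth = pubkey
            certs = vpn.example.com.pem      # assumed file name
            id = vpn.example.com             # assumed hostname
        }
        remote {
            # EAP-TLS: the client proves possession of an enrolled certificate
            # inside EAP; there is no username/password round
            auth = eap-tls
            # the "approved devices" control: only certificates chaining to
            # this CA are accepted, so a device without an enrolled cert fails
            cacerts = vpn-clients-ca.pem     # assumed CA file
        }
        children {
            mobile {
                local_ts = 10.0.0.0/8        # assumed internal range
            }
        }
    }
}
pools {
    mobile-pool {
        addrs = 10.255.0.0/24                # assumed client range
    }
}
authorities {
    # publishing a CRL lets you cut off a lost or retired device by revoking
    # its certificate instead of re-issuing everyone else's
    vpn-clients-ca {
        cacert = vpn-clients-ca.pem
        crl_uris = http://pki.example.com/vpn-clients.crl   # assumed URL
    }
}
```

The "approved device" property comes entirely from which CA is listed under `cacerts` and from keeping that CA's issuance under MDM control; any certificate from a different CA, or a revoked one, is rejected before the tunnel comes up.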