Netgate Discussion Forum

IPSec IKEv2 with EAP-RADIUS VPN - Azure Multi-Factor-Authentication

5 Posts 4 Posters 3.1k Views
    Stoy
    last edited by Dec 2, 2016, 10:30 AM

    Hi All,

    I recently installed pfSense and am testing it, and I am loving it after being an ISA Server / TMG Server veteran for over 10 years.

    I am having problems configuring my client VPN connection. I have followed the guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    Then I switched the authentication mode to RADIUS following this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS

    My RADIUS server has Microsoft's Multi-Factor Authentication Server (formerly Azure Authenticator) installed on it, which basically sends a push notification to mobile clients. I have added the pfSense LAN IP address to the RADIUS Authentication Clients, then tested the authentication from pfSense > Diagnostics > Authentication. The push notification comes through instantly and authentication succeeds.

    However, when I try to connect to the VPN from a remote location (Windows 10) using the same username and password, I get "Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

    Viewing the IPsec logs on the pfSense firewall, I see these errors:

    Dec 2 10:26:34 charon 14[ENC] <con1|6> generating IKE_AUTH response 2 [ EAP/FAIL ]
    Dec 2 10:26:34 charon 14[IKE] <con1|6> initiating EAP_RADIUS method failed
    Dec 2 10:26:34 charon 14[CFG] <con1|6> RADIUS Access-Request timed out after 4 attempts
    Dec 2 10:26:32 charon 09[MGR] ignoring request with ID 2, already processing
    Dec 2 10:26:28 charon 14[CFG] <con1|6> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
    Dec 2 10:26:25 charon 09[MGR] ignoring request with ID 2, already processing
    Dec 2 10:26:25 charon 14[CFG] <con1|6> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
    Dec 2 10:26:22 charon 14[CFG] <con1|6> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
    Dec 2 10:26:22 charon 09[MGR] ignoring request with ID 2, already processing
    Dec 2 10:26:21 charon 09[MGR] ignoring request with ID 2, already processing
    Dec 2 10:26:20 charon 14[CFG] <con1|6> sending RADIUS Access-Request to server 'edge_radius'

    This indicates (to me at least...) that RADIUS is for some reason timing out, even though it works fine in Diagnostics > Authentication.

    Does anyone know how I can fix this? Help greatly appreciated.

    Kind Regards,
    Stoy

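The retransmit timeline in the log above (first send, then retries after 2.0 s, 2.8 s, 3.9 s and 5.5 s, then "timed out after 4 attempts" and EAP/FAIL) is reproduced below as an added example; it is not part of the original post and not pfSense or strongSwan code. It is a minimal RFC 2865 PAP client that retransmits on the same schedule (4 tries, 2 s initial timeout, each retry 1.4 times longer, taken from the intervals visible in the log) against a mock RADIUS server that validates the password and then holds its Access-Accept for a configurable time, standing in for a user approving an MFA push. The client also does what a RADIUS client must do to be safe: it keeps the same Request Authenticator across retransmits and verifies the Response Authenticator of every reply, so a spoofed or stale reply on the UDP socket is ignored. The shared secret, the account, the NAS address 192.0.2.1 and the time compression (`scale`) are constructed for the demo.

```python
import hashlib, hmac, os, socket, struct, threading, time

SECRET = b"testing123"  # constructed shared secret, demo only
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def retransmit_schedule(tries=4, base=2.0, factor=1.4):
    """Per-try wait in seconds, as in the log: 2.0, 2.8, 3.92, 5.49 (about 14.2 s before EAP/FAIL)."""
    return [base * factor ** i for i in range(tries)]

def password_xor(data, secret, authenticator, encrypting):
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = out[i:i + 16] if encrypting else data[i:i + 16]
    return out

def encrypt_password(pw, secret, ra):
    return password_xor(pw + b"\x00" * (-len(pw) % 16), secret, ra, True)
def decrypt_password(cipher, secret, ra):
    return password_xor(cipher, secret, ra, False).rstrip(b"\x00")
def attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], max(data[i + 1], 2)  # length < 2 is malformed; never loop in place
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, user, password, secret, nas_ip="192.0.2.1"):
    """Random Request Authenticator per request; a retransmit resends this identical packet."""
    ra = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, ra))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) binds a reply to one request."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, secret, attrs=b""):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def verify_response(pkt, ident, request_auth, secret):
    """Response code, or None if the reply is malformed, answers another request, or lacks the secret."""
    if len(pkt) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", pkt[:4])
    if rid != ident or length != len(pkt):
        return None
    return code if hmac.compare_digest(pkt[4:20], response_authenticator(code, rid, pkt[20:], request_auth, secret)) else None

def start_mock_radius_server(secret, accept_delay, users):
    """Mock server: checks the PAP password, then holds the Access-Accept for accept_delay seconds (the push approval)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                pkt, peer = sock.recvfrom(4096)
            except OSError:
                continue  # e.g. ICMP unreachable from a client that has already given up
            code, ident, _ = struct.unpack("!BBH", pkt[:4])
            ra, attrs = pkt[4:20], parse_attrs(pkt[20:])
            pw = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
            ok = code == ACCESS_REQUEST and users.get(attrs.get(ATTR_USER_NAME)) == pw
            time.sleep(accept_delay if ok else 0)
            sock.sendto(build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, secret), peer)
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()  # (host, port) to send to

def radius_auth(server, user, password, secret, schedule, scale=1.0, ident=2):
    """One Access-Request retransmitted on the schedule (timeouts x scale). Returns (code or None, seconds waited)."""
    pkt, ra = build_access_request(ident, user, password, secret)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for timeout in schedule:
            sock.sendto(pkt, server)  # "sending RADIUS Access-Request" / "retransmit N of ..."
            deadline = time.monotonic() + timeout * scale
            while (remaining := deadline - time.monotonic()) > 0:
                sock.settimeout(remaining)
                try:
                    code = verify_response(sock.recvfrom(4096)[0], ident, ra, secret)
                except OSError:
                    break  # this try expired; fall through to the next, longer one
                if code is not None:
                    return code, time.monotonic() - start
    return None, time.monotonic() - start  # "timed out after 4 attempts" -> EAP/FAIL

if __name__ == "__main__":  # scale=0.02 compresses time 50x: a 0.1 s hold stands for a 5 s approval, 0.6 s for 30 s
    for hold in (0.1, 0.6):
        srv = start_mock_radius_server(SECRET, hold, {b"stoy": b"hunter2"})
        code, waited = radius_auth(srv, b"stoy", b"hunter2", SECRET, retransmit_schedule(), scale=0.02)
        print("approval after %2.0f s -> %s (charon waited %.1f s)" % (hold / 0.02, "Access-Accept" if code == ACCESS_ACCEPT else "EAP/FAIL", waited / 0.02))
```

Run as a script it prints one line per simulated approval delay: the 5 s approval comes back Access-Accept, the 30 s approval ends in EAP/FAIL after the same 14.2 s the log shows, even though the password was correct and the server would have accepted. The practical check this gives you is the window itself: a RADIUS server that only answers once the user has approved a push has to answer within the sum of the four timeouts, and a test that uses a different RADIUS client with its own timeout (Diagnostics > Authentication is not charon) does not tell you whether it does.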
      datdamnmachine
      last edited by Apr 10, 2017, 6:00 PM (posted Apr 10, 2017, 5:42 PM)

      EDIT: I decided to start a new topic here:

      https://forum.pfsense.org/index.php?topic=128800.0

      I decided to reply to this instead of starting a new topic since I'm having the same issue. Here are my logs:

      [code]
      Apr 10 10:31:17 charon 08[CFG] <con1|1> sending RADIUS Access-Request to server 'radius_ipsec_1'
      Apr 10 10:31:18 charon 12[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:19 charon 12[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:22 charon 12[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:30 charon 09[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:32 charon 08[CFG] <con1|1> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
      Apr 10 10:31:35 charon 08[CFG] <con1|1> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
      Apr 10 10:31:39 charon 08[CFG] <con1|1> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
      Apr 10 10:31:44 charon 08[CFG] <con1|1> RADIUS Access-Request timed out after 4 attempts
      Apr 10 10:31:44 charon 08[IKE] <con1|1> initiating EAP_RADIUS method failed
      Apr 10 10:31:44 charon 08[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/FAIL
      [/code]
      
      I noticed that this occurs when I have both OpenVPN and Mobile IPsec configured to use RADIUS. Even when one uses one RADIUS server and the other uses a second RADIUS server, it still causes this error. I get the same Windows message the above user gets:
      
      [code]
      "Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
      [/code]
      
      I even tried using Local Database authentication on the OpenVPN server connection. It failed. The only way to get IPsec with RADIUS working is to disable the OpenVPN server.
      
      I can only assume that only one VPN configuration can use RADIUS at a time. Are there any workarounds to this?
      
        datdamnmachine
        last edited by Apr 12, 2017, 7:40 AM

        I fixed my issue.  Please see this thread below for my solution:

        https://forum.pfsense.org/index.php?topic=128800.0

          ltctech
          last edited by Mar 21, 2018, 11:31 PM

          If you're still looking to get Azure MFA working with EAP-RADIUS: https://forum.pfsense.org/index.php?topic=145526.0

          I've also found that you have to turn off accounting and only allow authentication in System -> User Manager -> Authentication Servers. Otherwise strongSwan starts lagging.

            viktor_g Netgate
            last edited by Jan 2, 2021, 1:49 PM

            Feature request created: https://redmine.pfsense.org/issues/11211

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.