Netgate Discussion Forum

    OpenVPN +NPS Radius (windows) with SMS/Phone App Code

      pat1

      Hi,

      I have a working VPN which works fine for phone call and push notifications, if my MFA default is set to either of these. The client I'm using is Viscosity, but I have also tested with the OpenVPN client.

      Overview of the setup

      1. User enters username + password
      2. pfSense with OpenVPN (configured for PAP - RADIUS)
      3. RADIUS server (Windows NPS with Azure MFA extension configured)
      4. Push or call is sent to the user's device; accept it and the VPN is connected.

      I would also like to add support for the phone app code / SMS / (hardware token at some point), but am having issues trying to make this work.

      1. User enters username + password
      2. SMS is sent to the user's phone
      3. How do I get the VPN client to display a prompt asking for the access challenge code?
      4. I can see from the pfSense packet capture that an Access-Challenge with a reply attribute is being sent from the RADIUS server to OpenVPN. But no additional dialogue is sent to the user's client to enter this information.

      P.S. I have read something about the dynamic challenge protocol, but honestly I am not sure how to make this work.

      Thanks
      Pat

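To make the packet-capture observation in point 4 and the "dynamic challenge protocol" in the P.S. concrete, here is an added example (not code from this thread, pfSense or NPS). It parses a constructed RADIUS Access-Challenge (code 11) carrying Reply-Message (type 18) and State (type 24) attributes, and shows the CRV1 dynamic-challenge string that OpenVPN's management-notes documentation defines for handing such a challenge to the client; the sample packet bytes, the username and the challenge text are made up for the example.

```python
import base64
import struct

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_CHALLENGE = 11   # what the pfSense capture shows coming back from NPS
ATTR_REPLY_MESSAGE = 18        # the "reply attribute": text meant for the user
ATTR_STATE = 24                # opaque server state the client must echo back


def build_packet(code, identifier, attrs):
    """Build a RADIUS packet (RFC 2865 layout). The 16-byte authenticator is
    zeroed here because this example only looks at the structure, not at MD5."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_packet(data):
    """Return (code, identifier, [(attr_type, value), ...]) with length checks."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, identifier, attrs


def challenge_to_crv1(data, username):
    """Map an Access-Challenge to OpenVPN's dynamic-challenge string
    CRV1:<flags>:<state_id>:<base64 username>:<challenge text>
    (format as documented in OpenVPN's management-notes; R = response
    required, E = echo the typed response). Returns None for non-challenges."""
    code, _, attrs = parse_packet(data)
    if code != RADIUS_ACCESS_CHALLENGE:
        return None
    text = b"".join(v for t, v in attrs if t == ATTR_REPLY_MESSAGE).decode("utf-8", "replace")
    state = next((v for t, v in attrs if t == ATTR_STATE), b"")
    state_id = base64.b64encode(state).decode()  # base64 keeps ':' out of the field
    return f"CRV1:R,E:{state_id}:{base64.b64encode(username.encode()).decode()}:{text}"


def client_response(state_id, code_from_sms):
    """Password field the client sends on the second round: CRV1::<state_id>::<response>."""
    return f"CRV1::{state_id}::{code_from_sms}"


# Constructed sample: NPS asks for the SMS code, with a 4-byte State blob.
SAMPLE_CHALLENGE = build_packet(RADIUS_ACCESS_CHALLENGE, 7, [
    (ATTR_REPLY_MESSAGE, b"Enter the code sent to your phone"),
    (ATTR_STATE, b"\x01\x02\x03\x04"),
])
```

Whether pfSense's RADIUS auth path actually relays the State attribute and Reply-Message into a CRV1 prompt is exactly the gap the thread never resolved; the example only shows what each side of that exchange would have to look like.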
        Danilo Ribeiro

        Hi Pat,

        Did you find any solution for SMS authentication?

        I implemented the same environment as you, but I could only authenticate with Microsoft app approval.

          pat1

          Hi Danilo,

          Unfortunately I could not get this to work. I do recall that after having some conversations with MS, there was a known issue with the NPS Azure extension working with SMS in this scenario.

          I decided that phone calls and push notifications were fine for my use case, and we enforced all users to set their default MFA to Phone Call or Microsoft Push Notifications.

          We have not had issues since I enforced this as a requirement, so I have not needed to investigate this further.

          Thanks
          Pat

            Danilo Ribeiro

            Hi Pat,

            I have a question,

            I created my environment and I'm doing the homologation, but OpenVPN keeps reconnecting and requesting the MFA authentication every time.

            Do you know how I can disable this reconnection, or make it reconnect only after a long time?

            Thanks

              pat1 @Danilo Ribeiro

              @danilo-ribeiro When you say you get the request each time, I presume this is after a disconnect from the client has occurred.
              In the Advanced configuration > Custom options section of your OpenVPN server config, add the following line. In my environment this allows users to stay connected for 10 hours.

              reneg-sec 36000;

                Danilo Ribeiro @pat1

                Thank you very much

                Now it's working fine.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.