OpenVPN + NPS RADIUS (Windows) with SMS/Phone App Code
-
Hi,
I have a working VPN which works fine for phone call and push notifications, if my MFA default is set to either of these. The client I'm using is Viscosity, but I have also tested with the OpenVPN client.
Overview of the setup:
- User enters username + password
- pfSense with OpenVPN (configured for PAP - RADIUS)
- RADIUS server (Windows NPS with the Azure MFA extension configured)
- Push or call is sent to the user's device; accept it and the VPN is connected.
I would also like to add the phone app code / SMS (hardware token at some point), but am having issues trying to make this work.
- User enters username + password
- SMS is sent to the user's phone
- How do I get the VPN client to display a prompt asking for the access challenge code?
- I can see from the pfSense packet capture that an Access-Challenge with a reply attribute is being sent from the RADIUS server to OpenVPN, but no additional dialogue is shown to the user's client to enter this information.
P.S. I have read something about the dynamic challenge protocol, but honestly am not sure how to make this work.
Thanks
Pat
-
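To check what the pfSense packet capture is showing, here is an added example (not from this thread or any of the products mentioned): a minimal RADIUS decoder for the Access-Challenge shape described above. The sample packet is constructed, and the attribute codes come from RFC 2865 (Reply-Message = 18, State = 24).

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865 (only those relevant here)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {18: "Reply-Message", 24: "State"}


def build_packet(code, ident, authenticator, attrs):
    """Build a RADIUS packet: Code | Identifier | Length | Authenticator(16) | Attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Decode the header and attribute list, rejecting malformed length fields."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTRS.get(atype, atype), data[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}


def describe_challenge(pkt):
    """Return (prompt text, State value) for an Access-Challenge, else None.
    Reply-Message may repeat, so all occurrences are concatenated for display."""
    if pkt["code"] != "Access-Challenge":
        return None
    prompt = b"".join(v for t, v in pkt["attrs"] if t == "Reply-Message")
    state = next((v for t, v in pkt["attrs"] if t == "State"), None)
    return prompt.decode("utf-8", "replace"), state


# Constructed sample: what an NPS/MFA challenge could look like on the wire
SAMPLE = build_packet(11, 7, bytes(16), [
    (18, b"Enter the verification code sent by SMS"),
    (24, b"\x01\x02\x03\x04"),
])

if __name__ == "__main__":
    print(describe_challenge(parse_packet(SAMPLE)))
```

Per RFC 2865 the client must answer a challenge with a fresh Access-Request that carries the State value back unchanged, so a VPN client that treats anything other than Access-Accept as a failure will never show the prompt.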
Hi Pat,
Did you find any solution for SMS authentication?
I implemented the same environment as you, but I could only authenticate with the Microsoft app approval.
-
Hi Danilo
Unfortunately I could not get this to work. I do recall that after having some conversations with MS, there was a known issue with the NPS Azure extension working with SMS in this scenario.
I decided that phone calls and push notifications were fine for my use case, and we enforced that all users set their default MFA to Phone Call or Microsoft Push Notifications.
We have not had issues since I enforced this as a requirement, so have not needed to investigate this further.
Thanks
Pat
-
Hi Pat,
I have a question,
I created my environment and I'm doing the homologation, but OpenVPN keeps reconnecting and requests the MFA authentication every time.
Do you know how I can disable this reconnection, or make it reconnect only after a long time?
Thanks
-
@danilo-ribeiro when you say you get the request each time, I presume this is after a disconnect from the client has occurred.
In the Advanced Configuration > Custom options section of your OpenVPN server config, add the following line. In my environment this allows users to stay connected for 10 hours:
reneg-sec 36000;
-
Thank you very much.
Now it's working fine.