IPSec IKEv2 with EAP-RADIUS VPN - Azure Multi-Factor-Authentication
-
Hi All,
Recently installed and testing pfSense and I am loving it after being an ISA Server / TMG Server veteran for over 10 years.
I am having problems configuring my client VPN connection, I have followed the guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
Then switched the authentication mode to RADIUS in this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS
My RADIUS server has Microsoft's Multi-Factor Authentication Server (formerly Azure Authenticator) installed on it which basically sends a push notification to mobile clients. I have added the pfSense LAN IP address into the RADIUS Authentication Clients, then tested the authentication from pfSense > Diagnostics > Authentication. The push notification comes through instantly and succeeds authentication.
However when I am trying to connect to the VPN from a remote location (Windows 10) using the same username and password, I am getting "Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
Viewing the IPSec Firewall logs on pfSense I am receiving this error log:
Dec 2 10:26:34 charon 14[ENC] <con1|6> generating IKE_AUTH response 2 [ EAP/FAIL ]
Dec 2 10:26:34 charon 14[IKE] <con1|6> initiating EAP_RADIUS method failed
Dec 2 10:26:34 charon 14[CFG] <con1|6> RADIUS Access-Request timed out after 4 attempts
Dec 2 10:26:32 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:28 charon 14[CFG] <con1|6> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Dec 2 10:26:25 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:25 charon 14[CFG] <con1|6> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Dec 2 10:26:22 charon 14[CFG] <con1|6> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Dec 2 10:26:22 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:21 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:20 charon 14[CFG] <con1|6> sending RADIUS Access-Request to server 'edge_radius'
This indicated (to me at least…) that the RADIUS is for some reason timing out, when it works fine in Diagnostics > Authentication.
Does anyone know how I can fix this? Help greatly appreciated.
Kind Regards,
Stoy
-
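The charon lines above are easier to reason about once they are read chronologically (the pfSense log view lists newest first) and the RADIUS retransmit sequence is reduced to a few numbers: when the request went out, how many retransmits strongSwan made, the per-attempt timeouts, and how long the whole thing lasted before EAP/FAIL. The parser below is an added example, not code from the thread or from pfSense/strongSwan; the sample log is constructed to mirror the lines in the post, the `MFA_PUSH_BUDGET_S` value is an assumed figure for how long a user needs to approve a push, and the log-line pattern is assumed from the format shown above rather than taken from the strongSwan source.

```python
import re
from datetime import datetime

# Constructed sample modelled on the charon lines in the post above (not a live capture).
SAMPLE_LOG = """\
Dec 2 10:26:20 charon 14[CFG] <con1|6> sending RADIUS Access-Request to server 'edge_radius'
Dec 2 10:26:21 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:22 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:22 charon 14[CFG] <con1|6> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Dec 2 10:26:25 charon 14[CFG] <con1|6> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Dec 2 10:26:25 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:28 charon 14[CFG] <con1|6> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Dec 2 10:26:32 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:34 charon 14[CFG] <con1|6> RADIUS Access-Request timed out after 4 attempts
Dec 2 10:26:34 charon 14[IKE] <con1|6> initiating EAP_RADIUS method failed
Dec 2 10:26:34 charon 14[ENC] <con1|6> generating IKE_AUTH response 2 [ EAP/FAIL ]
"""

# Assumed: rough wall-clock time a person needs to notice and approve a push prompt.
MFA_PUSH_BUDGET_S = 30.0

# Pattern assumed from the lines shown in the thread: timestamp, "charon NN[SUBSYS]",
# an optional "<conn|id>" tag (the space after it may be missing in copied logs), message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<subsys>\w+)\]"
    r"(?: <(?P<conn>[^>]+)>)? ?(?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, subsystem, connection-or-None, message) or None if not a charon line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog style, no year
    return ts, m.group("subsys"), m.group("conn"), m.group("msg")


def summarize_radius(log_text):
    """Reduce a charon log to one RADIUS lifecycle record per IKE connection."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # work oldest-first regardless of display order
    per_conn = {}
    ike_dupes = 0  # client IKE_AUTH retransmits charon dropped while waiting on RADIUS
    for ts, subsys, conn, msg in events:
        if subsys == "MGR" and msg.startswith("ignoring request with ID"):
            ike_dupes += 1
            continue
        if conn is None:
            continue
        s = per_conn.setdefault(conn, {"sent": None, "retransmits": 0, "timeouts": [],
                                       "outcome": "pending", "elapsed_s": None})
        if msg.startswith("sending RADIUS Access-Request"):
            s["sent"] = ts
        elif msg.startswith("retransmit "):
            s["retransmits"] += 1
            t = re.search(r"timeout: ([\d.]+)s", msg)
            if t:
                s["timeouts"].append(float(t.group(1)))
        elif "RADIUS Access-Request timed out" in msg:
            s["outcome"] = "timeout"
            if s["sent"] is not None:
                s["elapsed_s"] = (ts - s["sent"]).total_seconds()
        elif "EAP_RADIUS method failed" in msg or "EAP/FAIL" in msg:
            if s["outcome"] == "pending":
                s["outcome"] = "eap_fail"
    return {"connections": per_conn, "ike_retransmits_ignored": ike_dupes}


def diagnose(summary):
    """Turn the summary into human-readable findings for the person debugging the VPN."""
    findings = []
    for conn, s in summary["connections"].items():
        if s["outcome"] == "timeout":
            budget = sum(s["timeouts"])
            findings.append(
                f"{conn}: charon gave up after {s['retransmits']} retransmits "
                f"({budget:.1f}s of per-attempt timeouts, {s['elapsed_s']:.0f}s wall clock); "
                f"any out-of-band approval must finish inside that window"
                + ("" if s["elapsed_s"] >= MFA_PUSH_BUDGET_S
                   else f", which is below the assumed {MFA_PUSH_BUDGET_S:.0f}s push budget")
            )
    if summary["ike_retransmits_ignored"]:
        findings.append(
            f"client IKE_AUTH retransmits dropped while blocked on RADIUS: "
            f"{summary['ike_retransmits_ignored']} (expected side effect, not a second fault)"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize_radius(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports that the whole RADIUS exchange for `con1|6` lasted 14 seconds across three retransmits before EAP/FAIL, and that the four "ignoring request with ID 2" lines are the Windows client re-sending IKE_AUTH while charon was still waiting, not an independent problem. The same script can be pointed at a copy of the IPsec log from Status > System Logs to compare the measured window against how long the push approval actually takes.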
EDIT: I decided to start a new topic here:
https://forum.pfsense.org/index.php?topic=128800.0
I decided to reply to this instead of starting a new topic since I'm having the same issue. Here are my logs:
Apr 10 10:31:17 charon 08[CFG] <con1|1> sending RADIUS Access-Request to server 'radius_ipsec_1'
Apr 10 10:31:18 charon 12[MGR] ignoring request with ID 2, already processing
Apr 10 10:31:19 charon 12[MGR] ignoring request with ID 2, already processing
Apr 10 10:31:22 charon 12[MGR] ignoring request with ID 2, already processing
Apr 10 10:31:30 charon 09[MGR] ignoring request with ID 2, already processing
Apr 10 10:31:32 charon 08[CFG] <con1|1> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Apr 10 10:31:35 charon 08[CFG] <con1|1> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Apr 10 10:31:39 charon 08[CFG] <con1|1> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Apr 10 10:31:44 charon 08[CFG] <con1|1> RADIUS Access-Request timed out after 4 attempts
Apr 10 10:31:44 charon 08[IKE] <con1|1> initiating EAP_RADIUS method failed
Apr 10 10:31:44 charon 08[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/FAIL ]
I noticed that this occurs when I have both OpenVPN and Mobile IPsec configured to use RADIUS. Even when one uses one RADIUS server and the other uses a second RADIUS server, it still causes this error. I get the same Windows message the above user gets:
"Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
I even tried using Local Database authentication on the OpenVPN server connection. It failed. The only way to get IPsec with RADIUS working is to disable the OpenVPN server. I can only assume that only one VPN configuration can use RADIUS at a time. Are there any workarounds to this?
-
I fixed my issue. Please see this thread below for my solution:
https://forum.pfsense.org/index.php?topic=128800.0
-
If you're still looking to get Azure MFA working with EAP-RADIUS: https://forum.pfsense.org/index.php?topic=145526.0
I've also found that you have to turn off accounting and only allow authentication in System -> User Manager -> Authentication Servers. Otherwise strongSwan starts lagging.
-
feature request created: https://redmine.pfsense.org/issues/11211