Netgate Discussion Forum

    IPSec IKEv2 with EAP-RADIUS VPN - Azure Multi-Factor-Authentication

    IPsec
    Stoy

      Hi All,

      Recently installed and testing pfSense and I am loving it after being an ISA Server / TMG Server veteran for over 10 years.

      I am having problems configuring my client VPN connection, I have followed the guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

      Then switched the authentication mode to RADIUS in this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS

      My RADIUS server has Microsoft's Multi-Factor Authentication Server (formerly Azure Authenticator) installed on it which basically sends a push notification to mobile clients. I have added the pfSense LAN IP address into the RADIUS Authentication Clients, then tested the authentication from pfSense > Diagnostics > Authentication. The push notification comes through instantly and succeeds authentication.

      However when I am trying to connect to the VPN from a remote location (Windows 10) using the same username and password, I am getting "Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

      Viewing the IPSec Firewall logs on pfSense I am receiving this error log:

      Dec 2 10:26:34 charon 14[ENC] <con1|6>generating IKE_AUTH response 2 [ EAP/FAIL ]
      Dec 2 10:26:34 charon 14[IKE] <con1|6>initiating EAP_RADIUS method failed
      Dec 2 10:26:34 charon 14[CFG] <con1|6>RADIUS Access-Request timed out after 4 attempts
      Dec 2 10:26:32 charon 09[MGR] ignoring request with ID 2, already processing
      Dec 2 10:26:28 charon 14[CFG] <con1|6>retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
      Dec 2 10:26:25 charon 09[MGR] ignoring request with ID 2, already processing
      Dec 2 10:26:25 charon 14[CFG] <con1|6>retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
      Dec 2 10:26:22 charon 14[CFG] <con1|6>retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
      Dec 2 10:26:22 charon 09[MGR] ignoring request with ID 2, already processing
      Dec 2 10:26:21 charon 09[MGR] ignoring request with ID 2, already processing
      Dec 2 10:26:20 charon 14[CFG] <con1|6>sending RADIUS Access-Request to server 'edge_radius'

      This indicated (to me at least…) that the RADIUS is for some reason timing out, when it works fine in Diagnostics > Authentication.

      Does anyone know how I can fix this? Help greatly appreciated.

      Kind Regards,
      Stoy

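As an added example (not part of any post in this thread): a small Python script that parses charon log lines of the shape quoted above and reports, per IKE SA, which RADIUS server was targeted, the retransmit schedule, how many seconds strongSwan waited before declaring the timeout, and how many times the client re-sent its IKE_AUTH message in the meantime. The sample lines are the first post's, put back into chronological order; the class and function names are my own, and the verdict labels are my interpretation of the messages, not strongSwan terminology.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: the charon (strongSwan) lines from the first post,
# reordered oldest-first. Real pfSense pastes may contain tabs or double
# spaces; parse_charon_log() normalises whitespace before matching.
SAMPLE_LOG = """\
Dec 2 10:26:20 charon 14[CFG] <con1|6> sending RADIUS Access-Request to server 'edge_radius'
Dec 2 10:26:21 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:22 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:22 charon 14[CFG] <con1|6> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Dec 2 10:26:25 charon 14[CFG] <con1|6> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Dec 2 10:26:25 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:28 charon 14[CFG] <con1|6> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Dec 2 10:26:32 charon 09[MGR] ignoring request with ID 2, already processing
Dec 2 10:26:34 charon 14[CFG] <con1|6> RADIUS Access-Request timed out after 4 attempts
Dec 2 10:26:34 charon 14[IKE] <con1|6> initiating EAP_RADIUS method failed
Dec 2 10:26:34 charon 14[ENC] <con1|6> generating IKE_AUTH response 2 [ EAP/FAIL ]
"""

# "<Mon D HH:MM:SS> charon <thread>[<group>] [<con|sa>] <message>"; the SA
# tag is absent on [MGR] lines and may or may not be followed by a space.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) charon "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?:<(?P<sa>[^>]+)> ?)?(?P<msg>.*)$"
)


@dataclass
class RadiusExchange:
    """Everything charon logged about one RADIUS Access-Request for one IKE SA."""
    sa: str
    server: str | None = None
    sent_at: datetime | None = None
    retransmits: list[float] = field(default_factory=list)  # per-retransmit timeout in seconds
    timed_out_at: datetime | None = None
    attempts: int | None = None
    eap_fail: bool = False

    @property
    def elapsed_seconds(self) -> float | None:
        """Seconds between the first Access-Request and the timeout, if both were seen."""
        if self.sent_at and self.timed_out_at:
            return (self.timed_out_at - self.sent_at).total_seconds()
        return None

    @property
    def verdict(self) -> str:
        # Labels are my own. A timeout means no RADIUS answer at all arrived in
        # the retransmit window, which is a different failure from a rejection.
        if self.timed_out_at is not None:
            return "RADIUS_TIMEOUT"
        if self.eap_fail:
            return "EAP_FAIL"
        return "INCOMPLETE"


def parse_charon_log(text: str) -> dict[str, RadiusExchange]:
    """Group RADIUS-related charon lines by IKE SA id (e.g. 'con1|6')."""
    exchanges: dict[str, RadiusExchange] = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse tabs/double spaces from pastes
        m = LINE_RE.match(line)
        if not m or not m.group("sa"):
            continue  # [MGR] lines carry no SA id; handled separately below
        ex = exchanges.setdefault(m.group("sa"), RadiusExchange(sa=m.group("sa")))
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        msg = m.group("msg")
        if (s := re.match(r"sending RADIUS Access-Request to server '([^']+)'", msg)):
            ex.server, ex.sent_at = s.group(1), ts
        elif (r := re.match(r"retransmit \d+ of RADIUS Access-Request \(timeout: ([\d.]+)s\)", msg)):
            ex.retransmits.append(float(r.group(1)))
        elif (t := re.match(r"RADIUS Access-Request timed out after (\d+) attempts", msg)):
            ex.timed_out_at, ex.attempts = ts, int(t.group(1))
        elif "EAP/FAIL" in msg:
            ex.eap_fail = True
    return exchanges


def count_client_retransmits(text: str) -> int:
    """Count [MGR] 'ignoring request ... already processing' lines: the IKE peer
    re-sending a message ID charon is still working on (my reading of the message)."""
    return sum(1 for l in text.splitlines()
               if "ignoring request with ID" in l and "already processing" in l)


def summarize(exchanges: dict[str, RadiusExchange]) -> list[str]:
    out = []
    for ex in exchanges.values():
        out.append(f"{ex.sa}: server={ex.server} verdict={ex.verdict} "
                   f"retransmit_timeouts={ex.retransmits} attempts={ex.attempts} "
                   f"elapsed={ex.elapsed_seconds}s")
    return out


if __name__ == "__main__":
    for line in summarize(parse_charon_log(SAMPLE_LOG)):
        print(line)
    print("client IKE retransmits while waiting:", count_client_retransmits(SAMPLE_LOG))
```

Run against the page's own timestamps, the script reports 14 seconds from the first Access-Request to the timeout, with four client retransmits in between. That window is the number to compare with how long the RADIUS server takes to return an answer when it is waiting on a push approval; the log itself shows the server never answered in time rather than rejecting the credentials, which the Windows "user name and password" message does not make obvious.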
      datdamnmachine

        EDIT:  I decided to start a new topic here:

        https://forum.pfsense.org/index.php?topic=128800.0

        I decided to reply to this instead of starting a new topic since I'm having the same issue.  Here are my logs:

        
        Apr 10 10:31:17	charon		08[CFG] <con1|1> sending RADIUS Access-Request to server 'radius_ipsec_1'
        Apr 10 10:31:18	charon		12[MGR] ignoring request with ID 2, already processing
        Apr 10 10:31:19	charon		12[MGR] ignoring request with ID 2, already processing
        Apr 10 10:31:22	charon		12[MGR] ignoring request with ID 2, already processing
        Apr 10 10:31:30	charon		09[MGR] ignoring request with ID 2, already processing
        Apr 10 10:31:32	charon		08[CFG] <con1|1> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
        Apr 10 10:31:35	charon		08[CFG] <con1|1> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
        Apr 10 10:31:39	charon		08[CFG] <con1|1> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
        Apr 10 10:31:44	charon		08[CFG] <con1|1> RADIUS Access-Request timed out after 4 attempts
        Apr 10 10:31:44	charon		08[IKE] <con1|1> initiating EAP_RADIUS method failed
        Apr 10 10:31:44	charon		08[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/FAIL 
        
        I noticed that this occurs when I have both OpenVPN and Mobile IPsec using radius configured.  Even when I have one utilizing one radius server and the other, the second radius server, it still causes this error.  I get the same Windows message the above user gets:
        
        "Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
        
        I even tried using Local Database authentication on the OpenVPN server connection.  It failed.  The only way to get IPsec with radius working is to disable the OpenVPN server.
        
        I can only assume that only one VPN configuration can use radius at a single time.  Are there any workarounds to this?
        
        datdamnmachine

          I fixed my issue.  Please see this thread below for my solution:

          https://forum.pfsense.org/index.php?topic=128800.0

          ltctech

            If you're still looking to get Azure MFA working with EAP-RADIUS: https://forum.pfsense.org/index.php?topic=145526.0

            I've also found that you have to turn off accounting and only allow authentication in System -> User Manager -> Authentication Servers. Otherwise strongSwan starts lagging.

            viktor_g (Netgate)

              feature request created: https://redmine.pfsense.org/issues/11211

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.