Windows 10 VPN Client / pfSense IPsec with EAP-RADIUS
I'm trying to configure a Mobile IPsec VPN for use with Windows 10 Clients. Initially I followed the guide here: https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
I was able to get the VPN working using a pre-shared key defined in the IPsec menu. I don't really like having to define pre-shared keys so I decided to try authenticating users against my AD Server using NPS (Windows Server 2016).
I setup the authentication server in pfSense and I'm able to successfully authenticate using a Domain User Name and Password in the authentication diagnostics. I'm having trouble figuring out the right way to configure pfSense to work nicely with the built-in VPN client in Windows 10.
At first I tried to continue using MS-CHAPv2, however I've now realized that this only works when using a pre-shared key. Based on what I've read it seems EAP-RADIUS would be the correct mode, unfortunately it appears that the Windows 10 VPN client does not support this mode.
Any suggestions on other clients or ways to get the VPN to play nicely with the built-in Windows 10 client?
EAP-RADIUS is just EAP-MSCHAPv2 with RADIUS on the backend. If it doesn't work, the most likely problem is that our NPS config is not setup to allow EAP properly.
See https://www.netgate.com/docs/pfsense/book/thirdparty/radius-authentication-with-windows-server.html#adding-a-network-policy for something to check against