VPN IPSec/IKEV2 + Active Directory Auth + 2FA
Hi guys,
We were able to make two-factor authentication work with IPSec/IKEV2 VPN on PfSense via the Azure NPS extension sending the notification to the Microsoft Authenticator on the users' smartphones: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Basic scheme:
Client -> PfSense VPN IPSec/IKEV2 -> MS Radius NPS -> AD -> 2FA Azure NPS extension -> MS Authenticator (user's cell phone)
The few changes in PfSense basically refer to increasing the timeout in the "Mobile Clients" settings. Everything else is configured in Radius NPS and the Azure console.
Unfortunately, the organization found the licensing costs of Azure MFA too high for hundreds of mobile users.
So I would like to know if anyone has integrated MFA into their authentication infrastructure in a similar way, with low impact, but more affordable cloud 2FA service licensing costs.
Thank you.