Netgate Discussion Forum

    Ipsec 2FA

    4 Posts 2 Posters 451 Views
    • J
      jeffsmith82

      I'm trying to work out if it is possible to configure IPSec to use some form of 2FA.

      I keep coming across this guide https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa but this only works for OpenVPN. I have configured FreeRADIUS so it authenticates the users created there, and it works perfectly with Google Authenticator in the Diagnostics / Authentication checker page.

      I have tried setting up IPSec so it uses EAP-RADIUS as the authentication method but it fails authentication. Am I just out of luck here or is there a way to make this work?

      Is there any other way of getting 2FA on IPSec?

      • keyserK
        keyser Rebel Alliance @jeffsmith82

        @jeffsmith82 I don’t think you can do OTP generally with IPsec, as that requires second-channel auth in both whatever Mobile IPsec client you are using and integration in pfSense IPsec. I think pfSense IPsec has some provisions for it, but I never read about anyone configuring and using it.

        I do lots of 2FA with pfSense Mobile IPsec, but that's using Microsoft's Azure MFA plugin for a Microsoft RADIUS server that authenticates the mobile users (requiring an “approve” in the Microsoft Authenticator app by users before RADIUS says “approved” to pfSense).

        Love the no fuss of using the official appliances :-)

        • J
          jeffsmith82 @keyser

          @keyser Is there a guide to set that up? Sounds like the sort of thing I'm after.

          • keyserK
            keyser Rebel Alliance @jeffsmith82

            @jeffsmith82 It requires nothing special. You just set up Mobile IPsec in pfSense per any available guide, with authentication using RADIUS.
            On the RADIUS server you install the Azure MFA plugin and register that for MFA authentication in the wanted Azure AD tenant. The two things work completely independently of each other - the trick is that RADIUS will only complete the authentication when the user has approved in their authenticator app.
            The only “non-standard” setup in pfSense is that you will need to configure the Mobile RADIUS auth part with a long timeout, as it usually takes a little while for users to get the notification and log in/approve on their phone.

            Love the no fuss of using the official appliances :-)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.