    IPsec VPN with Active Directory RADIUS/NPS and 2FA

    • C
      codechurn
      last edited by

      I've configured an IPSec VPN as documented here. After some help from the community, I was able to make the configuration work with a standard Windows 11 client.

      I've now set down the path of trying to see if I can incorporate 2FA using the NPS extension. I've followed the directions at on how to integrate Network Policy Server (NPS) with Microsoft Entra multifactor authentication.

      After installing the NPS extension, I can no longer successfully authenticate against NPS from the Diagnostics/Authentication page with RADIUS. Looking at the logs on the firewall I see:

      [screenshot: firewall log]

      I however never get the Authenticator prompt to approve my sign-on in the app. Looking at the logs on the NPS Server I see:

      [screenshot: NPS server log]

      If I disable the NPS Extension, RADIUS sign in (and subsequently the VPN session) works fine. I can confirm that 2FA via the authenticator app is working without issue by attempting to sign into portal.azure.com as that account and going through the MFA process.

      Any thoughts on where to look or what to look at?

      • keyserK
        keyser Rebel Alliance @codechurn
        last edited by

        @codechurn You need to configure the radius timeout in pfSense in two places actually:

        1: Under SYSTEM -> USER MANAGER -> Authentication Servers: You need to fill out the empty “authentication timeout” to fx. 60sec to allow the pfSense system connection to wait for the user to approve the two-factor login.

        2: You also need to configure the IPSec VPN component to wait for a radius answer. This is done under VPN -> IPSEC -> Mobile Client -> “Advanced Radius parameters” which you basically just need to tick and setup for fx a 60sec timeout and one retry (instead of 4)

        Your failure happens because of the very quick default radius timeout (a couple of secs) pfSense has if this is not configured.

        Love the no fuss of using the official appliances :-)

        • C
          codechurn @keyser
          last edited by

          @keyser

          I bumped up the Authentication Timeout for Radius
          [screenshot: pfSense authentication server settings]

          However, when I attempt to test RADIUS authentication via the Diagnostics | Authentication menu it still fails. I am assuming this should work and I should get a 2FA push notification on my Authenticator app.

          [screenshots: Diagnostics | Authentication test result]

          Why is there no error in the above message?

          Looking at the logs on the NPS server I see:

          [screenshots: NPS server log entries]

          I feel like I am missing something here.

          • C
            codechurn @codechurn
            last edited by

            I found the missing link!

            On the NPS server, I had to set the following registry entry:

            Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMf
            Create the following String/Value pair:
            Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
            Value: FALSE

            Then I had to restart the Network Policy Service and BINGO! I got the approve sign-in notification on my phone when I tested the RADIUS logon. Because I had number matching turned on in my tenant, the extension was falling back to TOTP which obviously won't work with MSCHAPv2.

            See this link:
            https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match#nps-extension
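The registry change and service restart from the post above, as an added PowerShell example that is not part of the thread and not Microsoft's or Netgate's code. It assumes the extension's key is HKLM:\SOFTWARE\Microsoft\AzureMfa (the post shows the name cut off as "AzureMf") and that the Network Policy Server runs as the Windows service named IAS; it refuses to create the key if the extension is not installed and verifies the value after the restart.

```powershell
#Requires -RunAsAdministrator
# Added example: force the NPS extension back to push approval instead of OTP
# (number matching falls back to TOTP, which cannot work over MSCHAPv2).
# Assumption: the extension's key is HKLM:\SOFTWARE\Microsoft\AzureMfa.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'
$Wanted    = 'FALSE'          # REG_SZ text value, compared as a string by the extension
$Service   = 'IAS'            # service name behind "Network Policy Server"

# The installer creates the key; do not create a stray key on a server without the extension.
if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key $KeyPath not found. Is the NPS extension installed on this server?"
}

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Host ("Current {0}: {1}" -f $ValueName, $(if ($null -eq $current) { '<not set>' } else { $current }))

if ($current -ne $Wanted) {
    # -Type String writes a REG_SZ; the extension reads the value only at service start,
    # so a restart of NPS is required for the change to take effect.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Wanted -Type String
    Restart-Service -Name $Service -Force
    Write-Host "Set $ValueName=$Wanted and restarted $Service."
} else {
    Write-Host "$ValueName already set to $Wanted; nothing to do."
}

# Verify the end state before testing RADIUS from pfSense again.
$after  = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
$status = (Get-Service -Name $Service).Status
if ($after -ne $Wanted -or $status -ne 'Running') {
    throw "Verification failed: $ValueName=$after, $Service status=$status"
}
Write-Host "OK: $ValueName=$after, $Service is $status. Re-run Diagnostics > Authentication on pfSense."
```

After the script reports OK, the pfSense RADIUS test should trigger an approve/deny push, provided the authentication timeout from the earlier reply has been raised so pfSense waits for the approval.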
