Netgate Discussion Forum
    IKEv2 Mobile Client VPN - Authorised devices only

    Category: IPsec
    bradsm87:

      I've got an environment where I'm using IKEv2 Mobile Clients with EAP-RADIUS with a local AD server and a Duo proxy for an MFA prompt. It's excellent. I use ACME certificates to auto-renew and it just works.

      We have a new requirement where the VPN must be locked down to approved client devices only. Is there a way I can implement this in pfSense? I understand that client certificates may be an option but I just don't fully understand it and how I wouldn't lose my existing username and password prompt and RADIUS integration.

    keyser (Rebel Alliance), replying to bradsm87:

        @bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operating system (Windows, macOS, Linux, Android and iOS)?

        Locking those down to approved clients only requires a change from EAP-RADIUS (MSCHAPv2) to EAP-TLS, which is client-certificate-based authentication, as far as I know. pfSense IKEv2 and the OS built-in clients do not support combining multiple authentication models concurrently, e.g. MSCHAPv2 (username/password) and TLS or PSK (certificate or pre-shared key auth).
        So the only way to “preapprove” clients is by changing the authentication model to EAP-TLS and using enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN.
        Usually this is done using an MDM, e.g. Microsoft Intune.

        Alternatively you could look into using OpenVPN instead, as that does support multiple authentication models concurrently, e.g. clients need a pre-shared key or certificate plus being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN client.

        Love the no fuss of using the official appliances :-)

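The EAP-TLS approach keyser describes comes down to one property: the VPN server trusts exactly one CA, and a client is "approved" only if it holds a certificate issued by that CA. The script below is an added example, not code from the thread or from pfSense, that builds such a CA with the openssl CLI, enrols a device, and then runs the three checks a server makes on a presented certificate: the chain must end at our CA, the extended key usage must allow client authentication, and the cert must not be on the CRL. It also shows the caveat that comes with the design: a lost laptop keeps its access until its certificate is revoked and the server has the new CRL. The CA names (vpn-ca, rogue-ca), device names (laptop-01, web-01, laptop-99), subjects, paths and the 30-day CRL lifetime are assumptions for the demonstration. pfSense's Certificate Manager performs the equivalent steps (create CA, create user certificate, create and update CRL) in the GUI; the CLI is used here so that every step and every verdict is visible.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA for EAP-TLS
# enrolment, driven with the openssl CLI, plus the checks a VPN server
# performs on a presented client certificate. Names, subjects and
# directories below are assumptions made for the demonstration.
set -eu

# new_ca PARENT NAME: self-signed CA in PARENT/NAME, with the index and
# counter files that `openssl ca` needs later for revocation and CRLs.
new_ca() {
  d="$1/$2"
  mkdir -p "$d"
  : > "$d/index.txt"
  echo 01 > "$d/crlnumber"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$d/ca.csr" -signkey "$d/ca.key" \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database = $d/index.txt
new_certs_dir = $d
certificate = $d/ca.crt
private_key = $d/ca.key
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# issue_client CADIR NAME [EKU]: key and CSR as generated on the device,
# signed by CADIR's CA. EKU defaults to clientAuth, which is what the VPN
# server requires; strongSwan matches the client's IKE identity against
# the subject DN or a subjectAltName, so one SAN is set here (assumed name).
issue_client() {
  d="$1"; n="$2"; eku="${3:-clientAuth}"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$n" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
    "$eku" "$n" > "$d/$n.ext"
  openssl x509 -req -sha256 -days 365 -in "$d/$n.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/$n.ext" -out "$d/$n.crt" 2>/dev/null
}

# verify_client CADIR CERT: the server-side decision. The chain must end
# at CADIR's CA (no other issuer is trusted), the EKU must permit client
# authentication, and, once a CRL has been published, the cert must not
# be on it. Returns openssl's verdict as the exit status (0 = accept).
verify_client() {
  d="$1"; c="$2"
  if [ -s "$d/crl.pem" ]; then
    openssl verify -purpose sslclient -crl_check -CAfile "$d/ca.crt" \
      -CRLfile "$d/crl.pem" "$c" >/dev/null 2>&1
  else
    openssl verify -purpose sslclient -CAfile "$d/ca.crt" "$c" >/dev/null 2>&1
  fi
}

# revoke_client CADIR CERT: mark the cert revoked in the CA's index and
# publish a fresh CRL. Until the VPN server has this CRL, the lost or
# decommissioned device can still connect.
revoke_client() {
  d="$1"; c="$2"
  openssl ca -config "$d/ca.cnf" -revoke "$c" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# report CADIR CERT: human-readable verdict for the demo run.
report() {
  if verify_client "$1" "$2"; then echo "ACCEPT $(basename "$2")"; else echo "REJECT $(basename "$2")"; fi
}

# Walk through the scenario: our CA, a rogue CA using the same naming,
# an enrolled laptop, a server cert presented as a client identity, a
# cert from the rogue CA, and finally the enrolled laptop after it is lost.
demo() {
  t="$(mktemp -d)"
  new_ca "$t" vpn-ca
  new_ca "$t" rogue-ca
  issue_client "$t/vpn-ca"   laptop-01
  issue_client "$t/vpn-ca"   web-01 serverAuth
  issue_client "$t/rogue-ca" laptop-99
  report "$t/vpn-ca" "$t/vpn-ca/laptop-01.crt"    # ACCEPT laptop-01.crt
  report "$t/vpn-ca" "$t/vpn-ca/web-01.crt"       # REJECT: EKU is serverAuth only
  report "$t/vpn-ca" "$t/rogue-ca/laptop-99.crt"  # REJECT: not issued by vpn-ca
  revoke_client "$t/vpn-ca" "$t/vpn-ca/laptop-01.crt"
  report "$t/vpn-ca" "$t/vpn-ca/laptop-01.crt"    # REJECT laptop-01.crt: on the CRL
  rm -rf "$t"
}

demo
```

The rogue-ca case is the point of the whole exercise: a valid username and password (or even a certificate from some other CA with an identical subject) gets nowhere, because the only thing the server checks is the signature chain to its one configured CA. The last case is the operational caveat: enrolment is only half the job, and a revocation process, plus a way to get the CRL to the VPN server, is what actually removes a device's access later.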
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.