Azure Multi-Factor Authentication Server with OpenVPN brief How-To
I have been having issues with a third party's installation of Azure Multi-Factor Authentication Server working with OpenVPN on pfsense. Since there wasn't a guide out there for configuring pfsense to work with Azure MFA, I figured I'd post "how I got it to work".
-I have never worked with Azure before, so I started by signing up for a free trial. Warning: if you intend to do the same, they do require you to enter a method of payment.
-Also, I'm going to assume that you do NOT have a Multi-Factor Auth Provider already configured in Azure, and I am also assuming you are going to use an Active Directory NOT in the Azure cloud.
-When I installed the service onto a local server, I did so as a Domain Admin; I do not know if that level of authorization is required, but I suspect it is.
-It should go without saying that whatever local server you connect this to will need access to the Internet - I didn't open anything special, I believe the internet connectivity is over TCP 443.
-This is only intended to get dial-up to the end user working. Azure Multi-Factor has a user portal for signing people up, plus it can be backed by RADIUS, LDAP, or AD. My suggestion is to start here and layer on additional settings and security that help YOU sleep well at night.
Once I was logged in, I followed the instructions in this video: http://azure.microsoft.com/en-us/documentation/videos/multi-factor-authentication-server/
Those instructions amount to:
1. Log into the Azure management portal by going to http://azure.microsoft.com/ and clicking on the Portal link.
2. Once logged in, on the left hand side of the screen scroll down to and click Active Directory, then click on Multi-Factor Auth Providers in the right pane.
3. Click the +NEW button to add a new provider. You should see "Multi-Factor Auth Provider" somewhere to the right, and once you mouse over or click that, you can then click the "Quick Create".
4. Give the service a descriptive name, choose a billing model (that's up to you, don't know what to suggest), and set the Directory field to "Do not link a directory" then click "Create."
5. You should now see your new MFA server in your list; if you click on it you should now be able to click the "Manage" button at the bottom center of the window.
6. Once you are in the Manage interface, click "Download".
7. In the download area, click the "Generate Activation Credentials" button and record the credentials it shows you.
8. Now click "Download" to download the server software installation package. Preferably to the server you want to install the MFA service on :)
At this point, you have to have a Windows box to install this on - I'm not going to go through a build for that. I loaded mine on a Server 2012 R2 install, and there was one BIG caveat that almost caught me out. The MFA server requires .NET version 2.something. By default, Server 2012 R2 only has version 4.5.x ENABLED. In order to get access to .NET 2.x, you need to go through the "Add Roles and Features" setup in Server Manager and enable .NET 3.5. You cannot install it from the web on Server 2012 R2! YMMV on other Windows OSes.
9. Once you have .net 3.5 installed on the server, install the executable you downloaded from Azure.
10. Skip the wizard it offers and go directly to Activation.
11. Enter the credentials you generated on the Azure site and click Activate.
12. You will be asked to run another wizard - unless you are configuring more than one MFA server, just cancel this wizard.
13. At this point, the management console for the MFA server should launch.
I configured the server to read Active Directory. There is an automatic "sync to Active Directory" I did not get working, so I imported the users "manually", which is still pretty automated.
First the directory:
14. Click Directory Integration, then select the "Use Active Directory" radio button, and check "include trusted domains" if you think you need it.
Now the users:
15. Click Users, then click the "Import from Active Directory" button.
16. In the "List" tab you can choose to view the directory either by Container Hierarchy or by Security Groups. I chose security groups and grabbed the group I wanted to be able to use OpenVPN with two-factor.
17. **VERY IMPORTANT!** If your users don't have phone numbers in their AD profiles, after importing them you either need to edit the names you see here and add phone numbers, or you need to configure the user portal. I did not configure the user portal since I only had 3 users. I just entered the missing phone numbers.
Now to tell it to accept connections from pfsense via RADIUS.
18. Once you have your users, close the user dialogue and click on the RADIUS Authentication icon.
19. Tick the "Enable RADIUS Authentication" checkbox, then on the Client tab click "Add".
20. Fill in the IP address of your pfsense box and the ports you are going to use - probably 1812 for Authentication and 1813 for Accounting. Give it a name, a strong shared secret (remember this for the pfsense config) and tick the "Require Multi-Factor User Authentication to match" box. Click OK.
If you use anything other than the ports offered and you have Windows Firewall on (and you SHOULD have it on), you will need to create a Windows Firewall rule to allow inbound traffic to that port.
At this point, you should be able to go to your pfsense box and, under System->User Manager->Servers, add a server, give it a name, set type to RADIUS, put in the IP address of the server you just installed the MFA on, enter the shared secret and the ports you entered on the server, enter an authentication timeout of about 60 seconds, and save it.
You can test auth by going to Diagnostics->Authentication, picking the RADIUS server you just created, putting in a valid AD username that you imported into the MFA server, putting in their password, and clicking Test. The user should then get a phone call telling them to hit # to authenticate; as soon as they do you should see the auth succeed on the pfsense box.
Once you have tested that, you can use the OpenVPN wizard to create a VPN instance that uses the RADIUS server to auth users, and two-factor should work for those users.