List: freeradius-users
Subject: Re: [EXT] Re: IKEv2 VPN clients and 2FA
From: Brian Julin <BJulin () clarku ! edu>
Date: 2022-11-14 14:43:11
Message-ID: BL0PR03MB3988F72DF3951DA473358E18B4059 () BL0PR03MB3988 ! namprd03 ! prod ! outlook ! com
One possible path to consider is NOT doing 2FA during the RADIUS authentication, but afterwards.

Instead, launch the 2FA query during RADIUS authentication, and bring up the IPSec tunnel but filter all packets with iptables. Then when the 2FA is approved, alter the iptables rules to allow access.

The use of accounting packets between strongswan and FreeRADIUS, and ipsets, makes this a fairly simple matter of scripting. However, it will be more difficult, if not impossible, if your 2FA provider does not have a robust way to do authentications over a simple interface like REST, rather than the rather insane common practice of inserting the 2FA provider in your RADIUS proxy chain. Duo for example actually has such an interface, made for simple non-OAUTH applications, which allows you to check on the status of an in-flight 2FA request as well as tune timeouts and messages to the authenticator app. Microsoft, not at all; they discontinued support for anything like that.

Throwing 2FA with its own set of timeouts and protocol failure points into the fray of establishing an IPSec-RA connection is IMO just asking for a claptrap of hard-to-diagnose problems.

________________________________________
From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org> on behalf of Markus Winkler <ml@irmawi.de>
Sent: Sunday, November 13, 2022 1:43 PM
To: freeradius-users@lists.freeradius.org
Subject: [EXT] Re: IKEv2 VPN clients and 2FA
Hi Alan,
On 13.11.22 19:16, Alan DeKok wrote:
> Even if it did, you're using winbind && AD. FreeRADIUS is just passing the MS-CHAPv2 blobs to AD, which is returning pass / fail. There's no way to add an extra 2FA step into that process.
that's a pity, but I was already afraid that it will not work. I must admit
that after reading so much about all kinds of combinations, in the
end I was quite confused. And therefore my question here. So now I know for
sure I have to look for another solution.
Thank you very much for your quick answer and clarification. :)
Best regards,
Markus
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
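The post-authentication gating Brian sketches above, written out as an added example (this is not code from the thread, from strongSwan or from FreeRADIUS). The model: RADIUS authentication succeeds right away, the tunnel comes up, and the Accounting-Start that strongSwan sends to FreeRADIUS hands the session to a small gate that keeps the client's Framed-IP-Address dropped by iptables until the 2FA provider reports approval, then adds it to an ipset that the DROP rule exempts; Accounting-Stop revokes it. How the gate is invoked from FreeRADIUS (e.g. from the accounting section) is not shown, the set names, the `FORWARD`/`--pol ipsec` rule and the provider's `start`/`poll` callables with their "waiting"/"allow"/"deny" answers are assumptions standing in for a real REST client, and the firewall commands are built as argv lists and handed to a runner so the logic can be exercised without root.

```python
# Added example, not from the thread: a post-authentication 2FA gate driven by
# RADIUS accounting, with iptables + ipset doing the actual filtering.
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PENDING_SET = "vpn_2fa_pending"   # placeholder set names (assumption)
ALLOWED_SET = "vpn_2fa_allowed"


def firewall_bootstrap() -> List[List[str]]:
    """Commands creating the two sets and the one gating rule.

    Assumes the traffic to gate is forwarded, IPsec-decapsulated traffic;
    adjust chain and match for your topology."""
    return [
        ["ipset", "-exist", "create", PENDING_SET, "hash:ip"],
        ["ipset", "-exist", "create", ALLOWED_SET, "hash:ip"],
        ["iptables", "-I", "FORWARD", "-m", "policy", "--dir", "in", "--pol", "ipsec",
         "-m", "set", "!", "--match-set", ALLOWED_SET, "src", "-j", "DROP"],
    ]


@dataclass
class Session:
    acct_session_id: str
    user: str
    framed_ip: str
    started: float
    request_id: str          # the 2FA provider's id for the in-flight request
    state: str = "pending"   # pending -> allowed | denied | closed


class TwoFaGate:
    def __init__(self, runner: Callable[[List[str]], None],
                 start_2fa: Callable[[str], str],
                 poll_2fa: Callable[[str], str],
                 timeout: float = 90.0,
                 now: Callable[[], float] = time.time):
        self.runner = runner        # executes one argv list
        self.start_2fa = start_2fa  # user -> request id (a REST call in real life)
        self.poll_2fa = poll_2fa    # request id -> "waiting" | "allow" | "deny"
        self.timeout = timeout      # seconds before a pending request is given up on
        self.now = now
        self.sessions: Dict[str, Session] = {}
        self.by_ip: Dict[str, str] = {}   # framed_ip -> acct_session_id

    def _ipset(self, op: str, setname: str, ip: str) -> None:
        self.runner(["ipset", "-exist", op, setname, ip])

    def acct_start(self, acct_session_id: str, user: str, framed_ip: str) -> None:
        """Accounting-Start: tunnel is up; launch 2FA, keep the address filtered."""
        stale = self.by_ip.get(framed_ip)
        if stale is not None and stale != acct_session_id:
            # Address pool reuse: an old approval must never leak to a new tunnel.
            self.acct_stop(stale)
        sess = Session(acct_session_id, user, framed_ip, self.now(), self.start_2fa(user))
        self.sessions[acct_session_id] = sess
        self.by_ip[framed_ip] = acct_session_id
        self._ipset("add", PENDING_SET, framed_ip)

    def acct_stop(self, acct_session_id: str) -> None:
        """Accounting-Stop: tunnel is gone; revoke whatever state the address had."""
        sess = self.sessions.get(acct_session_id)
        if sess is None or sess.state == "closed":
            return
        self._ipset("del", PENDING_SET, sess.framed_ip)
        self._ipset("del", ALLOWED_SET, sess.framed_ip)
        sess.state = "closed"
        if self.by_ip.get(sess.framed_ip) == acct_session_id:
            del self.by_ip[sess.framed_ip]

    def tick(self) -> List[Tuple[str, str]]:
        """Poll in-flight requests; returns (session id, new state) transitions."""
        changes = []
        for sess in self.sessions.values():
            if sess.state != "pending":
                continue
            status = self.poll_2fa(sess.request_id)
            if status == "allow":
                self._ipset("del", PENDING_SET, sess.framed_ip)
                self._ipset("add", ALLOWED_SET, sess.framed_ip)
                sess.state = "allowed"
            elif status == "deny" or self.now() - sess.started > self.timeout:
                # Denied or timed out: the address stays filtered and is never
                # promoted; tearing the tunnel down is left to the operator.
                self._ipset("del", PENDING_SET, sess.framed_ip)
                sess.state = "denied"
            else:
                continue
            changes.append((sess.acct_session_id, sess.state))
        return changes


def run_argv(argv: List[str]) -> None:
    """Runner for real use: execute the command and fail loudly on error."""
    subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Offline demo with a constructed fake provider; commands are printed, not run.
    answers: Dict[str, str] = {}
    gate = TwoFaGate(runner=lambda a: print(" ".join(a)),
                     start_2fa=lambda user: "req-" + user,
                     poll_2fa=lambda rid: answers.get(rid, "waiting"))
    for cmd in firewall_bootstrap():
        print(" ".join(cmd))
    gate.acct_start("s1", "alice", "10.8.0.10")   # constructed session
    answers["req-alice"] = "allow"
    print(gate.tick())
    gate.acct_stop("s1")
```

The two details worth keeping when adapting this are the ones that bite in production: the gate tracks sessions by Accounting-Session-Id and keys the firewall state on the address, so a Framed-IP-Address handed out again by the pool revokes the previous session before the new one starts, and a provider timeout leaves the address in the filtered state rather than failing open.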