On 29.06.21 16:11, Mike Hill wrote:
> Hi,
>
> We use JumpCloud as our directory (as-a-service), which also gives us a RADIUS server to authenticate against. We have this working fine (without the MFA) for user authentication against JumpCloud's RADIUS using the built-in macOS VPN client (IKEv2), but having trouble when enabling MFA on JumpCloud's side.
>
> Their documentation states that MSCHAPv2 is not supported for MFA-enabled VPN connections, and they recommend EAP-TTLS/PAP. When connecting, it should be a case of entering username and password with TOTP separated by a comma e.g. MyB@dPa33word,1203456.
>
> When attempting to connect, /var/log/syslog shows:
>
> Jun 25 17:23:29 talon-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
> Jun 25 17:23:29 vpn-swan charon: 07[CFG] RADIUS server 'eu1.radius.jumpcloud.com' is candidate: 210
> Jun 25 17:23:29 talon-swan charon: 07[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)
> Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> Jun 25 17:23:29 vpn-swan charon: 07[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (83 bytes)
> Jun 25 17:23:29 vpn-swan charon: 08[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (72 bytes)
> Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> Jun 25 17:23:29 vpn-swan charon: 08[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Jun 25 17:23:29 vpn-swan charon: 08[NET] sending packet: from 10.118.128.63[4500] to 86.2.169.107[4500] (104 bytes)
> Jun 25 17:23:29 vpn-swan charon: 10[NET] received packet: from 86.2.169.107[4500] to 10.118.128.63[4500] (136 bytes)
> Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Jun 25 17:23:29 vpn-swan charon: 10[CFG] sending RADIUS Access-Request to server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:30 vpn-swan charon: 09[MGR] ignoring request with ID 4, already processing
> Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:30 vpn-swan charon: 10[IKE] RADIUS authentication of 'test.user' failed
> Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for peer 192.168.1.235
> Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]
>
> On JumpCloud's side, we have the error:
>
> mfa: multifactor authentication required; not supported for PEAP/MS-CHAP
>
> We have rightauth set to eap-radius, but I'm yet to find a way of changing the EAP method. Does anyone have strongSwan + MFA working for macOS clients or can anyone point me in the right direction, please?
>
> References:
>
> https://support.jumpcloud.com/support/s/article/Logging-in-to-RADIUS-with-TOTP-MFA
>
> https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47
>
> Many thanks,
>
> Mike
Hi,

if you want to set up your own RADIUS server, I'd recommend FreeRADIUS. For OTP setup see: https://wiki.freeradius.org/guide/multiOTP-HOWTO

Kind regards,

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
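An added triage script, not from either poster, that reconstructs the EAP negotiation from charon log lines like those quoted above (which method eap-radius relayed, which one the client NAKed, how it ended). The sample log is constructed from the quoted lines with the mail wrapping undone, and the finding codes are my own naming.

```python
import re

# Constructed sample: charon lines from the thread, with the mail wrapping undone.
SAMPLE_LOG = """\
Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)
Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from server 'eu1.radius.jumpcloud.com'
Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for peer 192.168.1.235
Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/FAIL ]
"""

LINE_RE = re.compile(r"charon: \d+\[\w+\] (.*)$")

def summarize_eap_negotiation(text):
    """Reconstruct the EAP negotiation: identity, methods offered to the client
    (EAP/REQ/<method>, in order), offers the client NAKed, and the outcome."""
    s = {"identity": None, "offered": [], "nak": [], "peer": None,
         "failed_method": None, "outcome": "incomplete"}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if (x := re.search(r"received EAP identity '([^']+)'", msg)):
            s["identity"] = x.group(1)
        elif (x := re.search(r"\[ EAP/REQ/(\w+) \]", msg)):
            s["offered"].append(x.group(1))
        elif "EAP/RES/NAK" in msg and s["offered"]:
            s["nak"].append(s["offered"][-1])  # client refused the last offer
        elif (x := re.search(r"EAP method (\w+) failed for peer ([\d.]+)", msg)):
            s["failed_method"], s["peer"] = x.group(1), x.group(2)
        elif "Access-Reject" in msg or "[ EAP/FAIL ]" in msg:
            s["outcome"] = "rejected"
        elif "[ EAP/SUCC ]" in msg:
            s["outcome"] = "success"
    return s

def findings(summary):
    """Short triage codes (my own naming) derived from the summary."""
    out = [f"client_refused:{m}" for m in summary["nak"]]
    if summary["outcome"] == "rejected" and summary["offered"]:
        out.append(f"server_rejected:{summary['offered'][-1]}")
    if "TTLS" not in summary["offered"]:
        out.append("no_ttls_offered")  # the method JumpCloud documents for MFA
    return out
```

Run `findings(summarize_eap_negotiation(SAMPLE_LOG))` to see that the client refused MD5, the RADIUS server rejected MSCHAPv2, and EAP-TTLS was never relayed.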