Hello.
I need advice or a recommendation on whether the following scheme can be implemented:
The user connects to the VPN and uses SMS as the second factor.
I set up PI, FreeRADIUS and an OpenVPN server.
When connecting to the VPN, a request is sent through RADIUS to the PI, the PI sends an SMS, but the following error occurs on the VPN:
Tue May 2 17:41:59 2023 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
Tue May 2 17:42:03 2023 RADIUS-PLUGIN: Get ACCESS_REJECT or ACCESS_CHALLENGE-Packet.->ACCESS-DENIED.
Tue May 2 17:42:03 2023 Error: RADIUS-PLUGIN: BACKGROUND AUTH: Auth failed!.
Tue May 2 17:42:03 2023 RADIUS-PLUGIN: FOREGROUND THREAD: Error receiving auth confirmation from background process.
2023-05-02 17:42:03 10.244.60.216:54332 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-05-02 17:42:03 10.244.60.216:54332 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/radiusplugin.so
2023-05-02 17:42:03 10.244.60.216:54332 TLS Auth Error: Auth Username/Password verification failed for peer
As I understand it, the issue is in the plugin between FreeRADIUS and OpenVPN, which does not know how to handle ACCESS_CHALLENGE.
This plugin has not been updated for a long time and no update is planned, so I cannot ask there.
Hence the question: has someone implemented the VPN + SMS 2FA scheme?
It does not have to be OpenVPN or RADIUS. I would like to give the user the simplest possible way to connect to the VPN.
That is, he logs in with his AD login and password, receives an SMS and enters the code in a window that opens in the client.
As I understand it, the OpenVPN client can open an additional window for entering an SMS code, which is why I chose this scheme from the very beginning.
Is this possible?
Maybe someone has implemented this and can share their experience?
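Added example, not part of the post above and not code from the radiusplugin or OpenVPN projects. The "additional window" the poster mentions is OpenVPN's challenge/response support: the client either asks for the code up front (`static-challenge "Enter SMS code" 1` in the client config, password arrives as `SCRV1:<base64 password>:<base64 code>`) or is told to ask after a first attempt (server returns `AUTH_FAILED,CRV1:<flags>:<state_id>:<base64 user>:<text>`, client retries with password `CRV1::<state_id>::<code>`). Both encodings are documented in OpenVPN's doc/management-notes.txt. The script below decodes them the way an `auth-user-pass-verify` script would, so the password and OTP can be checked as a single RADIUS Access-Request instead of relying on the plugin to follow an Access-Challenge. `DemoBackend` is a constructed in-memory stand-in for the RADIUS/PI backend; how the CRV1 reason string is handed back to OpenVPN (file named by an environment variable, management interface, plugin) depends on your server version and is left out here as an assumption the deployment must fill in.

```python
import base64
import secrets

# Password formats OpenVPN hands to auth-user-pass-verify (doc/management-notes.txt):
#   static  : SCRV1:<b64 password>:<b64 response>     (client had static-challenge)
#   dynamic : CRV1::<state_id>::<response>            (reply to a CRV1 challenge)
#   plain   : <password>                              (no challenge involved)


def parse_client_password(raw):
    """Return (kind, password, otp, state_id) for a raw OpenVPN password field."""
    if raw.startswith("SCRV1:"):
        parts = raw.split(":")
        if len(parts) != 3:
            raise ValueError("malformed SCRV1 password")
        password = base64.b64decode(parts[1]).decode()
        otp = base64.b64decode(parts[2]).decode()
        return "static", password, otp, None
    if raw.startswith("CRV1:"):
        # maxsplit keeps any ':' inside the response text intact
        parts = raw.split(":", 4)
        if len(parts) != 5:
            raise ValueError("malformed CRV1 response")
        return "dynamic", None, parts[4], parts[2]
    return "plain", raw, None, None


def build_dynamic_challenge(username, challenge_text, state_id=None, echo=False):
    """Build the CRV1 reason the server sends (after 'AUTH_FAILED,') to start a challenge.

    Flags: R = a response is required, E = echo what the user types.
    """
    if state_id is None:
        state_id = secrets.token_hex(8)
    flags = "R,E" if echo else "R"
    user_b64 = base64.b64encode(username.encode()).decode()
    return f"CRV1:{flags}:{state_id}:{user_b64}:{challenge_text}", state_id


class DemoBackend:
    """Constructed stand-in for FreeRADIUS/PI: fixed passwords and SMS codes."""

    def __init__(self, passwords, sms_codes):
        self.passwords = passwords
        self.sms_codes = sms_codes
        self.sent = []  # who an SMS was "sent" to

    def check_password(self, user, password):
        return self.passwords.get(user) == password

    def send_sms(self, user):
        self.sent.append(user)

    def check_otp(self, user, otp):
        return self.sms_codes.get(user) == otp


def authenticate(username, raw_password, backend, pending):
    """Decide one auth attempt. Returns (status, reason).

    status is 'OK', 'FAIL' or 'CHALLENGE' (reason then holds the CRV1 string).
    `pending` maps state_id -> username and must persist between script runs,
    because OpenVPN starts a fresh process for every attempt.
    """
    kind, password, otp, state_id = parse_client_password(raw_password)
    if kind == "static":
        ok = backend.check_password(username, password) and backend.check_otp(username, otp)
        return ("OK" if ok else "FAIL"), None
    if kind == "dynamic":
        # state is one-time: a replayed response must not succeed
        if pending.pop(state_id, None) != username:
            return "FAIL", None
        return ("OK" if backend.check_otp(username, otp) else "FAIL"), None
    # plain password: verify first factor, then trigger SMS and a dynamic challenge
    if not backend.check_password(username, password):
        return "FAIL", None
    backend.send_sms(username)
    reason, sid = build_dynamic_challenge(username, "Enter the SMS code", echo=True)
    pending[sid] = username
    return "CHALLENGE", reason


if __name__ == "__main__":
    backend = DemoBackend({"alice": "pw"}, {"alice": "123456"})
    pending = {}
    status, reason = authenticate("alice", "pw", backend, pending)
    print(status, reason)
    sid = reason.split(":")[2]
    print(authenticate("alice", f"CRV1::{sid}::123456", backend, pending))
    print(authenticate("alice", "SCRV1:cHc=:MTIzNDU2", backend, pending))
```

In the static flow the client collects the SMS code before the first connection attempt, so the server never needs an Access-Challenge round trip: it can send password and code to the backend in one go, which sidesteps the plugin behaviour shown in the log above. The dynamic flow gives the "window opens after login" experience but requires the server side to keep the challenge state and to be able to return the CRV1 reason to the client.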