Advice on the implementation of the VPN + 2FA SMS scheme

Hello.
I need advice or recommendation on the possibility of implementing the following scheme:
The user connects to the VPN and uses SMS as the second factor.

I set up PI, freeradius and an openvpn server.
When connecting to the VPN, a request is sent through RADIUS to the PI and the PI sends an SMS, but the following error occurs on the VPN:

Tue May  2 17:41:59 2023 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
Tue May  2 17:42:03 2023 RADIUS-PLUGIN: Get ACCESS_REJECT or ACCESS_CHALLENGE-Packet.->ACCESS-DENIED.
Tue May  2 17:42:03 2023 Error: RADIUS-PLUGIN: BACKGROUND  AUTH: Auth failed!.

Tue May  2 17:42:03 2023 RADIUS-PLUGIN: FOREGROUND THREAD: Error receiving auth confirmation from background process.
2023-05-02 17:42:03 10.244.60.216:54332 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-05-02 17:42:03 10.244.60.216:54332 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/radiusplugin.so
2023-05-02 17:42:03 10.244.60.216:54332 TLS Auth Error: Auth Username/Password verification failed for peer

As I understand it, the issue here is in the plugin between freeradius and openvpn, which does not know how to handle ACCESS_CHALLENGE.
This plugin has not been updated for a long time and no update is planned, so I cannot ask there.

Hence the question: has someone implemented the VPN + 2FA SMS scheme?
It does not have to be openvpn, or even radius. I would like to give the user the opportunity to connect to the VPN as simply as possible.
That is, he logs in with his AD login and password, receives an SMS and enters the code in a window that opens in the client.

As I understand it, the openvpn client can open an additional window for entering an SMS code, which is why I chose this scheme from the very beginning.

Is it possible?
Maybe someone has implemented this and can share their experience?

Yes, this is basically possible.
You need your VPN configured against RADIUS.

The user needs to send his password in the first step via RADIUS.
The VPN needs to support RADIUS Challenge Response. This can be challenging :wink:

But then it works out nicely.
I have seen it working perfectly with e.g. netscaler.

Thank you.
In the end, I did it! :partying_face: :partying_face: :partying_face: :partying_face:
I managed to assemble openvpn, radius, pi and sms into one and it works.
Thank you so much for your help and for this forum. If you search for a long time and concentrate on the forum, you can solve almost everything.
Thanks for the PI, it really works very well.
Now all that remains is for me to correctly separate the rights of the connected users, but the most important thing has already been done!