Cannot link PrivacyIDEA + FreeRADIUS + VPN (OpenVPN / UniVPN)

Hello everyone.
I need help with integrating PrivacyIDEA (3.12.1), FreeRADIUS, and a VPN solution (UniVPN, or OpenVPN for testing purposes).

I have two servers located in the same network. One server runs PrivacyIDEA (3.12.1), and the second one runs FreeRADIUS. Both servers are behind a MikroTik router and can communicate with each other without issues.

PrivacyIDEA itself is working perfectly: the web interface is accessible, policies are configured, tokens are enrolled, and the official PrivacyIDEA mobile app is used. LDAP is connected to PrivacyIDEA, and all users from my LDAP domain are correctly visible in the web interface. Test Push authentication in poll-only mode works reliably.

My main goal is to implement 2FA for VPN access. The desired authentication flow is the following: when a user connects to the VPN, the authentication request should go to FreeRADIUS, then be forwarded to PrivacyIDEA, which should trigger a Push notification in the PrivacyIDEA mobile app for user approval. However, in practice this does not work — when connecting via VPN, no Push notification is received, and it is unclear at which point the authentication flow breaks.

I have tried integrating both UniVPN and OpenVPN (to simplify testing), but I could not achieve a working setup. I am also unsure whether my current architecture is correct, given that PrivacyIDEA and FreeRADIUS are installed on separate servers, and I am not fully certain how the VPN should interact with FreeRADIUS (directly or via the MikroTik router).

Another issue concerns the username format. During authentication, FreeRADIUS uses the domain @locate, whereas I need it to use my LDAP domain, which is already configured in PrivacyIDEA and works correctly there. I suspect that this domain mismatch may cause PrivacyIDEA to process the authentication request incorrectly, but I am not sure where this should be properly configured (realm handling, User-Name rewriting, etc.).

I would also appreciate clarification on which parameters are critical for Push-based authentication via VPN: whether challenge-response is required, which authentication method (e.g. PAP) should be used, and how to verify that the RADIUS request from the VPN actually reaches PrivacyIDEA.

I would be grateful for any guidance regarding the correct architecture, troubleshooting steps, and examples of a minimal working setup for PrivacyIDEA + FreeRADIUS + VPN with Push-based 2FA.

You should not do this. PUSH authentication cannot reliably work via the RADIUS protocol due to the design of the RADIUS protocol.

The RADIUS protocol expects an immediate answer like ACCESS or REJECT. It is a communication between two parties.

Push authentication cannot provide an immediate answer. Also, three parties are involved on a network level: the VPN server, the privacyIDEA server and the authenticator app (ok, there is even Google Firebase :wink:).

There is the mechanism of “push wait”, but this is a different Pandora's box to open.
So my recommendation would be to use TOTP with RADIUS.
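To make the two-party, immediate-answer point of the reply concrete, here is an added example (not code from either poster, and not privacyIDEA's or FreeRADIUS's own implementation): a toy RADIUS exchange in Python that builds an Access-Request with a PAP-hidden User-Password as the VPN server (NAS) would, and a toy server that verifies PIN + TOTP and answers Access-Accept or Access-Reject inside that same request/response, with no step at which a phone could be consulted. The shared secret, the user table, the realm `example.org` and the PIN are constructed sample values; the TOTP seed is the RFC 6238 test vector. The MD5-based password hiding and Response Authenticator are what RFC 2865 specifies, not a design choice here.

```python
import hashlib
import hmac
import secrets
import struct
import time

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: shared secret and one user with a static PIN and a TOTP seed
# (the seed is the RFC 6238 test vector; PIN, user and realm are made up for this example).
SECRET = b"testing123"
USERS = {("alice", "example.org"): {"pin": "1234", "key": b"12345678901234567890"}}


def pap_hide(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password.encode().ljust(((len(password) + 15) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal(blob, secret, authenticator):
    """Inverse of pap_hide, as the RADIUS server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    return out.rstrip(b"\0").decode()


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret):
    """What the NAS (the VPN server) sends: Code, Identifier, Length, random Request Authenticator, attributes."""
    authenticator = secrets.token_bytes(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def totp(key, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with the RFC 4226 dynamic truncation."""
    counter = struct.pack("!Q", int((time.time() if at is None else at) // step))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def handle_access_request(packet, secret, users, now=None):
    """Toy RADIUS server: the Accept/Reject decision is made synchronously within the one
    request/response pair. Nothing here can wait for a third party (a phone) to approve; TOTP needs none."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    # Realm handling: split "user@realm" explicitly instead of letting a default realm be guessed.
    user, _, realm = attrs[ATTR_USER_NAME].decode().partition("@")
    password = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    entry = users.get((user, realm))
    # The PAP password carries PIN + current TOTP; compare in constant time.
    ok = entry is not None and hmac.compare_digest(password, entry["pin"] + totp(entry["key"], now))
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)  # reply carries no attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return resp_code, header + hashlib.md5(header + authenticator + secret).digest()


def verify_response(request, response, secret):
    """What the NAS checks on receipt: matching Identifier and a valid Response Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    code = totp(USERS[("alice", "example.org")]["key"])
    request = build_access_request(1, "alice@example.org", "1234" + code, SECRET)
    result, reply = handle_access_request(request, SECRET, USERS)
    print("reply code:", result, "authenticator ok:", verify_response(request, reply, SECRET))
```

The `now` parameter exists only so the TOTP window can be pinned for testing; in real use the server reads the clock. Note that the password is checked and the reply is built in one function call with no intermediate state, which is exactly the shape a push approval cannot fit into without the "push wait" workaround the reply mentions.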