Server2012 L2TP VPN uses AD domain account + TOTP two-factor authentication

hi, all
I built an L2TP VPN on server2012. It is ok to use raidus authentication in NPS. When I want to use two-factor authentication with privacyIDEA, L2TP VPN is integrated into
When the integration with freeradius occurs, an error message appears. For detailed error information, see the attached log error. Before I tested openvpn is successful, please help me to see where the L2TP VPN is wrong?


You get a result-status false in the freeradius log.

"privacyIDEA Result status is false!"

This means, that privacyIDEA was not able to handle the request.

You should take a look in the privacyidea audit log or increase the log level to take a look at the privacyidea.log file.
The time of the privacyidea.log file does not match the error in the freeradius log!

thank you for your help
I tested today that L2TP using pap authentication is successful, but using chap or chap-v2 will Result in the error “privacyIDEA Result status is false”

In addition, error “ERR905: Missing parameter: ‘pass’” will be reported in the Audit of privacyIDEA. Is it true that freeradius does not support chap authentication?The attachment is my error information.

Could you please help me to find out the reason? thanks
Error message

The pap certification is OK. Please find the attached picture

OTP in this case only works with PAP.
It can not work with CHAP by design.

Thank you very much for your answer.
I also found your answer to this type of question in the Google search.Currently, I’m still a novice, and as far as I know of privacyidea, it’s a very powerful authentication system that supports many platforms。

1 Like

Hi, could you please help me on this, how to get this done.
Actually- i am using Softeather VPN and windows Radius Authentication.
Tried hard to get this done 2FA with Privacyidea + Softrther + Windows Radius but failing to achieve.
Now planing to try windows 2012 R2 VPN either SSTP or L2TP + windows Radius and PrivacyIdea.
Need your valuable input.
I am very new and have not much idea.


SoftEther supports RADIUS, why do you need Windows in the mix?

1 Like

How to configure 2FA with softether VPN, as of now its getting authenticated via windows Radius sever.
But it seems this VPN server do not support 2FA.
Can anyone please help on this.

No idea, I don’t use SoftEther…

And that means SoftEther does support RADIUS since NPS is a standard RADIUS server.

What does this mean: “do not support 2FA”?
If it supports NPS (see above) it will support privacyIDEA…

Have you configured SoftEther to work with NPS?
Just point it to privacyIDEA instead and it should work…

Thank you so much, i am very new in this.
Could you please help me how to take care of freeradius part which is installed in PI server, i am authentication protocal and other basic configuration.

Please correct me if i am thinking wrong.

  1. setup PrivacyIdea server
  2. setup Freeradius
  3. setup NPS in windows
  4. setup forward NPS traffic to Freeradius server

I am confused, do i need to configure target Radius server in Softether VPN to freeradius or Windows NPS with radius installed.

So sorry for too many question.


Setup privacyIDEA with RADIUS and forget about Windows/NPS…

If your existing setup works with NPS, your RADIUS configuration page (on SoftEther) points to it…
Replace it!

If your NPS server is and privacyIDEA server is replace the first IP with the second on the SoftEther config page and you are done…

Are you sure the existing setup is using RADIUS with Windows AD?
What flavour of SoftEther do you use - open source or commercial?
Based on this discussion the free SoftEther does not support RADIUS

Thank you so much Henry, i must appreciate your help on this.
Windows Radius with Softether is working perfectly fine.
I am using open source Softether, it seems this post is old and later they added Radius support.

I will try your suggestion. Any help or guid what are basic setup and configuration we have to do in Freedadius running on PrivacyIdea to support AD user authentication ? This is very new and i have no idea what else to be added and where

I am so sorry for all these query.

If you don’t mind, allow to open one to one exchange with you. I am ok to speak or write email to you.
Will you be able to share your email address please. This will be very healfull.

Thank you so much.

There isn’t much I can add… I use Cisco ASA, not SoftEther…
Follow the documentation to install PI with freeRADIUS, whitelist the VPN IP address, done…
Search this forum,

The discussion is better to keep in this thread so people can contribute to / learn from it…

Hi Henry,
Thanks and i must not request anymore now as you have provider enough time and input but still allow me to take liberty to request for one more help.
I did installation from below link and able to login on PI web console using AD users.

What else i have to do in FreeRadius ?

I am thinking to get Softether authenticate directly from Freeradius and eliminate windows Radius.

Unfortunately i am missing what else i have to do in FreeRadius which is also installed in same server where PI is installed.

Do you have any clear article or steps which i can follow and do this setup and test.


You have to whitelist - allow communication between the SoftEther server and freeRADIUS om PI - the SoftEther IP address in a file called clients.conf… That’s all.

Start with searching this forum and reading RADIUS-related posts…

Thank you Henry,

It seems this will be difficult with softether VPN, what to done if i need to inter domain password along TOTP token in single field at password field in softether VPN client ?
Is there anything we can do please


Once again - forget Windows, domains, Active Directory, etc. It’s not there anymore.
You query the privacyIDEA server for login credentials…

Every user has a PIN (e.g. 1234 or abcde) and a OTP (e.g. TOTP, HOTP, Yubikey, etc.)
The password is a concatenated PIN and OTP…

You should read the documentation…

Thank you, trying to test Radius locally but its getting failed:

radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/sites-enabled/privacyidea

Loading authenticate {…}

Loading authorize {…}

} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = “auth”
ipaddr = *
port = 0
Failed binding to auth address * port 1812: Address already in use
/etc/freeradius/3.0/sites-enabled/privacyidea[12]: Error binding to port for port 1812