hi, all
I built an L2TP VPN on server2012. It is ok to use raidus authentication in NPS. When I want to use two-factor authentication with privacyIDEA, L2TP VPN is integrated into
When the integration with freeradius occurs, an error message appears. For detailed error information, see the attached log error. Before I tested openvpn is successful, please help me to see where the L2TP VPN is wrong?
You get a result-status false in the freeradius log.
"privacyIDEA Result status is false!"
This means, that privacyIDEA was not able to handle the request.
You should take a look in the privacyidea audit log or increase the log level to take a look at the privacyidea.log file.
The time of the privacyidea.log file does not match the error in the freeradius log!
hi,Cornelius
thank you for your help
I tested today that L2TP using pap authentication is successful, but using chap or chap-v2 will Result in the error āprivacyIDEA Result status is falseā
In addition, error āERR905: Missing parameter: āpassāā will be reported in the Audit of privacyIDEA. Is it true that freeradius does not support chap authentication?The attachment is my error information.
Could you please help me to find out the reason? thanks
Error message
The pap certification is OK. Please find the attached picture
OTP in this case only works with PAP.
It can not work with CHAP by design.
Thank you very much for your answer.
I also found your answer to this type of question in the Google search.Currently, Iām still a novice, and as far as I know of privacyidea, itās a very powerful authentication system that supports many platformsć
Hi, could you please help me on this, how to get this done.
Actually- i am using Softeather VPN and windows Radius Authentication.
Tried hard to get this done 2FA with Privacyidea + Softrther + Windows Radius but failing to achieve.
Now planing to try windows 2012 R2 VPN either SSTP or L2TP + windows Radius and PrivacyIdea.
Need your valuable input.
I am very new and have not much idea.
Thank
SoftEther supports RADIUS, why do you need Windows in the mix?
https://www.softether.org/4-docs/1-manual/2._SoftEther_VPN_Essential_Architecture/2.2_User_Authentication#2.2.3_RADIUS_Authentication
How to configure 2FA with softether VPN, as of now its getting authenticated via windows Radius sever.
But it seems this VPN server do not support 2FA.
Can anyone please help on this.
No idea, I donāt use SoftEtherā¦
And that means SoftEther does support RADIUS since NPS is a standard RADIUS server.
What does this mean: ādo not support 2FAā?
If it supports NPS (see above) it will support privacyIDEAā¦
Have you configured SoftEther to work with NPS?
Just point it to privacyIDEA instead and it should workā¦
Thank you so much, i am very new in this.
Could you please help me how to take care of freeradius part which is installed in PI server, i am authentication protocal and other basic configuration.
Please correct me if i am thinking wrong.
I am confused, do i need to configure target Radius server in Softether VPN to freeradius or Windows NPS with radius installed.
So sorry for too many question.
Thanks
Setup privacyIDEA with RADIUS and forget about Windows/NPSā¦
If your existing setup works with NPS, your RADIUS configuration page (on SoftEther) points to itā¦
Replace it!
If your NPS server is 10.10.10.10 and privacyIDEA server is 10.10.10.20 replace the first IP with the second on the SoftEther config page and you are doneā¦
EDIT:
Are you sure the existing setup is using RADIUS with Windows AD?
What flavour of SoftEther do you use - open source or commercial?
Based on this discussion the free SoftEther does not support RADIUS
Thank you so much Henry, i must appreciate your help on this.
Windows Radius with Softether is working perfectly fine.
I am using open source Softether, it seems this post is old and later they added Radius support.
I will try your suggestion. Any help or guid what are basic setup and configuration we have to do in Freedadius running on PrivacyIdea to support AD user authentication ? This is very new and i have no idea what else to be added and where
I am so sorry for all these query.
If you donāt mind, allow to open one to one exchange with you. I am ok to speak or write email to you.
Will you be able to share your email address please. This will be very healfull.
Thank you so much.
There isnāt much I can addā¦ I use Cisco ASA, not SoftEtherā¦
Follow the documentation to install PI with freeRADIUS, whitelist the VPN IP address, doneā¦
Search this forum,
The discussion is better to keep in this thread so people can contribute to / learn from itā¦
Hi Henry,
Thanks and i must not request anymore now as you have provider enough time and input but still allow me to take liberty to request for one more help.
I did installation from below link and able to login on PI web console using AD users.
What else i have to do in FreeRadius ?
I am thinking to get Softether authenticate directly from Freeradius and eliminate windows Radius.
Unfortunately i am missing what else i have to do in FreeRadius which is also installed in same server where PI is installed.
Do you have any clear article or steps which i can follow and do this setup and test.
Thanks
You have to whitelist - allow communication between the SoftEther server and freeRADIUS om PI - the SoftEther IP address in a file called clients.confā¦ Thatās all.
Start with searching this forum and reading RADIUS-related postsā¦
Thank you Henry,
It seems this will be difficult with softether VPN, what to done if i need to inter domain password along TOTP token in single field at password field in softether VPN client ?
Is there anything we can do please
Thanks
Once again - forget Windows, domains, Active Directory, etc. Itās not there anymore.
You query the privacyIDEA server for login credentialsā¦
Every user has a PIN (e.g. 1234 or abcde) and a OTP (e.g. TOTP, HOTP, Yubikey, etc.)
The password is a concatenated PIN and OTPā¦
You should read the documentationā¦
Thank you, trying to test Radius locally but its getting failed:
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/sites-enabled/privacyidea
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = āauthā
ipaddr = *
port = 0
Failed binding to auth address * port 1812: Address already in use
/etc/freeradius/3.0/sites-enabled/privacyidea[12]: Error binding to port for 0.0.0.0 port 1812