Feature #16558

open

Add support of static-challenge OpenVPN option in Radius for 2FA

Added by Lev Prokofev 7 months ago. Updated about 1 month ago.

Status: Confirmed
Priority: Low
Assignee: -
Category: OpenVPN Client Export
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Description

Currently, Radius+OTP requires the user to add the PIN+OTP in the password field every time the user connects. With the static-challenge option (https://openvpn.net/as-docs/tutorials/tutorial--challenge-response-authentication.html#step-3--set-up-a-static-challenge-response), the client can save the PIN as the password and add the OTP in a separate window. However, the Radius expects to see the password as password=PIN+OTP. To work around it, the following can be added to the Radius config (this likely should be the GUI option):

if (&request:State) {
    update request {
        User-Password := "%{User-Password}%{reply:Reply-Message}" 
    }
}
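
The recombination this request asks for, sketched outside RADIUS as an added example (not code from this issue, pfSense or FreeRADIUS). It assumes OpenVPN's documented static-challenge encoding, where the client sends the password field as `SCRV1:<base64 password>:<base64 response>`; the name `radius_password`, the empty-field policy and the sample PIN/OTP values are constructed for illustration.

```python
import base64
import binascii

SCRV1_PREFIX = "SCRV1:"


class MalformedStaticChallenge(ValueError):
    """Password starts with SCRV1: but cannot be decoded."""


def _b64_text(field: str) -> str:
    # validate=True rejects characters outside the base64 alphabet
    # instead of silently skipping them.
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise MalformedStaticChallenge("field is not valid base64 text") from exc


def radius_password(openvpn_password: str) -> str:
    """Return the value to send as RADIUS User-Password (PIN+OTP).

    With static-challenge enabled the client sends
    SCRV1:<b64 saved PIN>:<b64 OTP typed in the challenge window>.
    Without it the user typed PIN+OTP directly, so pass it through.
    """
    if not openvpn_password.startswith(SCRV1_PREFIX):
        return openvpn_password
    # ':' is not in the base64 alphabet, so splitting on it is unambiguous.
    parts = openvpn_password[len(SCRV1_PREFIX):].split(":")
    # Assumed policy: fail closed if either the PIN or the OTP is empty.
    if len(parts) != 2 or not all(parts):
        raise MalformedStaticChallenge("expected two non-empty fields")
    pin, otp = (_b64_text(p) for p in parts)
    return pin + otp


if __name__ == "__main__":
    # Constructed sample: PIN "1234", OTP "654321".
    print(radius_password("SCRV1:MTIzNA==:NjU0MzIx"))
```
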
Actions #1

Updated by Kris Phillips 6 months ago

  • Status changed from New to Confirmed

This would be significantly helpful for 2FA configurations with OpenVPN.

Wouldn't this option be for the OpenVPN Export package and not freeRADIUS, however?

Actions #2

Updated by Kris Phillips about 1 month ago

  • Category changed from FreeRADIUS to OpenVPN Client Export

Related: https://redmine.pfsense.org/issues/13293

Updating to correct Category.
