pfSense IPsec remote access VPN using Windows RADIUS and MFA

Hi all,

Currently we are utilizing pfSense IPsec for remote access VPN to our internal network. This authenticates using Windows NPS (with AD group membership and a computer certificate) and works very well. I have been asked to add MFA to it now. I would like to not have to switch to OpenVPN and FreeRADIUS if possible (unless FreeRADIUS can authenticate against AD?). Is there a way to add MFA without completely re-imagining/rebuilding the current setup?

Thanks,

Roy Beck

I would take a look at Duo and their proxy server. I think it can sit between the VPN and proxy requests to the NPS server and then perform MFA if primary validation is passed. I’ve used it in the past to add MFA to LDAP services.

I’m using OpenVPN authenticating against a Samba Active Directory backend (via LDAP). I don’t have FreeRADIUS in the mix, but I use OpenVPN’s certificate plus user credentials model. So a user must have their own VPN client certificate plus their AD creds.

Take a read here. This might be what you need.

https://help.duo.com/s/article/4785?language=en_US