xchg eax, eax

pfSense IKEv2 VPN with Microsoft NPS, AD Auth and MFA
Networking | 2024-07-03 13:23:17

During COVID we all scrambled to provide VPN's for our end users in any fashion which we could, but now MFA-less VPNs are a glaring attack vector which is actively being exploited. It was never good enough to leave MFA-less VPN's around, but now it's essential to get MFA on them. Further to this, VPN technologies have moved on in the last few years with the introduction of native controls in Windows 11, the decline of L2TP, the uptake of IKEv2 and the introduction of Wireguard. This guide is to configure an IKEv2 VPN on pfSense and provide Active Directory authentication and Azure MFA for remote users.
 
I have spent an annoying amount of time configuring and chasing problems with the pfSense to NPS config. The below config is working well for me with pfSense 23.09.1-RELEASE and NPS on Windows Server 2022. I have tested remote connectivity with Apple iOS 17 and Windows 11 devices (different algorithm requirements). The below config only highlights the pertinent configs and glosses over generic or assumed knowledge.
 
Note: the below config is done with self-signed certificates with the CN of the Public IP of the pfSense WAN interface. This presents an issue getting the certificate to end-users systems to be trusted in the system root store, so this should be swapped out for a publicly-verifiable certificate.
 
pfSense Config
Authentication Server
  • Add an authentication server with a type of RADIUS.
  • Select the protocol as MS-CHAPv2.
  • Create a shared secret.
  • Make the Authentication Timeout as 60.
  • The RADIUS NAS IP Attribute doesn’t seem to have any impact for me, but for cleanliness of MS Event Logs I set this to WAN.
 
IPsec
Tunnel (Phase 1)
  • Key Exchange Version: IKEv2.
  • Authentication Method: EAP-RADIUS.
  • My Identifier: IP address (use the WAN Interface IP Address) or change this to the FQDN of your public cert.
  • Peer Identifier: any
  • My Certificate: use a newly created self-signed cert, or your public cert.
  • Encryption Algorithms:
    • AES256-GCM, 128bits, SHA256, 16
    • AES256-GCM, 128bits, SHA256, 2
    • AES, 256bits, SHA256, 14
    • AES, 256bits, SHA1, 14
  • MOBIKE: Enable
 
Tunnel (Phase 2)
  • Mode: Tunnel
    • Local Network: expose your routes etc here
  • Protocol: ESP
  • Encryption Algorithms:
    • AES, 256bits
    • AES128-GCM, 128bits
    • AES256-GCM, Auto
  • Hash Algorithms:
    • SHA256, SHA384, SHA512
  • PFS Key Group: 14
 
Mobile Clients
  • User Authentication: your RADIUS authentication server (NPS)
  • Virtual Address Pool: Provide a virtual address
  • RADIUS Advanced Parameters:
    • Retransmit Timeout: 60
    • Retransmit Tries: 1
  • Network List: Ticked
  • DNS Servers: Ticked
 
NPS Config
  • Add a RADIUS Client
    • The Address must be the internal interface of your pfSense
    • Set the shared secret to what you set on the pfSense RADIUS secret config
  • Add a new network policy
    • Enable the policy
    • Grant access
    • Ignore user account dial-in properties: Ticked
    • Conditions: setup for your liking, ie group membership
    • Constraints: add an EAP Type of Microsoft: Secured password (EAP-MSCHAP v2) and set the number of Authentication retries to 1. You can remove all other authentication methods.
  • Install the NPS extension for Microsoft Entra Multifactor Authentication.
    • You can follow all the defaults here, there is nothing specific to RADIUS/pfSense
  • In my environment I had to change the registry for the OTP settings. The Microsoft guide said that this is no longer needed, but I still had to do it.
  • New String: HKLM\Software\Microsoft\AzureMFA value = FALSE

 

There were a lot of weird errors and issues that I had to work through and some of these links helped: