MFA Prompt?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
jmunoz
OpenVpn Newbie
Posts: 15
Joined: Mon Jun 12, 2017 7:15 pm

MFA Prompt?

Post by jmunoz » Sun Dec 15, 2019 3:09 pm

I'm using OpenVPN AS with my RADIUS server that's configured to use Azure MFA.
When we attempt to log in to the AS server with a RADIUS credential, Azure MFA sends the challenge to the MFA device and the user is able to log in once they acknowledge the challenge.
The issue we are experiencing though is that OpenVPN AS doesn't present any prompt "waiting for MFA" and if users do not know to look at their device for the challenge, they may think OpenVPN is "stuck" because nothing appears to happen until the challenge is accepted or timed out. This only occurs on users who have the MS Authenticator app where they need to accept the connection on their app before the connection proceeds. Users who have SMS or OTP receive a "challenge" prompt.

How do we let our end users know to look for their MFA challenge?

MateoSJ
OpenVpn Newbie
Posts: 2
Joined: Wed Feb 15, 2023 10:51 pm

Re: MFA Prompt?

Post by MateoSJ » Wed Feb 15, 2023 11:21 pm

Any resolution? It only works if the authentication is an approval and not a code to respond with as there is no prompt to enter code. Where does the code go?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: MFA Prompt?

Post by openvpn_inc » Thu Feb 16, 2023 1:31 pm

Hello jmunoz and MateoSJ,

I would recommend that you switch to using SAML.

The problem with RADIUS authentication is that if the MFA prompt is not handled in the RADIUS protocol but instead outside of it, by triggering an external device to ask for approval, then the RADIUS authentication will basically just pause until the approval has been given. The Access Server is not made aware of why the RADIUS server is pausing. So eventually it just must conclude that the RADIUS server is not responding and times out.

If however you use SAML, then such messages can be displayed on the login page itself by the SAML IdP (Azure in this case) so users are aware that they must take some action.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
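To make Johan's point concrete, here is an added example (not from the thread, and not OpenVPN's or Azure's code) that plays both sides of a minimal RADIUS exchange over loopback with a constructed server: an OTP-style user gets an Access-Challenge whose Reply-Message the NAS could display, while a push-approval user gets nothing on the wire until approval arrives, so a NAS with a shorter timeout cannot tell it from a dead server. User names, the shared secret and the prompt text are constructed; the Response Authenticator check is omitted.

```python
import hashlib, os, socket, struct, threading, time

SECRET = b"constructed-shared-secret"  # constructed value, not a real deployment secret
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11          # RADIUS packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24      # RADIUS attribute types

def hide_password(password, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)
    padded, out, prev = password.ljust(-(-len(password) // 16) * 16, b"\0"), b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out += prev
    return out
def attr(kind, value):            # one type-length-value attribute
    return bytes([kind, 2 + len(value)]) + value
def parse_attrs(data):            # attributes start after the 20-byte header
    attrs, i = {}, 20
    while i + 2 <= len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs
def packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def fake_radius_server(sock, push_delay):
    # Constructed stand-in for the RADIUS server in the thread: an OTP user gets an Access-Challenge
    # carrying a Reply-Message, a push user gets silence until the phone approval arrives.
    data, peer = sock.recvfrom(4096)
    if parse_attrs(data)[USER_NAME] == b"otp-user":
        body = attr(REPLY_MESSAGE, b"Enter the code from your authenticator") + attr(STATE, b"s1")
        sock.sendto(packet(ACCESS_CHALLENGE, data[1], b"\0" * 16, body), peer)
    else:
        time.sleep(push_delay)    # waiting on the approval; nothing is sent to the NAS meanwhile
        sock.sendto(packet(ACCESS_ACCEPT, data[1], b"\0" * 16, b""), peer)
def authenticate(user, client_timeout, push_delay):
    # What the NAS (here: Access Server) sees: ("challenge", prompt), ("accept", None) or ("timeout", None)
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    threading.Thread(target=fake_radius_server, args=(server, push_delay), daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(client_timeout)
    auth = os.urandom(16)
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(b"pw", auth))
    client.sendto(packet(ACCESS_REQUEST, 7, auth, body), server.getsockname())
    try:
        data, _ = client.recvfrom(4096)
    except socket.timeout:
        return ("timeout", None)  # to the NAS this looks exactly like a dead RADIUS server
    if data[0] == ACCESS_CHALLENGE:
        return ("challenge", parse_attrs(data)[REPLY_MESSAGE].decode())
    return ("accept", None)
```

Running `authenticate(b"push-user", 0.5, 2.0)` reproduces the thread's symptom (a bare timeout with no prompt), while `authenticate(b"otp-user", 1.0, 0.0)` returns the Reply-Message text a NAS can show the user.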
