MFA Prompt?

Posted: Sun Dec 15, 2019 3:09 pm
by jmunoz
I'm using OpenVPN AS with my RADIUS server that's configured to use Azure MFA.
When we attempt to login to the AS server with a RADIUS credential, Azure MFA sends the challenge to the MFA device and the user is able to login once they acknowledge the challenge.
The issue we are experiencing though is that OpenVPN AS doesn't present any prompt "waiting for MFA" and if users do not know to look at their device for the challenge, they may think OpenVPN is "stuck" because nothing appears to happen until the challenge is accepted or timed out. This only occurs on users who have the MS Authenticator app where they need to accept the connection on their app before the connection proceeds. Users who have SMS or OTP receive a "challenge" prompt.

How do we let our end users know to look for their MFA challenge?

Re: MFA Prompt?

Posted: Wed Feb 15, 2023 11:21 pm
by MateoSJ
Any resolution? It only works if the authentication is an approval and not a code to respond with as there is no prompt to enter code. Where does the code go?

Re: MFA Prompt?

Posted: Thu Feb 16, 2023 1:31 pm
by openvpn_inc
Hello jmunoz and MateoSJ,

I would recommend that you switch to using SAML.

The problem with RADIUS authentication is that if the MFA prompt is not handled in the RADIUS protocol but instead outside of it, by triggering an external device to ask for approval, then the RADIUS authentication will basically just pause until the approval has been given. The Access Server is not made aware of why the RADIUS server is pausing. So eventually it just must conclude that the RADIUS server is not responding and times out.

If however you use SAML, then such messages can be displayed on the login page itself by the SAML IdP (Azure in this case) so users are aware that they must take some action.

Kind regards,
Johan
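The difference Johan describes can be seen on the wire. In the SMS/OTP flow the RADIUS server answers the Access-Request with an Access-Challenge carrying a Reply-Message attribute, which is the text the client can show as a prompt; in the push-approval flow no packet arrives until the user taps approve, so the client sees only silence and eventually its own timeout. The following is an added illustration, not code from this thread or from OpenVPN; it builds constructed RADIUS reply packets (RFC 2865 layout, zero authenticator, no signature check) and classifies what a VPN client could display for each outcome.

```python
import struct
from typing import Optional

# RADIUS packet codes and attribute types as defined in RFC 2865.
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute TLVs: 1 byte type, 1 byte total length, then the value."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def classify_response(packet: Optional[bytes]) -> tuple[str, Optional[str]]:
    """Return (outcome, prompt_text). packet=None models the push-approval case:
    the server stays silent until the user approves, so the client only sees its own timeout."""
    if packet is None:
        return ("timeout", None)
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = parse_attributes(packet[20:length])  # skip 4-byte header + 16-byte authenticator
    if code == ACCESS_CHALLENGE:
        # Reply-Message is the text a client can show, e.g. "enter your code".
        msgs = [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]
        return ("challenge", " ".join(msgs) or "(no Reply-Message)")
    if code == ACCESS_ACCEPT:
        return ("accept", None)
    if code == ACCESS_REJECT:
        return ("reject", None)
    return ("unknown", None)


def build_packet(code: int, ident: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed reply packet with an all-zero authenticator (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: OTP/SMS flow yields a challenge with a prompt; push flow yields nothing.
OTP_CHALLENGE = build_packet(ACCESS_CHALLENGE, 7,
                             [(REPLY_MESSAGE, b"Enter your verification code"), (STATE, b"sess01")])
PUSH_PENDING = None
```
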