Current setup: UTM with users who VPN in using the native Windows 10 client via L2TP. Users are authenticated through UTM, RADIUS connection to Windows server. Need 2FA solution. Already tried: Duo - doesn't work. We have their proxy installed. It works fine for WebAdmin, but for L2TP it fails as the Duo proxy isn't able to handle the MS-CHAPv2 format. OTP function in UTM - doesn't work. We tried some Feitian tokens and it doesn't seem to work. We tried appending the nonce after the password, we tried password - comma - nonce. It doesn't work and the connection fails. We need to use L2TP with native Windows VPN client because roaming profiles and folder redirection is in use, and the users are synchronizing/authenticating with AD before Windows login occurs. Any suggestions appreciated.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP with 2FA using Windows (native) VPN client

Current setup: UTM with users who VPN in using the native Windows 10 client via L2TP. Users are authenticated through UTM, RADIUS connection to Windows server.

Need 2FA solution.

Already tried:

Duo - doesn't work. We have their proxy installed. It works fine for WebAdmin, but for L2TP it fails as the Duo proxy isn't able to handle the MS-CHAPv2 format.
OTP function in UTM - doesn't work. We tried some Feitian tokens and it doesn't seem to work. We tried appending the nonce after the password, we tried password - comma - nonce. It doesn't work and the connection fails.

We need to use L2TP with native Windows VPN client because roaming profiles and folder redirection is in use, and the users are synchronizing/authenticating with AD before Windows login occurs.

Any suggestions appreciated.

This thread was automatically locked due to age.

0 Jaydeep over 6 years ago

Hi LeeSentell

It is not possible to use 2FA with L2TP VPN. There's an old feature request for this here but I don't think it's going to be available.
Cancel
Vote Up 0 Vote Down

Cancel
0 LeeSentell over 6 years ago in reply to Jaydeep

Forgive me, I don’t understand then why the OTP screen has a checkbox marked “IPSec remote access”. Doesn’t this imply that it can be accomplished? If not, what’s the point of this checkbox?
Cancel
Vote Up 0 Vote Down

Cancel
0 Jaydeep over 6 years ago in reply to LeeSentell

That's a good question actually. Let me explain.

In UTM9, L2TP(over IPSec) and IPSec remote access are two different VPN services.

L2TP has its origins in PPTP. Since it does not provide security features such as Encryption or strong authentication, it is often combined with IPsec. The combination of these two protocols is known as L2TP over IPsec.

Now the IPsec Remote Access is simply a host-to-host IPSec connection in tunnel mode.
Cancel
Vote Up 0 Vote Down

Cancel