MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

OpenVPN tries to use PAP authentication #52940

Closed stuhad closed 3 years ago

stuhad commented 4 years ago

When trying to integrate OpenVPN with RADIUS authentication we see the connection is using unencrypted PAP as the authentication method. Please update documentation with steps to enable encrypted OpenVPN and RADIUS authentication.



TravisCragg-MSFT commented 4 years ago

@stuhad This is something simple that you set on the OpenVPN Client.

Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

stuhad commented 4 years ago

@TravisCragg-MSFT I'm downloading the ovpn config from the Azure Virtual Network Gateway P2S portal. If there is a way to alter the config, please document it.

cocallaw commented 4 years ago

@stuhad For the network policy on the RADIUS server for the Azure VPN, do you have PAP selected as an option under Authentication Methods of the Constraints Tab in the Properties?

Also, what conditions do you have specified for the Policy on the RADIUS server?

stuhad commented 4 years ago

@cocallaw I'm not really sure why you are asking me this, as we absolutely do not want to use PAP, but yes, if we set PAP as an Authentication Method then we see successful connections from the Azure Virtual Network Gateway (VNG) OpenVPN Peer to Site (P2S) VPN.

If we set any other Authentication Method such as MS-CHAP-v2 then the NPS server rejects the authentication attempt because the Azure VNG OpenVPN P2S VPN only seems to try connecting with an Unencrypted authentication mechanism.

stuhad commented 4 years ago

@cocallaw did you need any further information?

cocallaw commented 4 years ago

I spoke with the engineering team, and they confirmed that with a P2S VPN configured with RADIUS and OpenVPN, currently PAP is the only authentication method supported between the GW and RADIUS server.

genlin commented 3 years ago

@cocallaw Thanks for sharing the update with us.

@stuhad If you still have problems with integrating OpenVPN with RADIUS authentication, please contact our support. Thanks.

I will proceed to close this issue.

please-close

StephanBis commented 2 years ago

@cocallaw We are in the exact same situation at the moment, using RADIUS and OpenVPN. How is it acceptable to only support PAP? Is there any other way to use MSCHAPv2?