I want to set up VyOS to act as our remote VPN access appliance.
I currently have IPsec + L2TP configured to allow remote client VPN connections. Local authentication on the VyOS works great.
However, I want to enable RADIUS authentication and point it to a DUO RADIUS server that authenticates with Active Directory + DUO 2FA on the back end.
I have it all set up but am running into an issue. The log as shown on the DUO RADIUS server is this:
Primary credentials rejected - No password
I reached out to DUO support and this is what they said:
The error “Primary credentials rejected - No password” appears and Primary authentication will fail if the appliance has the Password Management feature enabled, as this causes the credentials to be sent in MS-CHAPv2. Our [Duo for Cisco Firepower] involves configuration of a Duo Authentication Proxy, which expects this data to be sent in PAP.
How can I configure VyOS to authenticate via RADIUS and:
- Not send credentials in MS-CHAPv2
- Send credentials in PAP