[KB5895] How to use Android VPN client to connect to an RRAS VPN server secured by Two-Factor Authentication (2FA) of ESET Secure Authentication (ESA)?

Solution

RRAS using PAP (Password Authentication Protocol)

If your RRAS VPN server is set to use the PAP protocol, deselect the check box next to PPP encryption (MPPE) when configuring the Android VPN client (Settings > Connections > More connection settings > VPN > tap Add VPN), because the PAP protocol does not support that encryption.

Figure 1-1
 

RRAS using MS-CHAPv2

If your RRAS VPN server is set to use the MS-CHAPv2 protocol, there is no need to deselect PPP encryption (MPPE) when configuring your Android VPN client.

However, one essential change must be made directly on the server (main computer) where ESET Secure Authentication (ESA) and its RADIUS component are installed.

  1. Open a Windows command prompt: press the Windows key + R key combination, type cmd and press Enter.

  2. Navigate to the installation directory of ESA, that is, C:\Program Files\ESET Secure Authentication\, or C:\Program Files (x86)\ESET Secure Authentication\ if you installed the 32-bit version of ESA on a 64-bit operating system. The command to navigate to the installation directory is:

    cd "C:\Program Files\ESET Secure Authentication\"
     
  3. Create an empty configuration file called EIP.Radius.WindowsService.exe.config by executing the following command:

    copy /b NUL EIP.Radius.WindowsService.exe.config 
     
  4. Exit the command prompt, locate the newly created EIP.Radius.WindowsService.exe.config file, right-click it, select Open with and click Notepad.
     
  5. Once Notepad opens, copy and paste the following content there:

    <?xml version="1.0"?>
    <configuration>
      <appSettings>
        <add key="RadiusSendReplyMessage" value="false" />
      </appSettings>
    </configuration>

  6. Save the changes by pressing the CTRL + S shortcut or by clicking the File menu item of Notepad and then clicking Save. Exit the editor.

  7. Press the Windows key + R key combination, type services.msc and press Enter.

  8. Locate the ESET Secure Authentication RADIUS Services service, right-click it and select Restart.
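
The file-creation and restart steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of ESET's tooling. The parameter names EsaDir and SendRequiredInEncryptionPolicy are hypothetical; the path, keys and service display name are the ones this article gives, and the optional switch writes the extra key described under "Android 5 and earlier versions".

```powershell
# Added example (not ESET tooling). Run in an elevated PowerShell session.
param(
    # Installation directory from the steps above; pass the "Program Files (x86)"
    # path for a 32-bit ESA on a 64-bit operating system.
    [string]$EsaDir = 'C:\Program Files\ESET Secure Authentication',
    # Also write RadiusSendRequiredInEncryptionPolicy=true (Android 5 and earlier).
    [switch]$SendRequiredInEncryptionPolicy
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $EsaDir -PathType Container)) {
    throw "ESA installation directory not found: $EsaDir"
}
$configPath = Join-Path $EsaDir 'EIP.Radius.WindowsService.exe.config'

# Keep a copy of an existing file so the change can be rolled back.
if (Test-Path -LiteralPath $configPath) {
    Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force
}

# Keys and values exactly as given in this article.
$settings = [ordered]@{ RadiusSendReplyMessage = 'false' }
if ($SendRequiredInEncryptionPolicy) {
    $settings['RadiusSendRequiredInEncryptionPolicy'] = 'true'
}

# Build the file through the XML API rather than by pasting text,
# so the result is well-formed by construction.
$doc = New-Object System.Xml.XmlDocument
$null = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', $null, $null))
$root = $doc.AppendChild($doc.CreateElement('configuration'))
$appSettings = $root.AppendChild($doc.CreateElement('appSettings'))
foreach ($key in $settings.Keys) {
    $add = $doc.CreateElement('add')
    $add.SetAttribute('key', $key)
    $add.SetAttribute('value', $settings[$key])
    $null = $appSettings.AppendChild($add)
}
$doc.Save($configPath)

# Read the file back: the [xml] cast throws if it is not well-formed.
$check = [xml](Get-Content -LiteralPath $configPath -Raw)
$check.configuration.appSettings.add | Format-Table key, value

# Display name as shown in services.msc according to this article.
Restart-Service -DisplayName 'ESET Secure Authentication RADIUS Services'
```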

Android 5 and earlier versions

If the configured Android VPN client fails to connect to your RRAS VPN server using the MS-CHAPv2 protocol, try deselecting PPP encryption (MPPE). To edit an already configured VPN connection, hold your finger for 2 seconds on the particular VPN connection and tap Edit Network in the pop-up window.

If the connection works after deselecting PPP encryption (MPPE), but you want users of earlier versions of Android to be able to use that encryption when connecting to your RRAS VPN server that uses the MS-CHAPv2 protocol, one more change is required. In step no. 5 above, add the following line:

    <add key="RadiusSendRequiredInEncryptionPolicy" value="true" />

right under the following line:

    <add key="RadiusSendReplyMessage" value="false" />