Captive portal for OpenVPN clients to implement a MFA

elbuit

Hi.
I'm using pfsense 2.5.2 as a openvpn roadwarrior and I want to add a MFA.
I managed to use a OTP google authenticator as a second autthentication factor but I want to add other sources (SMS, telegram, alternative email, ...).
As OpenVPN doesn't allow a second auth I want to implement this in the captive portal.
The user will authenticate with user password on openvpn and to get network access the user will need to introduce the OTP, token, ... on the captive portal.

So I tried to configure the captive portal on the OpenVPN interface but it doesn't work.
When I try to connect I get a error message and the captive portal log shows:

logportalauth 	357 	Zone: vpn_captive_portal - ERROR: unauthenticated, noclientmac, 192.168.0.2

I also tried to put openvpn connected to a bridge but always got the same error.

Is there anyway to make the captive portal working for the openvpn clients?

Thanks.

Gertjan

@elbuit said in Captive portal for OpenVPN clients to implement a MFA:

noclientmac

Although it is possible to have the captive portal to work without MAC :

you some what 'break' the portal, as only IP addresses are now used to grant access.

Btw : OpenVPN clients AND captive portals users : that's an unknown combination.
Captive portals are for local unknown users.
OpenVPN clients users are not unknown .... (you already have them an access).

elbuit

Thanks @Gertjan, I'm going to test it.
The main idea is to add a second authentication factor to OpenVPN.
OpenVPN client is not designed to ask a second challenge to authenticate.
To add a second auth factor in OpenVPN is quite common to enter a password+OTP token such Google auth.
But imagine that you want to add a 2FA based on SMS.
Google auth token can be known at the moment of enter the username and password, but that doesn't happen with SMS.
You should authenticate with user + password and then you will get a SMS, so you got SMS only when you were authenticated with OpenVPN client.
To check if that SMS (email, phone call, ...) is valid you can't use openvpn client but captive portal could be a good option, such as a voucheur o external payment method.

OpenVPN can't change their IPs, so IP validation is enough, we don't need to know the MAC address.

That is what I would like to do, if it is possible.

This could be also a valid solution to add a MFA to ipsec/l2tp, ... not only to OpenVPN.
This can be use to add a 2FA to client not designed to ask a second challenge.

Thx.

@Gertjan said in Captive portal for OpenVPN clients to implement a MFA:

@elbuit said in Captive portal for OpenVPN clients to implement a MFA:

noclientmac

Although it is possible to have the captive portal to work without MAC :

you some what 'break' the portal, as only IP addresses are now used to grant access.

Btw : OpenVPN clients AND captive portals users : that's an unknown combination.
Captive portals are for local unknown users.
OpenVPN clients users are not unknown .... (you already have them an access).

Gertjan

@elbuit

Isn't this a chicken and egg problem ?

If you want to connect to the captive portal, your VPN client has to connect first.
For the VPN client to be able to connect, you have to connect to the captive portal first.

OpenVPN : if you want several choices to identify, you could consider using Freeradius as an authentication service for the OpenVPN server.
Not the client btw. The OpenVPN client can only connect to a OpenVPN server.

See here : Authenticating OpenVPN Users with FreeRADIUS

LDAP can also be used.

elbuit

Not exactly, I mean you connect using OpenVPN, so you did the first authentication user+password against a freeradius.
That is what I'm doing now, an external freeradius authenticates "password+OTP" with a freeradius perl module.
OpenVPN clients can connect to vpn server and when they are connected a captive portal asks for the second authentication factor.
The main problem is that the openvpn client won't asks for a second auth, it only accepts user+password, so the workaround is use a "password+OTP" string on the password field.
That can be done beause you know Google Auth OTP before the auth process, but with a SMS, email, ... sent you won't know that second "password" unless you did the first auth.

BTW, I managed to connect to a captive portal disabling MAC filtering.

@Gertjan said in Captive portal for OpenVPN clients to implement a MFA:

@elbuit

Isn't this a chicken and egg problem ?

If you want to connect to the captive portal, your VPN client has to connect first.
For the VPN client to be able to connect, you have to connect to the captive portal first.

OpenVPN : if you want several choices to identify, you could consider using Freeradius as an authentication service for the OpenVPN server.
Not the client btw. The OpenVPN client can only connect to a OpenVPN server.

See here : Authenticating OpenVPN Users with FreeRADIUS

LDAP can also be used.