OpenVPN + Captive Portal 2FA
-
Hi folks,
So I have a Yubikey which I use for 2FA for websites as well as logging into SSH and my laptop. However, I want to implement 2FA for OpenVPN and a second layer to the Guest Network, which runs on Captive Portal. I am trying to find a solution which allows me to do this. From searching online, some use Radius and others use LDAP. I have configured NPS on Server 2022. Which would be better for this use case?
Please let me know, I am open to suggestions.
Regards
-
@VioletDragon said in OpenVPN + Captive Portal 2FA:
however I want to implement 2FA for OpenVPN and a second Layer to the Guest Network which runs on Captive Portal
First, you have to imagine this situation:
Create an OpenVPN connection to ... to where? Some VPN outside, right?
For this to happen, the firewall has to allow outgoing connections.
But you can't: the portal is blocking everything.
First: you have to log in to the portal. This can be done using radius, and radius opens up all kinds of possibilities.
Then, as is done a lot, you activate your VPN over the now open connection to the internet.
The other way around isn't possible: you can't have the VPN open and working and then log in to the portal.
@VioletDragon said in OpenVPN + Captive Portal 2FA:
I am trying to find a solution
What is the problem?
-
@Gertjan Hi. I managed to implement 2fa with OpenVPN and my Yubikey which works great. Used FreeRadius, however NPS is limited to only OTP so I didn’t go with that option.
Captive Portal is used for Guest which is currently configured with a username and password to login. I wanted to implement 2fa with this which I haven’t managed yet.
Regards
-
This FreeRadius on pfSense software for Two Factor Authentication ?
If FreeRadius is used for authentication, identification and accounting, I guess the portal works with 2FA.
The portal uses radius, and radius uses 2FA.
-
@Gertjan FreeRADIUS is running on a VM on one of my Nodes, not using FreeRadius on pfSense.
Regards
-
Same thing. On pfSense, or elsewhere, that's all good.
Remember: processes communicate with 127.0.0.1 = local, to some locally running process, or for example to 192.168.1.10, some device on pfSense LAN, with the same process on that device.