Web Admin Two Factor Authentication
-
Hi,
I'm sure this must have been asked before but I can't find any related to two factor authentication that doesn't relate to OpenVPN.
Is there a way to add two factor authentication to the pfsense web gui?
Thanks
Dan -
In what scenario does that make any sense?
The web gui for starters should only be available via management network. Only trusted "management" computers should be on this network. Only admins should have access to these machines, and the logins for these machines and the access to this network. Why are you now going to make their jobs even more difficult by require yet another auth method?
Lets say something is broken and not working, ie like the internet.. Or dns on pfsense, etc.. How is the 2fa going to function to allow the admin in to fix it, etc.
The web gui of your firewall should not be open to the public or unsecured users.. If it is - your doing it wrong ;) Since it should only be allowed to be accessed at a network level by trusted people, and they have been given login info. Some other form of 2fa is just over the top don't you think.
-
Hi,
I'm sure this must have been asked before but I can't find any related to two factor authentication that doesn't relate to OpenVPN.
Is there a way to add two factor authentication to the pfsense web gui?
Thanks
DanHi Dan, I don't believe MFA functionality to the WebGUI is available out-of-the-box, but it's a cool idea for defense in depth. Maybe something TOTP-based that doesn't require any connectivity whatsoever (such as Google Authenticator, Authy, etc.).
-
Install FreeRADIUS package. Setup users and Google Authenticator. Setup an entry in the Auth Servers for FreeRADIUS on Localhost. Set GUI to use the local RADIUS server for GUI auth. Done.
-
In what scenario does that make any sense?
It makes sense in any scenario, IMO :)
It's a very outdated idea that just b'cuz you are behind a VPN or comning form a managment-network everything is secure. The interface as important and sensetive as pfSense GUI should always have the MFA enabled. VPN, [n]ACL etc. only protects from possible external threat but not that much for internal ones. In many cases you need to give people access to VPN and your managment-network but not all of them need to have acces to FW interface and a stolen/misplaced password can do the trick easily. Some organizations (like ours) don't allow any login (internal or external) without MFA at all. It's certainly a very good idea to have MFA enabled and the should be considered as an security enhancement. -
I can't believe that it is 2022 and I am still being directed to this threat by Netgate support. MFA should be the minimum level of security required for something as sensitive as the border firewall - once you get into the management interface, you essentially have the keys to the kingdom, and have subverted a major layer of defence. Ideally, the only way to get into the managed interface should be using a cryptographic challenge-response mechanism that requires a hardware key, and this should not require an external server - having to run an external server is asking for trouble as it is another potential point of failure and increases the attack surface.
The evident reluctance to implement industry best practice makes me somewhat concerned about Netgate's security posture!
-
"Two factor" made easy :
First : lock down the GUI to a dedicated LAN port - all other LAN port can't connect to GUI. This can be done with some easy firewall rules.
Then : when an access is needed, you have to conncet a wire to this LAN port, then you can connect to it.
You could even limit further the access, with the help of the DHCP server using the "Deny unknown clients" setting.I know, this isn't what "Two Factor Authentication " stands for, but a high level of security has been reached.
-
@gertjan I had thought of this workaround, but then I would be unable to monitor performance/throughput/etc remotely, and would have to be physically present at the server rack for everything!
Very disappointed with your reluctance to follow industry best practices... this is the sort of mindset that results in Cisco getting the nickname as the "hardcoded password vulnerability factory"!!!
-
@tomrrr said in Web Admin Two Factor Authentication:
then I would be unable to monitor performance/throughput/etc remotely
Have the data collected by some server, protect the link with firewall rules - and now observe from ..... Dono, pick your place.
Go here or here if you need something.
Btw : I'm just a pfSense user, like you.