Netgate Discussion Forum

Solved: Two factor authentication for admin login

General pfSense Questions | 33 Posts, 9 Posters, 32.0k Views
NogBadTheBad

I think you also need Service-Type = Administrative-User against the user.

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
emammadov

Where is Service-Type = Administrative-User?

Elvin
johnpoz LAYER 8 Global Moderator

Your admin account would already have that set. But you need to set, under User Manager, to use your RADIUS server, not the local database.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
NogBadTheBad @emammadov

@emammadov

Additional RADIUS Attributes (REPLY-ITEM), right at the bottom of the user you created in FreeRADIUS under the Advanced Configuration section.

Andy
emammadov

I have many users using OpenVPN. Then those users will not be able to connect through OpenVPN?

Elvin
NogBadTheBad @emammadov

@emammadov

You want these many users to connect to the pfSense login page?

I use IPsec IKEv2 for a VPN solution, so I add the following as an Additional RADIUS Attributes (CHECK-ITEM): NAS-Identifier == strongSwan. This basically only allows a connection if the request has come from strongSwan and the VPN user ID.

This basically stops users connected to my LAN from using their FreeRADIUS accounts to log into the router's management page.

If you ssh to your router and run a shell, then type in radsniff -x, then connect via OpenVPN, you'll see the NAS-Identifier output to the console.

You'd need to create an account to log into the pfSense GUI and include Additional RADIUS Attributes (REPLY-ITEM) Service-Type = Administrative-User.

I'd add the Additional RADIUS Attributes (CHECK-ITEM) NAS-Identifier == ?????? as a precaution to the OpenVPN users.

Andy
jimp Rebel Alliance Developer Netgate

pfSense won't care about Service-Type. It needs group membership or a username match.

So you can have local users with the same usernames with appropriate permissions, or, the much easier route, have groups on pfSense (like the default admins group) and then put something like this in the RADIUS user reply attribute:

Class := "admins"

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
jimp Rebel Alliance Developer Netgate

Basically you want to be able to test that entry from Diagnostics > Authentication, and when you log in with the RADIUS credentials it should tell you that the user is a member of the admins group.
NogBadTheBad

LOL yup I was looking at the wrong user 😥

Service-Type = Administrative-User is for my Linksys switches.

Andy
emammadov

I have 2 admins in our pfSense and other users for VPN. I selected RADIUS in Authentication Server in User Manager. But I still log in with the username created in the local database, plus I can't log in with the username created in RADIUS. I checked credentials in Diagnostics; it says "The following input errors were detected: Authentication failed."

Elvin
jimp Rebel Alliance Developer Netgate

If RADIUS login fails it falls back to local users, so your local admin user in pfSense will still work. That is a safety measure so that you don't get locked out by a broken RADIUS server.

You need to concentrate on fixing the RADIUS settings if the authentication is failing; something there still isn't quite right.
emammadov

Is there a tutorial for this? I have another question. If there is no internet, can I still log in to the pfSense web GUI with two factor authentication?

Elvin
jimp Rebel Alliance Developer Netgate

@emammadov said in Two factor authentication for admin login:

"Is there a tutorial for this?"

https://www.youtube.com/watch?v=n2Z3rr4W2xw
https://www.slideshare.net/NetgateUSA/radius-and-ldap-on-pfsense-24-pfsense-hangout-february-2018

"I have another question. If there is no internet, can I still log in to the pfSense web GUI with two factor authentication?"

Google Authenticator does not actually contact Google for anything. It's a mathematically calculated OTP value based on your own key, date/time, etc. It isn't actually tied to any Google service/account/login/etc. It's basically a Google-branded equivalent to mOTP.
emammadov

Thanks. I tried and it worked. Along with the user created on RADIUS, I can also log in with the user created on the local database, though I have chosen RADIUS in Authentication Server. You said it is a safety measure.
I have a question. I disabled web GUI login for the default local admin user "admin" and it works only on the console. I wonder, if RADIUS login fails, 1. can I add any user created on the local database to the admins group on the pfSense console, and 2. enable web GUI login for the admin user?

Elvin
jimp Rebel Alliance Developer Netgate

The local user fallback will work for any local user; it doesn't need to be admin. You can grant that user whatever privileges you want them to have. If adding them to the admins group is what you want, that will work.
emammadov

I mean, I have disabled the local admin user, so it can't log in via the web GUI; it works only on SSH and the console. If the RADIUS server suddenly fails, how can I enable the local admin user on SSH so that I can log in via the web GUI?

Elvin
jimp Rebel Alliance Developer Netgate

Yes, I know what you meant. What I'm saying is you can keep the actual "admin" account disabled and have some other local account you use instead that is always available for use.

Forcing yourself to re-enable admin when RADIUS is down is not a proper or reliable process. You can do it by resetting the admin password from the console, which should re-enable it, or try pfSsh.php playback changepassword admin from the shell.

I wouldn't leave the firewall without some kind of active fallback authentication account though.
emammadov

Thank you very much.

Elvin
M0L50N @jimp

@jimp Hi jimp.
I just implemented that setup, and if I leave the local admin user enabled so I don't get locked out, the problem is that we can always log in with that user without 2FA. My other admin user in FreeRADIUS with "Class := "admins"" works well, but the local one continues to work too!

I'm a little bit afraid to delete the local one. You said if RADIUS failed it will use the local database... but if I don't have an admin user in the local database?!?!

Thanks!
jimp Rebel Alliance Developer Netgate

It will always fall back to the local database if RADIUS is down or rejects the login, for safety. If that's a concern, set the admin password to something suitably long/complex and store it somewhere secure in case of RADIUS failure, but don't give the password to anyone else.

Or just forget the password and reset it from the console if you ever need to get in locally.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.