FreeRADIUS OVPN GAUTH
-
This is a question or perhaps it's a feature request. I have pfSense/FreeRADIUS/Google Authenticator/OVPN working very well. I have several different pfSense firewalls configured this way, and they all appear as "FreeRADIUS" in the Google Authenticator app. This is inconvenient and confusing. I'd like the QR generator to present a more useful name.
According to this website https://www.edwardthomson.com/blog/changing_titles_in_google_authenticator.html the QR code is generated from an otpauth URL: otpauth://totp/account_name?secret=secret_key&issuer=Website_Title
That Issuer is seemingly hardcoded in pfSense to be "FreeRADIUS".
There is no way to change this in the GUI. I've looked through the CA, certificates, radius configuration files and all the OVPN settings, but I can't figure out how that name is specified. Perhaps in the PHP code?
If there is a file that can be edited, I'm willing to do that, but perhaps this is a detail that can be specified in the FreeRADIUS advanced fields or exposed as a field in future versions of pfSense.
Thanks.
-
@sublunar said in FreeRADIUS OVPN GAUTH:
That Issuer is seemingly hardcoded in pfSense to be "FreeRADIUS"
That's vital info, and all you need to answer your question.
If you need to know where x is defined, just look for it ^^
Looking for some characters, or even some random string, is the world's oldest "computer question".
The answer was : grep'something' tells me you should start looking in /usr
So:
cd /usr
grep -R "FreeRADIUS" *
This will show several hundreds of results.
This one is interesting :
local/pkg/freeradius.xml: var provider = encodeURIComponent("FreeRADIUS");
Looking at the file /usr/local/pkg/freeradius.xml - search for 'provider' and you fall right into OAUTH code.
Up to you to experiment now ;)
-
@Gertjan Thank you. /usr/local/pkg/freeradius.xml is indeed the file that contains the string. I've changed the variable and now I get a meaningful title when the app reads the QR code. The change doesn't require recreating the user or restarting.
-
Great !
Keep in mind that when the FreeRadius package upgrades, you have to re-edit this file.
-
I have changed the XML script a bit.
Maybe the one who is responsible for the package can add this in the new version?
Changes are made in freeradius.xml (located in /usr/local/pkg)
add:
<field>
	<fielddescr>Authenticator Name</fielddescr>
	<fieldname>varcompanyname</fieldname>
	<description>
		<![CDATA[
		You can fill in a name to be shown in Googles Authenticator.<br/>
		<span class="text-info">(Default: FreeRadius). </span>
		]]>
	</description>
	<type>input</type>
	<default_value>FreeRadius</default_value>
</field>
right under the time field (right under </field>)
and then change:
var provider = encodeURIComponent("FreeRADIUS");
to
var provider = encodeURIComponent($('#varcompanyname').val());
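The otpauth URL format quoted in the first post, with the issuer read from a configurable value as in the change above, as an added example that is not part of the original post or of the pfSense package. The function names, the fallback to "FreeRADIUS" when the field is empty, and the sample secret are assumptions of this example.

```javascript
// Added example: build and parse the otpauth:// URI that the QR code encodes.
// DEFAULT_ISSUER mirrors the string hardcoded in freeradius.xml; all function
// and parameter names here are assumptions made for illustration.
const DEFAULT_ISSUER = "FreeRADIUS";

function buildOtpauthUri(account, secretBase32, issuerInput) {
  // An empty or whitespace-only form field must not produce a blank issuer.
  const issuer = (issuerInput || "").trim() || DEFAULT_ISSUER;
  // In the label, ':' separates an issuer prefix from the account name, so a
  // colon inside either value would change what the app displays.
  if (issuer.includes(":") || account.includes(":")) {
    throw new Error("issuer and account must not contain ':'");
  }
  // Normalise the secret: drop spaces and padding, then require base32.
  const secret = secretBase32.replace(/\s+/g, "").replace(/=+$/, "").toUpperCase();
  if (!/^[A-Z2-7]+$/.test(secret)) {
    throw new Error("secret is not valid base32");
  }
  // Encoding keeps '&', '=', '?' or spaces in the issuer from being read
  // as extra query parameters. The result contains the shared secret, so
  // it should never be written to logs.
  return "otpauth://totp/" + encodeURIComponent(account) +
    "?secret=" + secret +
    "&issuer=" + encodeURIComponent(issuer);
}

function parseOtpauthUri(uri) {
  const u = new URL(uri);
  if (u.protocol !== "otpauth:" || u.host !== "totp") {
    throw new Error("not a TOTP otpauth URI");
  }
  return {
    account: decodeURIComponent(u.pathname.slice(1)),
    secret: u.searchParams.get("secret"),
    issuer: u.searchParams.get("issuer"),
  };
}

// Constructed sample values, not taken from any real account.
const SAMPLE_URI = buildOtpauthUri("alice", "jbsw y3dp ehpk 3pxp", "Branch Office FW");
```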
-
While looking for a solution to this, I saw that it is now possible to set the OTP Label by adding a Description in the Users Edit page:
I'm using pfSense 2.4.5-RELEASE-p1 and freeradius3 0.15.7_20
Requested in Issue:
https://redmine.pfsense.org/issues/8878
Corresponding Pull Request:
https://github.com/pfsense/FreeBSD-ports/pull/779