    Is there any way to implement a kind of second-factor authentication with pfSense OpenVPN, like Google does, for example sending a phone PIN # or password after a successful user/password process, that is valid only for that session connection?
    You mean more than 2 factor.  Since if you auth the client's cert, and require a password you have 2 factor already.  Client has to have the cert (something they have) and they also need the password (something they know).

    Why are people obsessed with making their lives difficult..  Is this some corp policy you're trying to meet, where the goal is to make the vpn so difficult to use that nobody actually uses it ;)

    But sure you can setup openvpn on pfsense with freerad and also use an OTP, there are multiple ways to skin that cat.. Here is an older thread that goes over some of them that others have deployed.

    I would be curious to the actual use case, if you just want to play and see if it can be done great.. My opinions on the matter are in that old thread as well ;)

  • Thanks,
    I totally agree with you, but apparently that is an ISO 27001 requirement, but I succeeded in convincing the ISO adviser with your argument about second-factor authentication with a certificate.

    Thanks again, cheers

    Yeah it's funny how some of these auditors don't actually understand what they are auditing ;)  Ok MFA is a requirement, we are using MFA already.. How many factors you want ;)

    Should we have the users submit a DNA sample every time they auth? ROFL  Then you would have 3, cert they have, password they know and their DNA something they are..

    Glad you got it sorted.. Your users would have prob had a fit with many a help desk call having to add the OTP auth along with their password, etc.

