• So, I have pfSense/OpenVPN installed and LDAP authentication to only allow a group of users to access the VPN with their AD credentials.  Everything is working great for my first step.  My next step, though, I'm having a little trouble tackling, and that's multi-factor.  I know we're shooting for something along the lines of Google Authenticator or a similar application time-based token that changes every so often.  Something either extremely cheap or free would be preferred for the little amount of VPN use we actually have.

    Essentially I want the user to have to type in their domain credentials and then also have to type in this rotating one time password.  Are there any guides out there on how to accomplish this and tie it into this currently working system?

  • LAYER 8 Global Moderator

    Other than making it a pain in the ass for the user, what is the actual point of this?

    So the user has to have the cert, or at least that is how you should have the VPN set up.  So they need their cert and the creds to auth with, so there you go, MFA already.  Something they have (the cert) and something they know, their AD creds.

    Why the time-based token?  Other than making it a PITA for the users to actually use the VPN? ;)

  • Currently they only VPN in with their AD credentials.  I want them to have to enter their AD credentials and a token code.  Requiring a token code from a separate device is much more secure than a certificate alone, especially if a user has their workstation/password compromised.  It also takes away from having to manage individual user/machine certificates.  The last 3 places I've worked required RSA hardware tokens, but the team here wants to try out an application-based token such as Google Auth/Duo/Authy.  I'm well aware of the ease of using a certificate/credential alone, but that's not the direction we chose to go.  Thank you for your input though :)