Netgate Discussion Forum

    Is there a way to make PFSense authenticate with smart cards for Webadmin?

    General pfSense Questions
    4 Posts 3 Posters 2.4k Views
    • Sycraft

      So for some background: We are building an environment for systems doing research that has to comply with NIST 800-171 controls, and one of the things it specifies is two-factor authentication for administrative tasks. To that end we have implemented a smart card system using Yubikeys based on the NIST PIV system the government uses for CACs. Works great; local login, RDP, SSH, etc. all authenticate to Active Directory using X.509 certificates, and the private certificate is stored on the Yubikey protected by a PIN.

      The whole thing is protected by PFSense firewalls so I'd like to have them authenticate in the same way, if possible. Is this something that can be done? If not, can they talk to one of the Yubikey's other methods (U2F, OpenPGP, OATH)?

      Thanks.

      • jimp (Rebel Alliance Developer, Netgate)

        It's not currently possible to use cert/smartcard auth. We are keeping a close eye on this space though.

        You can set the GUI auth to use a RADIUS or LDAP server and then the OTP or similar mechanism is up to the auth server.

        • n3by

          You can use SSH (key+pass) and create a tunnel to the remote localhost web admin interface port; the next step is to disable access to the web admin from any other interfaces, and SSH will be your only way to access the web admin interface.
          If you can set up another admin workstation (sw&hw) that can use the smart cards to keep the private key, maybe this can be what you are looking for.

          • Sycraft

            Doing OTP via LDAP/RADIUS isn't really that feasible for what we are looking at. I mean it isn't impossible, but not really something I'd like to pursue.

            I would encourage you to consider adding this, if feasible, as it is a nice security feature. A full implementation that integrates with AD and does enterprise certificate authentication would be cool, but that aside just something simple like SSH keys could work well. Just have the ability to add a public certificate for a user and then do a CAPI auth for that. Requires manually updating certificates and so on but gives people the ability to do 2-factor without needing an enterprise PKI setup. Just a Yubikey (or anything like it) and you are good.

            The SSH idea is one I may try. It will work fine, Putty-CAC works great with Yubikeys and will give you an SSH key that works properly and requests the right CAPI certificate. So it would work in that card+pin would be needed to access the system. I'll think about that and how much that gets us over just having Webadmin access restricted to a particular set of systems, which require card+pin anyhow.

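The SSH-tunnel approach n3by suggests, and the card-backed SSH key Sycraft describes with PuTTY-CAC, done with OpenSSH as an added example that is not from the thread or from Netgate: the card's PIV key is loaded through a PKCS#11 module, its public half goes into the pfSense user's authorized SSH keys, and the webConfigurator is reached only over a local-only forward. The module path, host name, user and ports are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reach the pfSense webConfigurator only
# through an SSH tunnel whose key lives in the YubiKey PIV applet, loaded by
# OpenSSH via a PKCS#11 module (the OpenSSH counterpart of PuTTY-CAC).
# Assumptions: module path, host name, user and ports below are placeholders.

# PKCS#11 provider for the card; the OpenSC module is the usual choice (placeholder path).
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"

# Print the OpenSSH-format public keys held on the card. Paste the line for the
# PIV authentication key into the pfSense user's "Authorized SSH Keys" field;
# the firewall only ever holds the public half, the private key stays on the card.
export_card_pubkey() {
    [ -r "$PKCS11_MODULE" ] || { echo "PKCS#11 module not readable: $PKCS11_MODULE" >&2; return 1; }
    ssh-keygen -D "$PKCS11_MODULE"
}

# Compose the tunnel command. -I loads the card (OpenSSH prompts for the PIN, so
# both the YubiKey and its PIN are needed); -N opens no remote shell; -L binds
# the local listener to 127.0.0.1 only; ExitOnForwardFailure turns a refused
# forward into a hard error instead of a silent, unusable session.
# Args: firewall host, SSH user, local port (default 8443), GUI port (default 443).
build_tunnel_cmd() {
    fw_host=$1
    fw_user=$2
    local_port=${3:-8443}
    gui_port=${4:-443}
    printf 'ssh -I %s -o ExitOnForwardFailure=yes -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$PKCS11_MODULE" "$local_port" "$gui_port" "$fw_user" "$fw_host"
}

# Open the tunnel; then browse to https://127.0.0.1:8443/ on the workstation.
# The GUI's own listener on the firewall is the only thing answering there.
open_gui_tunnel() {
    eval "$(build_tunnel_cmd "$@")"
}
```

The second half of n3by's suggestion, allowing SSH only from the admin workstation and blocking the GUI port on every interface, is done with pfSense's firewall rules in the GUI, so the tunnel becomes the only path to the webConfigurator.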
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.