Is there a way to make PFSense authenticate with smart cards for Webadmin?



  • So for some background: We are building an environment for systems doing research that has to comply to NIST 800-171 controls and one of the things that specifics is two factor authentication for administrative tasks. To that end we have implemented a smart card system using Yubikeys based on the NIST PIV system the government uses for CACs. Works great, local login, RDP, SSH, etc all authenticate to active directory using X.509 certificates, the the private certificate is stored on the Yubikey protected by a PIN.

    The whole thing is protected by PFSense firewalls so I'd like to have them authenticate in the same way, if possible. Is this something that can be done? If not, can they talk to one of the Yubikey's other methods (U2F, OpenPGP, OATH)?

    Thanks.


  • Rebel Alliance Developer Netgate

    It's not currently possible to use cert/smartcard auth. We are keeping a close eye on this space though.

    You can set the GUI auth to use a RADIUS or LDAP server and then the OTP or similar mechanism is up to the auth server.



  • You can use SSH ( key+pass ) and create tunnel to remote local-host web admin interface port, next step is to disable access to web admin from any other interfaces and SSH will be your only way to access the web admin interface.
    If you can setup another admin workstation ( sw&hw) that ca use the smart cards to keep the private key maybe this can be what you look for.



  • Doing OTP via LDAP/RADIUS isn't really that feasible for what we are looking at. I mean it isn't impossible, but not really something I'd like to pursue.

    I would encourage you to consider adding this, if feasible, as it is a nice security feature. A full implementation that integrates with AD and does enterprise certificate authentication would be cool, but that aside just something simple like SSH keys could work well. Just have the ability to add a public certificate for a user and then do a CAPI auth for that. Requires manually updating certificates and so on but gives people the ability to do 2-factor without needing an enterprise PKI setup. Just a Yubikey (or anything like it) and you are good.

    The SSH idea is one I may try. It will work fine, Putty-CAC works great with Yubikeys and will give you an SSH key that works properly and requests the right CAPI certificate. So it would work in that card+pin would be needed to access the system. I'll think about that and how much that gets us over just having Webadmin access restricted to a particular set of systems, which require card+pin anyhow.


Log in to reply