Web Admin Two Factor Authentication



  • Hi,

    I'm sure this must have been asked before but I can't find any related to two factor authentication that doesn't relate to OpenVPN.

    Is there a way to add two factor authentication to the pfsense web gui?

    Thanks
    Dan


  • Rebel Alliance Global Moderator

    In what scenario does that make any sense?

    The web gui for starters should only be available via management network.  Only trusted "management" computers should be on this network.  Only admins should have access to these machines, and the logins for these machines and the access to this network.  Why are you now going to make their jobs even more difficult by require yet another auth method?

    Lets say something is broken and not working, ie like the internet.. Or dns on pfsense, etc.. How is the 2fa going to function to allow the admin in to fix it, etc.

    The web gui of your firewall should not be open to the public or unsecured users.. If it is - your doing it wrong ;)  Since it should only be allowed to be accessed at a network level by trusted people, and they have been given login info.  Some other form of 2fa is just over the top don't you think.



  • @dan_j:

    Hi,

    I'm sure this must have been asked before but I can't find any related to two factor authentication that doesn't relate to OpenVPN.

    Is there a way to add two factor authentication to the pfsense web gui?

    Thanks
    Dan

    Hi Dan, I don't believe MFA functionality to the WebGUI is available out-of-the-box, but it's a cool idea for defense in depth.  Maybe something TOTP-based that doesn't require any connectivity whatsoever (such as Google Authenticator, Authy, etc.).


  • Rebel Alliance Developer Netgate

    Install FreeRADIUS package. Setup users and Google Authenticator. Setup an entry in the Auth Servers for FreeRADIUS on Localhost. Set GUI to use the local RADIUS server for GUI auth. Done.



  • @johnpoz:

    In what scenario does that make any sense?

    It makes sense in any scenario, IMO :)
    It's a very outdated idea that just b'cuz you are behind a VPN or comning form a managment-network everything is secure. The interface as important and sensetive as pfSense GUI should always have the MFA enabled. VPN, [n]ACL etc. only protects from possible external threat but not that much for internal ones. In many cases you need to give people access to VPN and your managment-network but not all of them need to have acces to FW interface and a stolen/misplaced password can do the trick easily. Some organizations (like ours) don't allow any login (internal or external) without MFA at all. It's certainly a very good idea to have MFA enabled and the should be considered as an security enhancement.