Solved: Two factor authentication for admin login
-
I have many users using openvpn. Then those users will not be able to connect through openvpn?
-
You want these many users to connect to the pfSense login page ?
I use IPsec IKEv2 for a VPN solution, so I add the following as an Additional RADIUS Attribute (CHECK-ITEM): NAS-Identifier == strongSwan. This basically only allows a connection if the request has come from strongSwan and the VPN user ID.
This basically stops users connected to my LAN from using their FreeRADIUS accounts to log into the router's management page.
If you ssh to your router and run a shell, then type in radsniff -x, then connect via OpenVPN, you'll see the NAS-Identifier output to the console.
You'd need to create an account to log into the pfSense GUI and include Additional RADIUS Attributes (REPLY-ITEM) Service-Type = Administrative-User.
I'd add the Additional RADIUS Attributes (CHECK-ITEM) NAS-Identifier == ?????? as a precaution to the OpenVPN users.
-
pfSense won't care about Service-Type. It needs group membership or a username match. So you can have local users with the same usernames with appropriate permissions, or the much easier route, have groups on pfSense (like the default admins group) and then put something like this in the RADIUS user reply attribute: Class := "admins"
-
Basically you want to be able to test that entry from Diagnostics > Authentication, and when you log in with the RADIUS credentials it should tell you that the user is a member of the admins group.
-
LOL yup I was looking at the wrong user
Service-Type = Administrative-User is for my Linksys switches.
-
I have 2 admins in our pfSense and other users for VPN. I selected RADIUS in Authentication Server in User Manager. But I still log in with the username created in the local database, plus I can't log in with the username created in RADIUS. I checked credentials in Diagnostics, it says: The following input errors were detected: Authentication failed.
-
If RADIUS login fails it falls back to local users, so your local admin user in pfSense will still work. That is a safety measure so that you don't get locked out by a broken RADIUS server.
You need to concentrate on fixing the RADIUS settings if the authentication is failing, something there still isn't quite right.
-
Is there a tutorial for this? I have another question. If there is no internet, can I still log into the pfSense web GUI with two factor authentication?
-
@emammadov said in Two factor authentication for admin login:
Is there a tutorial for this?
https://www.youtube.com/watch?v=n2Z3rr4W2xw
https://www.slideshare.net/NetgateUSA/radius-and-ldap-on-pfsense-24-pfsense-hangout-february-2018
I have another question. If there is no internet, can I still log into the pfSense web GUI with two factor authentication?
Google Authenticator does not actually contact Google for anything. It's a mathematically calculated OTP value based on your own key, date/time, etc. It isn't actually tied to any Google service/account/login/etc. It's basically a Google-branded equivalent to mOTP.
-
Thanks. I tried and it worked. Along with the user created on RADIUS, I can also log in with the user created in the local database though I have chosen RADIUS in Authentication Server. You said it is a safety measure.
I have a question. I disabled web GUI login for the default local admin user "admin" and it works only on the console. I wonder, if RADIUS login fails, 1. can I add any user created in the local database to the admins group on the pfSense console and 2. enable web GUI login for the admin user?
-
The local user fallback will work for any local user, it doesn't need to be admin. You can grant that user whatever privileges you want them to have. If adding them to the admins group is what you want, that will work.
-
I mean, I have disabled the local admin user, so it can't log in via the web GUI, it works only on SSH and the console. If the RADIUS server suddenly fails, how can I enable the local admin user on SSH so that I can log in via the web GUI!?
-
Yes, I know what you meant. What I'm saying is you can keep the actual "admin" account disabled and have some other local account you use instead that is always available for use.
Forcing yourself to re-enable admin when RADIUS is down is not a proper or reliable process. You can do it by resetting the admin password from the console, which should re-enable it, or try
pfSsh.php playback changepassword admin
from the shell. I wouldn't leave the firewall without some kind of active fallback authentication account though.
-
Thank you very much.
-
@jimp Hi jimp.
I just implemented that setup, and if I leave the local admin user enabled so as not to be locked out, the problem is that we can always log in with that user without 2FA. My other admin user in FreeRADIUS with "Class := "admins"" works well, but the local one continues to work too! I'm a little bit afraid to delete the local one. You said if RADIUS fails it will use the local database ... but what if I don't have the admin user in the local database?!?!
Thanks!
-
It will always fall back to local database if RADIUS is down or rejects the login, for safety. If that's a concern, set the admin password to something suitably long/complex and store it somewhere secure in case of RADIUS failure, but don't give the password to anyone else.
Or just forget the password and reset it from the console if you ever need to get in locally.
-
@jimp
I understand, but for security reasons, is it not better to not have a local admin user? My goal in creating 2FA admin access is to secure admin access. If the local user still exists, even with a strong password, the possibility to brute force it exists?!?!?! Maybe I'm better off not using 2FA with my admin user, using a really strong password and adding rules to stop brute forcing!?!?!
What is your vision about that?
Thanks for your advices!
-
You cannot delete the admin account as it's required for the firewall to function.
There is brute force protection already in pfSense that makes that kind of attack impractical.
If you set the password to a random long string >70 chars it's highly unlikely anything could practically brute force that. Especially if you have the GUI properly protected.
-
@jimp Thanks a lot. With your response, I can't find any advantage to putting 2FA in place for the admin account. I will only use a really strong password! However, I will use my FreeRADIUS for my OpenVPN clients!
Thanks again and have a good weekend!
-
So I have this set up and working with Google Authenticator, but I just noticed what I consider to be a major security flaw: any admin can reveal any other admin's PIN and INIT-SECRET.
This allows any admin to easily impersonate any other admin. This means that it is not possible to be 100% sure that activity undertaken by any given admin was actually done by that admin. This makes pfSense non-compliant with basic security requirements for NIST/CMMC and probably many others with similar requirements to tie activity to a specific individual.
I suspect this was maybe just overlooked? Can a future update please fix this pretty serious and unnecessary risk?