Netgate Discussion Forum
    Solved: Two factor authentication for admin login

General pfSense Questions. 33 Posts, 9 Posters, 31.8k Views
• NogBadTheBad

  LOL yup I was looking at the wrong user 😥

  Service-Type = Administrative-User is for my Linksys switches.

  Andy

  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

• emammadov

  I have 2 admins in our pfSense and other users for VPN. I selected RADIUS in Authentication Server in User Manager. But I can still log in with the username created in the local database, plus I can't log in with the username created in RADIUS. I checked the credentials in Diagnostics; it says: The following input errors were detected: Authentication failed.

  Elvin

• jimp (Rebel Alliance Developer, Netgate)

  If RADIUS login fails it falls back to local users, so your local admin user in pfSense will still work. That is a safety measure so that you don't get locked out by a broken RADIUS server.

  You need to concentrate on fixing the RADIUS settings if the authentication is failing, something there still isn't quite right.

  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

  Need help fast? Netgate Global Support!

  Do not Chat/PM for help!

• emammadov

  Is there a tutorial for this? I have another question: if there is no internet, can I still log in to the pfSense web GUI with two factor authentication?

  Elvin

• jimp (Rebel Alliance Developer, Netgate)

  @emammadov said in Two factor authentication for admin login:

  Is there a tutorial for this?

  https://www.youtube.com/watch?v=n2Z3rr4W2xw
  https://www.slideshare.net/NetgateUSA/radius-and-ldap-on-pfsense-24-pfsense-hangout-february-2018

  I have another question: if there is no internet, can I still log in to the pfSense web GUI with two factor authentication?

  Google Authenticator does not actually contact Google for anything. It's a mathematically calculated OTP value based on your own key, date/time, etc. It isn't actually tied to any Google service/account/login/etc. It's basically a Google-branded equivalent to mOTP.

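As an added illustration of jimp's point above (example code written for this thread, not pfSense's or the freeradius package's own code): a Google Authenticator code is just HMAC-SHA1 over the shared secret and the current 30-second time slot (RFC 6238), so generating and checking it needs no network access at all. The base32 secret below is constructed from the RFC 6238 test key and is not a real key; verify_totp shows the verifier side with a one-step clock-skew window.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the base32 string you would scan into Google
# Authenticator. It is the RFC 6238 test key "12345678901234567890", NOT a real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP exactly as the authenticator app computes it: key + clock, no server."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, unix_time // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Verifier side (what the RADIUS server does): accept the current slot or one slot
    either side to tolerate clock drift. Constant-time compare avoids leaking which
    digits matched through response timing."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second slot:", totp(DEMO_SECRET_B32, now))
```

With pfSense's freeradius package in Google Authenticator mode, the password presented to RADIUS is the user's PIN followed by this six-digit code; the firewall and the phone only need agreeing clocks, not internet access.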
• emammadov

  Thanks. I tried it and it worked. Along with the user created on RADIUS, I can also log in with the user created in the local database, though I have chosen RADIUS in Authentication Server. You said it is a safety measure.
  I have a question. I disabled web GUI login for the default local admin user "admin" and it works only on the console. I wonder, if RADIUS login fails, 1. can I add any user created in the local database to the admins group on the pfSense console and 2. enable web GUI login for the admin user?

  Elvin

• jimp (Rebel Alliance Developer, Netgate)

  The local user fallback will work for any local user; it doesn't need to be admin. You can grant that user whatever privileges you want them to have. If adding them to the admins group is what you want, that will work.

• emammadov

  I mean, I have disabled the local admin user, so it can't log in via the web GUI; it works only on SSH and console. If the RADIUS server suddenly fails, how can I enable the local admin user over SSH so that I can log in via the web GUI?

  Elvin

• jimp (Rebel Alliance Developer, Netgate)

  Yes, I know what you meant. What I'm saying is you can keep the actual "admin" account disabled and have some other local account you use instead that is always available for use.

  Forcing yourself to re-enable admin when RADIUS is down is not a proper or reliable process. You can do it by resetting the admin password from the console, which should re-enable it, or try pfSsh.php playback changepassword admin from the shell.

  I wouldn't leave the firewall without some kind of active fallback authentication account though.

• emammadov

  Thank you very much.

  Elvin

• M0L50N @jimp

  @jimp Hi jimp.
  I just implemented that setup, and if I leave the local admin user enabled so as not to be locked out, the problem is that we can always log in with that user without 2FA. My other admin user in freeradius with "Class := "admins"" works well, but the local one continues to work too!

  I'm a little bit afraid to delete the local one. You said if RADIUS fails it will use the local database ... but what if I don't have an admin user in the local database?!?!

  Thanks!

• jimp (Rebel Alliance Developer, Netgate)

  It will always fall back to the local database if RADIUS is down or rejects the login, for safety. If that's a concern, set the admin password to something suitably long/complex and store it somewhere secure in case of RADIUS failure, but don't give the password to anyone else.

  Or just forget the password and reset it from the console if you ever need to get in locally.

• M0L50N @jimp

  @jimp
  I understand, but for security reasons, isn't it better not to have a local admin user? My goal in creating 2FA admin access is to secure admin access. If the local user still exists, even with a strong password, the possibility of brute forcing it exists?!?!?!

  Maybe I'm better off not using 2FA with my admin user, using a really strong password and adding rules to stop brute forcing!?!?!

  What is your vision about that?

  Thanks for your advice!

• jimp (Rebel Alliance Developer, Netgate)

  You cannot delete the admin account as it's required for the firewall to function.

  There is brute force protection already in pfSense that makes that kind of attack impractical.

  If you set the password to a random long string >70 chars it's highly unlikely anything could practically brute force that. Especially if you have the GUI properly protected.

• M0L50N @jimp

  @jimp Thanks a lot. With your response, I can't find any advantage to putting 2FA in place for the admin account. I will only use a really strong password! However, I will use my freeradius for my OpenVPN client!
  Thanks again and have a good weekend!

• aaronssh

  So I have this set up and working with Google Authenticator but I just noticed what I consider to be a major security flaw: any admin can reveal any other admin's PIN and INIT-SECRET.

  This allows any admin to easily impersonate any other admin. This means that it is not possible to be 100% sure that activity undertaken by any given admin was actually done by that admin. This makes pfSense non-compliant with basic security requirements for NIST/CMMC and probably many others with similar requirements to tie activity to a specific individual.

  I suspect this was maybe just overlooked? Can a future update please fix this pretty serious and unnecessary risk?

• NiDeMa

  WARNING, ABSOLUTE AMATEUR:
  It did not work for me when I followed just these steps. It did work when I followed the steps and added the following:

  1. SYSTEM -> User management -> Edit admin user -> assign the freeradius server certificate as the user certificate.
  2. SYSTEM -> User management -> Authentication servers -> set the protocol to PAP (did not test whether this is necessary)

  It does work with Google Authenticator (PIN + generated passcode) BUT it also works with the old password that was set for admin. Is there a way to ensure that the old password does not work?

• michmoor (LAYER 8, Rebel Alliance) @aaronssh

  @aaronssh did you open a redmine?
  I suppose the mitigation would be to create a netadmin account that all your admins use to log in with 2FA.
  Agreed, no one should see the PINs.

  Firewall: NetGate, Palo Alto-VM, Juniper SRX
  Routing: Juniper, Arista, Cisco
  Switching: Juniper, Arista, Cisco
  Wireless: Unifi, Aruba IAP
  JNCIP, CCNP Enterprise

• JeGr (LAYER 8, Moderator) @michmoor

  @michmoor said in Solved: Two factor authentication for admin login:

  Agreed, no one should see the PINs.

  How exactly should that be achievable? A TOTP base key for calculation is a stored secret that has to be used by the software to calculate the codes, so AFAIR that can't be encrypted in any meaningful form. And as admin users normally are ADMINs - or root equivalents - they can simply get that info from the system; whatever barriers you put up in front of them can always be avoided. That's a "key to the castle" problem. Every admin that has REAL admin access also has the tools to delete logs, impersonate other users etc. on any other system, be it Linux, Windows etc., so I don't see how that should be non-compliant with any requirement that can't be reached other than by making admins "not real admins" that only have a subset of administrative power? As I don't know the specifics of NIST/CMMC requirements, please correct me if I'm wrong, as I'm just curious here. E.g. if I'm a Windows Administrator there's no problem in resetting the password of a fellow admin and logging in as him/her, or looking up stored credentials that aren't/can't be further encrypted? Or Linux users having access to sudo/su that can log in as another user and delete the logs afterwards?

  Thanks & Cheers

  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

• jimp (Rebel Alliance Developer, Netgate)

  In addition to the OTP calculation needing the PIN/secret, with how RADIUS works with OTP, it has to be set for PAP, which means the payload is sent in the clear. So it's best to keep that on the box if possible. If you must connect to a remote RADIUS system, wrap the connection in a VPN, stunnel, or similar.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.