Multi-factor Authentication for Web GUI?



  • Does pfSense WebGUI support Multi-factor authentication (MFA)? I would like to limit web login to something more than just the password. Thanks!


  • LAYER 8 Global Moderator

    https://forum.netgate.com/post/788636

    Where you should limit access other than password is physical/L3 security... You should have to be on your management network or from your admin IP, in the first place to even be able to pull up the gui.


  • LAYER 8 Rebel Alliance

    I use a dedicated management network for Admin access like the pfSense WebGUI, SSH and so on. There is no physical access to this network besides the engineering room itself.
    Only three people including me have Multi-factor OpenVPN access into this network.

    -Rico



  • @rsaanon said in Multi-factor Authentication for Web GUI?:

    Does pfSense WebGUI support Multi-factor authentication (MFA)?

    .... and when your WAN is down, how will MFA react ?
    The other way around : a hacker would take WAN down to disable the MFA.


  • LAYER 8 Global Moderator

    Yeah this ? comes up every now and then - and every time I just shake my head to be honest... Maybe they have some audit check box they need to check?



  • @johnpoz I do have L3 security in place via the FW rules as well as L2 security implemented via VLANs. I was considering a scenario where someone/somehow ;-) has access to the target subnet. So essentially I was looking to add another level of deterrence.



  • @Gertjan 2FA doesn't need Internet/WAN access, however.



  • @rsaanon : you're right. I answered to quickly.
    For a moment I thought the correct time would be needed, but that isn't true neither.
    For years I used some dongle that generated a 6 digit number, coupled with a login and a password. The dongle was stand alone, but it' serial was registred to my account - online.

    Anyway : you'll be needing a separated device, most probably.

    I tend more to use the basic answers : use LAN for GUI access - all other LAN interfaces (the OPTx) are for the public, with ports 80 and 443 towards the firewall locked down.
    This setup hasn't been broken since - and will only be broken when people have access to the box.
    Btw : my SSH access works with certs of course, no admin/password here.


  • Netgate Administrator

    Yeah to do this in pfSense requires authenticating against an auth server, usually radius. That can be Freeradius running on the firewall though as in JimP's past linked above.

    Steve


  • LAYER 8 Global Moderator

    @rsaanon said in Multi-factor Authentication for Web GUI?:

    I was considering a scenario where someone/somehow ;-) has access to the target subnet.

    Ok so now this person has some how gained access to this secure network... Then they also need the actual password to the admin account.. So how is that not MFA?

    So now you want not only 2 factor, you want 3 factor.. Physical access (which I would hope would be more then just plugging in a laptop to some open port) and somehow also knowing or guessing the admin password.. Which I would hope would be something other than P@55w0rd...

    Really???

    There is reason for MFA, when something is open to the whole freaking internet and they can spend all day guessing the password to my email account, there is another when to even put in the password you have to have bypassed physical/L3 security in the first place.



  • @johnpoz Thanks for responding. I was inquiring about MFA and not just 2FA. The admin password is secure and not the default or some variation of P@55w0rd. Switch ports on the Cisco switches are protected and therefore plugging in the laptop won't give necessary access. More than anything, I was just curious about pfSense & it's support for MFA/2FA.

    Thanks
    -r


Log in to reply