Multi-factor Authentication for Web GUI?

rsaanon · May 29, 2019, 8:13 PM

Does pfSense WebGUI support Multi-factor authentication (MFA)? I would like to limit web login to something more than just the password. Thanks!

johnpoz · May 29, 2019, 8:21 PM

https://forum.netgate.com/post/788636

Where you should limit access other than password is physical/L3 security... You should have to be on your management network or from your admin IP, in the first place to even be able to pull up the gui.

Rico · May 29, 2019, 12:31 PM

I use a dedicated management network for Admin access like the pfSense WebGUI, SSH and so on. There is no physical access to this network besides the engineering room itself.
Only three people including me have Multi-factor OpenVPN access into this network.

-Rico

Gertjan · May 29, 2019, 8:13 PM

@rsaanon said in Multi-factor Authentication for Web GUI?:

Does pfSense WebGUI support Multi-factor authentication (MFA)?

.... and when your WAN is down, how will MFA react ?
The other way around : a hacker would take WAN down to disable the MFA.

johnpoz · May 29, 2019, 8:14 PM

Yeah this ? comes up every now and then - and every time I just shake my head to be honest... Maybe they have some audit check box they need to check?

rsaanon · May 29, 2019, 8:21 PM

@johnpoz I do have L3 security in place via the FW rules as well as L2 security implemented via VLANs. I was considering a scenario where someone/somehow ;-) has access to the target subnet. So essentially I was looking to add another level of deterrence.

rsaanon · May 29, 2019, 8:25 PM

@Gertjan 2FA doesn't need Internet/WAN access, however.

Gertjan · May 29, 2019, 9:09 PM

@rsaanon : you're right. I answered to quickly.
For a moment I thought the correct time would be needed, but that isn't true neither.
For years I used some dongle that generated a 6 digit number, coupled with a login and a password. The dongle was stand alone, but it' serial was registred to my account - online.

Anyway : you'll be needing a separated device, most probably.

I tend more to use the basic answers : use LAN for GUI access - all other LAN interfaces (the OPTx) are for the public, with ports 80 and 443 towards the firewall locked down.
This setup hasn't been broken since - and will only be broken when people have access to the box.
Btw : my SSH access works with certs of course, no admin/password here.

stephenw10 · May 29, 2019, 10:01 PM

Yeah to do this in pfSense requires authenticating against an auth server, usually radius. That can be Freeradius running on the firewall though as in JimP's past linked above.

Steve

johnpoz · May 30, 2019, 8:06 PM

@rsaanon said in Multi-factor Authentication for Web GUI?:

I was considering a scenario where someone/somehow ;-) has access to the target subnet.

Ok so now this person has some how gained access to this secure network... Then they also need the actual password to the admin account.. So how is that not MFA?

So now you want not only 2 factor, you want 3 factor.. Physical access (which I would hope would be more then just plugging in a laptop to some open port) and somehow also knowing or guessing the admin password.. Which I would hope would be something other than P@55w0rd...

Really???

There is reason for MFA, when something is open to the whole freaking internet and they can spend all day guessing the password to my email account, there is another when to even put in the password you have to have bypassed physical/L3 security in the first place.

rsaanon · May 30, 2019, 8:06 PM

@johnpoz Thanks for responding. I was inquiring about MFA and not just 2FA. The admin password is secure and not the default or some variation of P@55w0rd. Switch ports on the Cisco switches are protected and therefore plugging in the laptop won't give necessary access. More than anything, I was just curious about pfSense & it's support for MFA/2FA.

Thanks
-r