Captive portal with two-factor authentication (2FA)
-
Hello. For a project at work, I am implementing a captive portal with pfSense and FreeRADIUS, which contains the login information of my users. I would like to implement two-factor authentication with Google Authenticator or mOTP, but I can't. Can someone help me? Thank you.
-
@Chris00 Implementing two-factor authentication (2FA) in your captive portal using pfSense and FreeRADIUS is a great way to improve the login security of your users. By adding an additional layer of verification beyond the user password, you can significantly reduce the risk of unauthorized access to your network.
There are two main methods for implementing 2FA using pfSense and FreeRADIUS:
RADIUS clients. If your user authentication is handled by a RADIUS server other than FreeRADIUS, you can use the RADIUS client plugin for FreeRADIUS to integrate with Google Authenticator or other 2FA providers.
Native FreeRADIUS Support: FreeRADIUS 3.x and later have native support for 2FA using RADIUS attribute extensions. This method is simpler and does not require additional plugins.
Here's a general overview of how to implement 2FA using Google Authenticator:
Install and configure Google Authenticator. Download and install the Google Authenticator app on your mobile device. Create an account on the Google Authenticator website to generate QR codes.
Enable 2FA in pfSense. In pfSense, go to Radius -> Clients. Select the RADIUS client that uses your captive portal and enable the RADIUS Attribute Extensions option.
Set up the 2FA attribute. Create a new RADIUS attribute, such as Google_Authenticator, and set its type to Vendor-Specific. The attribute value will be the Base32 encoding of the QR code generated by Google Authenticator.
Update the users' RADIUS attributes. For each user in the RADIUS database, update their attributes to include a Google_Authenticator attribute with the corresponding QR code value.
Set up a captive portal. In the captive portal configuration, add a 2FA verification step after successful password authentication. This step should redirect the user to a web page that displays the QR code and instructions for scanning it using the Google Authenticator app.
Test and verify: Once configured, verify it by logging into the captive portal using your user account. If the 2FA verification step appears and the user can successfully scan the QR code and enter the code provided by the application, the 2FA implementation is successful.
Be sure to update documentation and user guides to inform them of the new 2FA requirements. Provide clear instructions on how to set up Google Authenticator on mobile devices and how to enter the 2FA code when logging in.
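
Added example, not part of either post and not pfSense or FreeRADIUS code: what a server-side check of a Google Authenticator code involves (RFC 6238 TOTP over a Base32 shared secret), with clock-drift tolerance and replay rejection. The `verify` helper, the PIN-followed-by-code password layout, the PIN value and the sample secret (the RFC 6238 test key) are assumptions for illustration.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # 30-second step, 6 digits: Google Authenticator defaults

def totp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP value (HMAC-SHA1) for one time-step counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(password: str, pin: str, secret_b32: str, now: float,
           last_used: int = -1, window: int = 1):
    """Check a 'PIN + code' password field (assumed layout).

    Returns (ok, counter_to_store). The caller persists the counter per
    user so a code cannot be accepted twice.
    """
    supplied_pin, code = password[:-DIGITS], password[-DIGITS:]
    pin_ok = hmac.compare_digest(supplied_pin.encode(), pin.encode())
    current = int(now) // STEP
    matched = None
    # Accept +/- `window` steps of clock drift; compare in constant time
    # and do not exit the loop early on a match.
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(secret_b32, counter).encode(), code.encode()):
            matched = counter
    if not pin_ok or matched is None or matched <= last_used:
        return False, last_used   # wrong PIN, wrong/expired code, or replay
    return True, matched

if __name__ == "__main__":
    # Constructed sample: RFC 6238 test secret, hypothetical PIN 4321.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(verify("4321287082", "4321", secret, now=59))
    print(verify("4321287082", "4321", secret, now=59, last_used=1))
```

The per-user secret is the only thing that has to be stored server-side; the QR code shown at enrolment is just a transport for that Base32 string and should be treated with the same confidentiality as a password hash.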