-
Hi
I wonder if anyone has seen this or can help.
I have configured 2FA for admin access to all our pfSense firewalls in AWS.
I tested the 2FA, which works. I then created accounts and gave them to my admin users.
This all works fine, except one of our users then noticed that if he just uses his username and PIN and doesn't add the OTP PIN as well, he still gets into the GUI.
Regards, Justin
-
How do you have it configured? You used a guide?
-
@stephenw10 Hi. I used the guide below, which seems pretty straightforward.
https://www.comparitech.com/blog/vpn-privacy/pfsense-two-factor-authentication/
-
Hmm, in that guide the 2FA user is added as both a RADIUS account and as a local account. For most users that shouldn't be required; you only need a local account if RADIUS is unavailable for some reason.
Try the same test with an account that only exists in FreeRADIUS.
-
Hi... yes, I have tried that, but then you don't get access to the GUI to manage the FW.
You need to tell the FW that you are an admin, which you can only do in the User Manager.
Regards, Justin
-
Hmm, I see. If you set a completely different password in the local account I assume it will fail though?
-
Hi... so if I set a random PW it lets me in with my 2FA as I would like. But I guess it will still let me in with the random local PW I have set too.
So you still have a local PW for that account that doesn't require 2FA, if that makes sense?
-
Yes, that was more of a test to be sure it was using the local account when RADIUS fails. However, if you never send that password or never even know what it is, it's very unlikely to be compromised.
You might try setting the local account as 'unable to login'. Digging further....
-
Bingo! Setting the local account as 'unable to login' has resolved the issue.
Thanks very much for your help.
Regards, Justin
-
Ah, interesting! That's good to know.
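The bypass discussed in this thread comes from a local User Manager account that mirrors a RADIUS/OTP user but is still allowed to log in with its local password alone. The audit script below is an added example, not code from the thread or from pfSense; it assumes a pfSense-style config.xml where a user marked "unable to login" carries an empty `<disabled>` element, and both the XML fragment and the RADIUS user list are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml fragment. Assumption: the User Manager's
# "This user cannot login" setting is stored as an empty <disabled> element.
# Password hashes are placeholders, not real values.
CONFIG_XML = """<pfsense>
  <system>
    <user><name>admin</name><password>PLACEHOLDER-HASH</password>
          <priv>page-all</priv></user>
    <user><name>justin</name><password>PLACEHOLDER-HASH</password>
          <priv>page-all</priv><disabled></disabled></user>
    <user><name>bob</name><password>PLACEHOLDER-HASH</password>
          <priv>page-all</priv></user>
  </system>
</pfsense>"""

# Constructed list of usernames that exist in FreeRADIUS with OTP enabled.
RADIUS_2FA_USERS = {"justin", "bob"}


def audit_local_fallback(config_xml: str, radius_users: set[str]) -> list[str]:
    """Return local accounts that mirror a RADIUS/2FA user but can still log in locally.

    Such an account accepts its local password without any OTP, so it sidesteps
    the RADIUS 2FA check entirely. Accounts that are not in the RADIUS list
    (e.g. the built-in admin) are expected to be local-only and are not reported.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for user in root.iter("user"):
        name = user.findtext("name", "")
        login_allowed = user.find("disabled") is None
        if name in radius_users and login_allowed:
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    for name in audit_local_fallback(CONFIG_XML, RADIUS_2FA_USERS):
        print(f"{name}: local login still enabled; set 'unable to login' in the User Manager")
```

Run it against an exported config.xml and the list of usernames defined in FreeRADIUS; any name it reports still has a password-only path into the GUI.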
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.