Still no 2FA?
-
So, what's the deal with no 2FA support?
This is an enterprise-grade firewall; how is there still no 2FA for the web UI?
What are the reasons for this?
Thanks
-
We actually moved all admin users to FreeRADIUS 2FA auth. No issues so far.
-
@psp Yeah, I was looking at this; it looks like a lot of work though. How long did the setup take?
I'm just surprised this is not built in.
-
We have about 15 admins. Half an hour to set up the RADIUS server (we use the internal one, i.e. freeradius3) and 5 minutes to create each new admin user. This configuration supports HA if required.
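As an added example (not code from this post, from pfSense or from the freeradius3 package), the following shows what the RADIUS side of the 2FA check described above boils down to once pfSense forwards the admin's login to FreeRADIUS. It assumes the common "PIN followed by the 6-digit authenticator code" convention for the password field; that convention, the user record layout, the PIN `4711`, the seed, and helper names such as `verify` are this example's assumptions, not anything the post documents.

```python
"""
Added example: RADIUS-side verification of a PIN+TOTP password, as a RADIUS
server would do it for a pfSense admin login. Assumptions (not from the post):
the password is PIN immediately followed by the 6-digit code, user records are
kept in a dict, and the PIN/seed below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6       # code length the authenticator app displays
WINDOW = 1       # also accept the previous/next step to tolerate clock skew


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step)


# Constructed user database (assumption): one admin with a PIN and a base32
# TOTP seed. A real deployment generates the seed per user and enrolls it via
# QR code; the PIN is stored hashed, never in the clear.
USERS = {
    "alice": {
        "pin_sha256": hashlib.sha256(b"4711").hexdigest(),
        "totp_secret": "JBSWY3DPEHPK3PXP",   # constructed seed
        "last_counter": -1,                  # newest time step already accepted
    }
}


def verify(username: str, password: str, now: Optional[int] = None) -> bool:
    """
    Emulate the Access-Request decision for a PIN+OTP password.
    Returns True (Access-Accept) only if the PIN matches, the trailing code is a
    valid TOTP within +/-WINDOW steps, and that code has not been used before.
    """
    user = USERS.get(username)
    if user is None or len(password) <= DIGITS:
        return False
    pin, code = password[:-DIGITS], password[-DIGITS:]
    pin_hash = hashlib.sha256(pin.encode()).hexdigest()
    if not hmac.compare_digest(pin_hash, user["pin_sha256"]):
        return False
    if not (code.isascii() and code.isdigit()):
        return False
    now = int(time.time()) if now is None else now
    counter = now // STEP
    for candidate in range(counter - WINDOW, counter + WINDOW + 1):
        # Replay protection: any step at or below the last accepted one is
        # refused, so a sniffed code cannot be reused inside its 30 s window.
        if candidate <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            user["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    good = "4711" + totp(USERS["alice"]["totp_secret"], now)
    print("first use:", verify("alice", good, now))    # True
    print("replayed: ", verify("alice", good, now))    # False
```

The replay check matters more than it looks: the code is only valid for one time step, but within that step anyone who shoplders the password field or captures a PAP request over an unencrypted RADIUS hop could reuse it, so the server must remember the last accepted counter per user. The `hotp` and `totp` helpers can be checked against the RFC 4226 / RFC 6238 test vectors (seed `12345678901234567890`, counter 0 gives `755224`, time 59 gives `287082`).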
-
@deanfourie said in Still no 2FA?:
I'm just surprised this is not built in.
So FreeRADIUS is click-to-add in pfSense; how is it not built in? Are you looking for a click-and-dropdown menu to set up 2FA?
I think there is a lack of understanding of what constitutes MFA, to be honest. Any sane setup of a device like a firewall should be limited in which network/devices can access it in the first place, so the location of the auth is a factor. Now maybe this is just your LAN, but what it should be is a secured network that only admins can be on. So that is 1 factor. Now they need username+password = 2FA by the very definition of what 2FA is. Do you allow access to the firewall via the public internet?
So MFA auth can be made up of multiple(s) of these attributes:
- A knowledge factor is something the user knows, such as a password, a PIN, etc.
- A possession/have factor is something the user has, such as an ID card, a laptop, a security token, a cellphone, etc.
- A biometric or something-you-are factor, i.e. something inherent in the user's physical self.
- A location factor is usually denoted by the location from which an authentication attempt is being made.
- A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.
Maybe I'm missing something, but let's take these 5 and walk through some scenarios/setups.
So to auth to pfSense:
Username and password = 1 factor
Having to be on the secured "admin" network or IP = another factor. So unless you allow login to your firewall from the public internet? There is 2FA auth right there if you ask me.
Other factors that should/would be involved in access to this firewall could be another something you have, for example your ID to even get into the building to be able to get onto the network/room that can even access the firewall. Or maybe even biometric, a fingerprint to access the building or IT dept, or server room, etc.
Other factors to be considered: to get onto this "admin" network it's possible you have to do some sort of 802.1x auth to connect the device, not just walk in off the street and plug into some port or connect to some open wifi network. So this could be something you have - a work laptop that is pre-set up to get onto this admin network - and also something you know, the username+password to even log in to the laptop you have.
So if we walk through a typical possible process of accessing the firewall GUI:
ID to get into the building, a laptop that is a company laptop and allowed to access the network. Username and password to log in to this laptop. Username and password to access the pfSense GUI. So I count 2 things you have (ID and work laptop) and 2 things you know (login to this laptop and login to pfSense) = 4FA.
So unless this pfSense is, say, just sitting in the open or in an unlocked closet in a public building that requires no form of auth to enter, you're satisfying MFA.
Some token or SMS sent to a different device is just one of the ways to control access. But it is not the be-all and end-all of having 2FA.
edit:
So at a past company I worked at, these are the factors you would have to go through to get access to any sort of firewall/router/switch on the network. You had to thumbprint to get into the office. To get into the server room or network closets you needed a badge to scan at the door. So even if you were going to console in, i.e. physical access, you had to have 2 factors: your thumbprint and badge.
But typically: thumb to get in. Work laptop to access the network, because 802.1x was enabled - you couldn't just plug any laptop into any network port in some cube. Also, even if you passed 802.1x in some cube, i.e. with a company laptop, to access the admin network you had to use specific cube ports, and your laptop had to be specifically set up to access this network.
Now I needed to auth to my laptop, which required a tiks card, not just username+password; if you just found my laptop on the street it wouldn't do you any good.
Now to access the devices from this "admin" network you also needed to auth to the admin network - not just be plugged into the network that can auth. So this required a different username and password. Now once you were on this network, you could access network devices. And then you needed a username and password to auth to the device itself.
So how many factors is that? Well over 2, that is for sure ;)