    OpenVPN proposal
ivica.glavocic

FreeRADIUS server is installed and configured on pfSense firewall according to the official documentation https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa
Here is a description of the problem without my conclusions.

When I authenticate on pfSense from OpenVPN Connect client:

• On pfSense Diagnostics - Authentication, when I enter my username and PIN + OTP in password, I am authenticated.
• In OpenVPN Connect client, if I authenticate only with password (static-challenge "Enter OTP" 1 NOT PUSHED to client) and enter PIN + OTP in password field, connection is made.
• In OpenVPN Connect client, if I authenticate with static-challenge PUSHED to client, PIN as password and OTP entered in an additional window, the connection is rejected, authentication failed.
ivica.glavocic

I got help from Netgate support regarding this issue; as a result, a new feature request has been opened: https://redmine.pfsense.org/issues/16558
Thanks to everyone in Netgate support, especially Mr. Lev Prokofev; their response, explanation and help were excellent.
The issue with PIN and security still remains; I hope the rest will be resolved soon.

viragomann @ivica.glavocic

@ivica.glavocic said in OpenVPN proposal:

When I authenticate on pfSense from OpenVPN Connect client:

On pfSense Diagnostics - Authentication, when I enter my username and PIN + OTP in password, I am authenticated.

So FreeRADIUS expects PIN + OTP.

In the initial post you wrote it the other way round, so I was confused:

@ivica.glavocic said in OpenVPN proposal:

and freeradius server expects OTP + PIN.

This is the order in which OpenVPN Connect sends it.

But this is nothing which can be changed in the OpenVPN server; at best in the client.
The client sends a hash of both to the server and OpenVPN forwards it to FreeRADIUS for verification. OpenVPN itself doesn't see the PIN and OTP.

Hence there should be an option either in FreeRADIUS or in the VPN client software to change the order.

ivica.glavocic

Actually my conclusion was wrong (I thought the order was wrong); this is the explanation from Netgate support:
When you have a static-challenge option, it means that the user sends a password => PIN only, and response => OTP only.
With basic config from our guide, the RADIUS expects to see just the password, so PIN+OTP in one response.
With FreeRADIUS on pfSense, static-challenge from OpenVPN Connect will FAIL by default, because FreeRADIUS never combines the static-challenge OTP with the password automatically.

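The two cases support describes can be made concrete with the SCRV1 encoding that OpenVPN clients use when a static-challenge is pushed: the PIN travels as the password part and the OTP as the separate response part, whereas the basic FreeRADIUS setup from the guide only checks a single User-Password of the form PIN+OTP. The snippet below is an added illustration, not code from this thread, pfSense or FreeRADIUS; the PIN and OTP values are constructed, and `radius_password()` is a hypothetical recombining step showing what would have to happen between OpenVPN and FreeRADIUS for the stock configuration to accept a pushed static-challenge.

```python
import base64


def encode_scrv1(password: str, response: str) -> str:
    """Build the SCRV1 string an OpenVPN client sends for a pushed
    static-challenge: 'SCRV1:<b64 password>:<b64 response>'.
    With 2FA this is PIN in `password` and OTP in `response`."""
    return "SCRV1:%s:%s" % (
        base64.b64encode(password.encode()).decode(),
        base64.b64encode(response.encode()).decode(),
    )


def decode_scrv1(field: str) -> tuple[str, str]:
    """Split a static-challenge password field back into (PIN, OTP).
    Raises ValueError if the field is not a well-formed SCRV1 string."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        raise ValueError("not an SCRV1 static-challenge response")
    pin = base64.b64decode(parts[1], validate=True).decode()
    otp = base64.b64decode(parts[2], validate=True).decode()
    return pin, otp


def radius_password(field: str) -> str:
    """Hypothetical recombining step (constructed for this example):
    return what the basic FreeRADIUS config expects as User-Password,
    i.e. PIN followed by OTP. A plain (non-static-challenge) password,
    where the user already typed PIN+OTP, is passed through unchanged."""
    if field.startswith("SCRV1:"):
        pin, otp = decode_scrv1(field)
        return pin + otp
    return field


def radius_would_accept(field: str, expected: str) -> bool:
    """Constant-time comparison against the PIN+OTP value FreeRADIUS
    would compute for this user; models the 'FAIL by default' case."""
    import hmac
    return hmac.compare_digest(field.encode(), expected.encode())


if __name__ == "__main__":
    expected = "1234" + "567890"            # constructed PIN and OTP
    pushed = encode_scrv1("1234", "567890")  # what the client sends
    print(pushed)                            # SCRV1:MTIzNA==:NTY3ODkw
    print(radius_would_accept(pushed, expected))                   # False
    print(radius_would_accept(radius_password(pushed), expected))  # True
```

Running it shows that the raw SCRV1 field never equals PIN+OTP, which is exactly why the pushed static-challenge fails until something recombines the two parts.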
ivica.glavocic

This is bad. I just connected to OpenVPN with FreeRADIUS 2FA using only PIN + OTP, without user certificate.

viragomann @ivica.glavocic

@ivica.glavocic
If "strict cn-matching" is checked in the server settings, the server should reject this connection attempt.

ivica.glavocic

Strict User-CN Matching is checked (Enforce match).
Client Certificate Key Usage Validation is checked (Enforce key usage).
OpenVPN service is restarted.

Client certificate is deleted from pfSense; I can still connect with PIN + OTP.

viragomann @ivica.glavocic

@ivica.glavocic
Deleting the client certificate from pfSense does nothing at all if the client is still sending the cert to the server. The OpenVPN server just verifies that the client cert is signed by the assigned CA.

If you want to disable a client certificate you have to revoke it and assign the CRL to the server.

ivica.glavocic @viragomann

@viragomann said in OpenVPN proposal:

@ivica.glavocic
Deleting the client certificate from pfSense does nothing at all if the client is still sending the cert to the server. The OpenVPN server just verifies that the client cert is signed by the assigned CA.

If you want to disable a client certificate you have to revoke it and assign the CRL to the server.

Thanks for the info. Can you briefly write, or point me to the documentation that explains, how the process of OpenVPN with 2FA on FreeRADIUS works on pfSense?

viragomann @ivica.glavocic

@ivica.glavocic
I assumed you had realized this part already.
Anyway, here is a blog from 2022: FreeRadius on pfSense software for Two Factor Authentication

ivica.glavocic @viragomann

@viragomann thanks, I got that before; I was thinking more about the steps that are taken in the connection process, maybe something like this:

• User enters username and PIN+OTP in OpenVPN Connect client
• OpenVPN Connect client sends that info to pfSense
• pfSense looks for username and PIN+OTP in FreeRADIUS configuration
• User certificate ... where and when does that fit in?
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.