Question about PAM authentication
-
I want to add a second layer of security to my OpenVPN setup by requiring a username/password on each client in addition to certificates. I noticed that Captive Portal has a user manager, and even though I'm not using Captive Portal in my environment, I was wondering if I could use its user manager for my VPN users. We're a small environment and we think there will be fewer than 5, maybe 10 max, users connecting to the VPN. Where is Captive Portal storing its user table? I'm assuming that's PAM accessible with little modification, right?
If I could plug in a user and an expiration on a login, and then a few days later remove that user and they're not able to log in, that would work out excellently for what we need. I see the Captive Portal user manager allows you to place an expiration on usernames/passwords. I'm using the embedded version, but I am gonna try plugging the openvpn-auth-pam plugin in there and testing it tomorrow. I just hope PAM can locate the passwords saved by Captive Portal. If anyone has any experience tweaking something like this with OpenVPN, please chime in. I'm reading the OpenVPN mailing lists and I know it's possible with RADIUS, but since the embedded version of pfSense doesn't include FreeRADIUS, I'm kinda screwed in that regard. I guess I could install RADIUS on one of our Windows Servers, but I'd like to keep it all contained in pfSense if I can (user management, etc). If none of this works out then… I'll have to get rid of the CF and use hard drives instead, I guess...
Any help would be greatly appreciated!
-
The user manager of the Captive Portal stores its usernames and passwords in the config.xml file.