Wednesday, December 30, 2020

Multi-Factor Authentication for the PfSense WebGUI

 Multi-Factor Authentication for the PfSense WebGUI

1. Download the "freeradius3" package

 2. Navigate to the FreeRADIUS option listed under the "Services" tab

3. Go to the "Interfaces" tab and click the green "Add" button

4. Put "Authentication" in description and hit save

5. Click "Add" again

6. Change Port to 1813

7. Change interface Type to Accounting"

8. Put "Accounting" in the description and hit save

9. Go to the "NAS/Clients" tab and click "Add"

10. Under General Configuration put "" as the Client IP address

11. Put "RadServer" (or whatever you want) in in the "Client Shared Secret"

12. Put a shared secret (keep up with shared secret)

13. Save

14. Navigate to "User Manager" under the "System" tab on the top bar of the pfSense menu

15. Go to "Authentication Servers" and click "Add"

16. Under Server Settings enter descriptive name

17. Change type to "RADIUS"

18. Under RADIUS Server Settings put "" as the "Hostname or IP address"

19. Change the "RADIUS NAS IP Attribute" to LAN

20. Enter same shared secret from step 12

21. Hit save

22. Navigate back to the "FreeRADIUS" package under the "Services" tab

23. Under the "users" tab click "Add"

24. Create a username and password and click save

25. Test by going to "Authentication" listed under the "Diagnostics" tab on the top menu of the pfSense

26. Change Authentication Server to "RadServer" (or whatever you named the server) and enter your credentials

27. Click "Test"

28. If successful it will say "User authenticated successfully"

29. Navigate back to "User Manager" under the "System" tab and click on "Authentication Servers"

30. Click the edit button on your "RADIUS" type server

31. Under the "RADIUS server settings" change the Protocol to "PAP" and click "Save"

32. Navigate to the "FreeRADIUS" package under "Services" and click on the "Settings" tab

33. Scroll down to the "Mobile-One-Time-Password Configuration" area and check the box beside "Mobile-One-Time- and click "Save"

34. Click on the "Users" tab and click to edit previously created     user

35. Scroll down to the "One-Time Password Configuration" area

36. Check box beside "One-Time Password"

37. Change "OTP Auth Method" to "Google-Authenticator"

38. Click blue "Generate OTP Secret" (copy this secret somewhere easily accessible as it will be used by the user to set up his Google Authentication on his mobile device)

39. Enter a pin ***MUST BE NUMBERS ONLY***

40. Under the "General Configuration" area remove password (password area must be blank)

41. Click "Save"

42. On the clients phone, download the  Google Authenticator app

43. Click the add button (a "+" sign on the Apple app)

44. Click "Manual entry" 

45. Enter the username from step 24 

46. Enter the OTP Secret from step 38

47. Hit save

48. Credentials are the Username from step 24, and the password is the PIN from step 39 plus the code given on the Google Authenticator app. So if you entered a PIN of "1234" on step 39 and Google Authenticator had a code of "123 4567" your password would be "12341234567"

49. Go to System / User Manager / User and click Add

50. The Username must be the exact same as one of the users you created on the FreeRADIUS service (that was step 23).

51. Create a password (I recommend a VERY long and difficult password, as pfSense will recognize this password as well as your OTP with Google Authenticator as a fail-safe in case your FreeRADIUS quits working). 

52. Add to the "admins" group and click Save. 

53. Go to Settings and change the Authentication Server to your FreeRADIUS server and hit Save.

54. Go back to the FreeRADIUS service and click to edit the user you are using for the WebGUI multi-factor authentication.

55. Scroll down to the "Advanced Configuration" area near the bottom of the page, and enter Class := "admins" into the Additional RADIUS Attributes (REPLY-ITEM) box. Click Save.

56. Test your login to make sure it works with the PIN+OTP from Google Authenticator (ie if you entered a PIN of "1234" on step 39 and Google Authenticator had a OTP code of "123 4567" your password would be "12341234567").