%201.png?width=302&name=Netgate%20Logo%20PMS%20(horizontal)%201.png "NetgateColorLogoRegisteredRGB.png")
In this post, you will learn how to use Google Authenticator as a method of two-factor authentication. The user will be able to log in to the OpenVPN remote-access service using their username and a combination of their PIN and the 6-digit number on their Google Authenticator app.
Two-factor authentication often referred to as “2FA”, is an identity and access management method that requires two forms of identification to access resources and information. 2FA allows users to monitor and help safeguard their most vulnerable information and networks.
2FA's security comes in two parts:
- something you know (like a username/password)
- something you have (like a key, a token, or a certificate set)
In its default configuration, OpenVPN on pfSense Plus uses 2FA in the form of username/password combinations and certificates that reside on the user’s computer. This may not fully satisfy the needs of the enterprise, which is why pfSense Plus provides multiple options for authentication.
The primary component in this configuration is the addition of the FreeRADIUS package. The FreeRADIUS service will perform the authentication checks against the Google Authenticator and determine if the user should be allowed to authenticate to the OpenVPN service.
Step 1 - Installing FreeRADIUS
First, you must install the FreeRADIUS package by logging into the pfSense Plus web GUI, navigating to System > Package Manager, and clicking the tab for Available Packages. Scroll down to the FreeRADIUS package and click Install.
Step 2 - Basic Configuration
Once installed, you can navigate to Services > FreeRADIUS and begin configuring the service by clicking the Settings tab. Scroll down near the bottom and enable Mobile One-Time-Password (OTP) support by clicking on the checkbox. Leave all other values as default, and save.
Step 3 - Create a Listener Port
Next, we must configure FreeRADIUS to listen for authentication requests. We do this by creating an interface. Click on the Interfaces tab and click the green Add button. Fill the form out like this and click Save:
Your new listening interface should look like this:
Step 4 - Allow FreeRADIUS to Accept Incoming Queries
The RADIUS server will not answer authentication requests from clients it does not know about, so we need to define the firewall as a client. Click on the “NAS/Clients” tab and click Add. You should only need to fill out the top portion of the form and click Save. Make sure you remember the “Client Shared Secret” that you enter here:
Step 5 - Creating a User
Finally, you must create a user in FreeRADIUS that will use the Google Authenticator to authenticate to the OpenVPN service. The way this works is like this:
- The user chooses a PIN (personal ID number)
- When the user logs into the VPN service, they will prepend their PIN to the 6-digit code provided by the Google Authenticator app.
Let’s create a new user called “testuser” with a PIN of 1234. Navigate to the Users tab and click the Add button. Fill in the username, but DO NOT fill in a password. Instead, scroll down and click the checkbox to enable the One-Time Password for this user. For the OTP Auth method, choose Google Authenticator.
Scroll down further, click the Generate the OTP Secret button, and enter the user’s PIN below.
Finally, to make it easier for the user, you may generate a QR code that the Google Authenticator app may scan. You can either show this QR code to the user or save the image and transmit it securely so they can personally scan it.
Scroll down and save, leaving everything else as default. Once scanned, the user can use the combination of their PIN plus the 6-digit code from Google Authenticator to log in.
Step 6 - Adding FreeRADIUS as an Authentication Source
The final step will be to add FreeRADIUS as an authentication source in pfSense Plus. To do that, navigate to System > User Manager, click on the Authentication Servers tab, and click Add. Fill out the form like this, and remember to set the Protocol to PAP:
Your shared secret is the one you chose from the NAS/Clients configuration. Click Save, and you are ready to use FreeRADIUS for authentication.
Step 7 - Testing FreeRADIUS
Before you set up a service to authenticate from FreeRADIUS, it’s a good idea to test it first. You may test your setup by navigating to Diagnostics > Authentication and choosing FreeRADIUS as the Authentication Server.
Enter your username that was created earlier, and in the password field, type the 4-digit PIN (in our case, 1234) along with the 6-digit code from Google Authenticator (in our case, 693953), making the whole password field to be “1234693953” and click Test. If all goes well, you should see the green banner indicating success.
Step 8 - Configuring OpenVPN from the Wizard
Once you have successfully tested the setup, you may go on to use it with different services. In this example, you will use it to authenticate an OpenVPN user. Navigate to VPN > OpenVPN and click the Wizard tab. For Type of Server, choose RADIUS, and click Next.
Choose the FreeRADIUS server and click Next.
For Certificate Authority, click “Add new CA” and
Fill out the form appropriately and scroll down to click Add.
For Certificate, click “Add New Certificate.”
In the Descriptive Name field, enter “OpenVPN,” scroll down to the bottom and click Create New Certificate.
Fill out the following form, providing the Description (“OpenVPN” sounds reasonable), then scroll down and enter the tunnel network (10.0.8.0/24 in this example) and the local network (172.17.1.0/24) in this example. For Concurrent Connections, 50 would probably suit most purposes. Increase or decrease this number as you see fit. Scroll down to the bottom and click Next.
On the final page, click the checkboxes to add the necessary firewall rules and click Next, then Finish. Your OpenVPN server is now ready for use.
All OpenVPN users should now be configured in FreeRADIUS and NOT in the System > User Manager. You may download the OpenVPN Client Export package to provide VPN clients and configurations to your users.
Using FreeRADIUS with Google Authenticator is just another example of the versatility of pfSense Plus.
Frequently Asked Questions About FreeRadius and pfSense Authentication
General FreeRadius Questions
Does pfSense have Radius capabilities?
Yes, pfSense includes Radius functionality through the FreeRadius package, which is available in the package manager. This open-source Radius server provides enterprise-grade authentication capabilities for various services including OpenVPN, Captive Portal, and wireless networks. The implementation offers full features expected from a commercial Radius solution while maintaining the flexibility and customization options that pfSense users have come to expect.
Does FreeRadius have a GUI?
Yes, once installed on pfSense, FreeRadius can be fully configured through the pfSense web interface. The configuration interface is accessible through Services > FreeRadius, providing a comprehensive set of management options for users, clients, interfaces, and authentication settings. The GUI makes it straightforward to configure complex authentication scenarios without needing to edit configuration files directly.
How do I use the FreeRadius client?
The FreeRadius client configuration process begins with setting up a NAS/Client entry that includes the client's IP address and a shared secret. You'll need to configure appropriate timeout values and define your authentication methods, such as PAP or CHAP, based on your security requirements. The final step involves configuring your specific service, whether it's OpenVPN, Captive Portal, or another authentication-dependent service, to communicate with the Radius client using the credentials you've established.
Integration and Authentication
How to integrate FreeRadius with LDAP on pfSense?
Integrating FreeRadius with LDAP on pfSense involves configuring your LDAP server settings within the FreeRadius interface. You'll need to set up the appropriate bind credentials and define LDAP search filters that match your organization's directory structure. The integration process requires careful attention to user attributes and authentication parameters to ensure seamless operation. Once configured, you can verify the setup using the authentication testing tool found under Diagnostics > Authentication in the pfSense interface.
Can I use existing LDAP instead of FreeRadius?
While pfSense can authenticate directly against LDAP without FreeRadius, using FreeRadius as an intermediary provides several advantages. FreeRadius adds enhanced logging and monitoring capabilities, more flexible authentication policies, and support for multiple authentication sources. It also enables advanced features like VLAN assignment and two-factor authentication options. This makes FreeRadius particularly valuable in environments where sophisticated authentication scenarios or detailed access control is required.
How do I integrate FreeRadius with pfSense for Wi-Fi authentication?
Setting up wireless authentication through FreeRadius begins with installing the package and configuring a wireless interface in FreeRadius. You'll need to establish your wireless access point as a Radius client and implement WPA2-Enterprise on your wireless network. The process includes creating user accounts or linking to an external authentication source, along with configuring the necessary firewall rules to permit authentication traffic. This setup provides enterprise-grade wireless security with centralized authentication management.
Captive Portal Configuration
How to Configure Authentication for Captive Portal?
Configuring Captive Portal authentication begins in the Services > Captive Portal section of pfSense. You'll select FreeRadius as your authentication server and configure essential portal settings including timeout parameters and concurrent connection limits. The process includes customizing the login page to match your organization's branding and creating the necessary firewall rules to manage portal traffic. User accounts must be properly configured in FreeRadius to ensure smooth authentication through the portal.
How to Configure the Captive Portal Login Page?
Customizing the Captive Portal login page is accomplished through the built-in HTML editor in the Services > Captive Portal section. You can modify the CSS styling to match your organization's visual identity and add your company logo. The authentication form can be tailored to your specific needs while maintaining functionality. Testing across different devices ensures a consistent user experience regardless of how users access the portal.
OpenVPN and Two-Factor Authentication
How to set up OpenVPN with Google Authenticator on pfSense?
Setting up OpenVPN with Google Authenticator requires the FreeRadius package with OTP support enabled. The configuration process involves creating user accounts with Google Authenticator integration and configuring OpenVPN to use FreeRadius for authentication. Once the basic setup is complete, you'll need to distribute client configurations to your users and thoroughly test the authentication process to ensure it works seamlessly.
Which NAS Device Should I Choose?
Selecting the appropriate NAS for Radius authentication depends on several key factors. Consider your expected number of concurrent users and the authentication methods you'll need to support. The device should be compatible with your existing network infrastructure and provide adequate performance for your authentication loads. Security features and future scalability needs should also factor into your decision-making process.
Troubleshooting and Support
Common Authentication Issues
Authentication problems often stem from mismatched client shared secrets or incorrect firewall rules blocking Radius ports. When troubleshooting, verify your NAS/Client configuration and examine system logs for authentication failures. Connection issues between the authentication server and clients should be verified, along with user credentials and group memberships. Most authentication problems can be resolved by methodically checking these common points of failure.
Where Can I Find Additional Help?
A wealth of support resources is available for pfSense and FreeRadius users. The Netgate Forums provide a vibrant community where users share experiences and solutions. Official documentation for both pfSense and FreeRadius offers detailed technical guidance.