
pfSense OpenVPN Setup with FreeRADIUS 3 2FA Authentication: Part 2 (FreeRADIUS 3 Setup)

  1. 3 months ago
    Edited 3 months ago by Men in Black

    Part 1: OpenVPN Setup
    Part 2: FreeRADIUS3 Setup
    Part 3: Final Setup – Connecting the Two

    PART 2: FreeRADIUS 3 Setup (standalone installation)

    Begin by installing the FreeRADIUS 3 package (package version 0.15 at the time of writing) by going to System: Package Manager: Available Packages and clicking Install.

    Once installed, we’ll begin the setup by going into the Services menu, then FreeRADIUS.

    pfinterfaces-7.jpg

    From here we will start by setting up a new listening interface for FreeRADIUS. Go to the Interfaces tab and click Add.

    interfacedetails-1.jpg

    Interface IP Address: 127.0.0.1 – unless you plan on using FreeRADIUS for clients outside of this pfSense installation, bind it to localhost only. That keeps the authentication port off every LAN/WAN interface, so nothing but pfSense itself can send it requests.
    Port: [keep default] (1812)
    Interface Type: Authentication
    IP Version: [keep default] (unless you are using IPv6/both for LAN)
    Description: Enter a description of the interface’s purpose.
    Once done, hit Save.

    We will now add a NAS client. Navigate to the NAS / Clients tab, then click Add.

    NASdetails-1.jpg

    Client IP Address: 127.0.0.1 – the NAS (the RADIUS client) is pfSense itself, which will send its requests from localhost, so again only localhost should be allowed.
    Client IP Version: IPv4 (unless using IPv6/both)
    Client Shortname: Enter a name that identifies the NAS’ purpose, like “OpenVPN”
    Client Shared Secret: Use a password generator to create a 31-character secret. You will need to enter exactly the same value again later in the setup, so record it somewhere safe.
    Description: Enter a description of the purpose of the NAS (“OpenVPN Auth”, etc.)
    Once done, hit Save.

    We will now add FreeRADIUS as an authentication server so it’s available within pfSense. Go into the System menu, then User Manager, then the Servers tab. Click Add.

    NASdetails3.jpg

    Change Type to RADIUS.

    NASdetails4.jpg

    Descriptive Name: Short description of the server’s purpose
    Type: RADIUS
    Hostname or IP Address: 127.0.0.1 (must match the NAS client address you allowed in the previous step)
    Shared Secret: Enter the shared secret you generated in the previous step.
    Services Offered: Change to Authentication
    Authentication port: [keep default] (must match the FreeRADIUS listening interface port)
    Accounting port: [NA] – not used with the accounting option off
    Authentication Timeout: [blank]

    Once complete, hit Save.

    We can now create our first user to test authentication and make sure everything is properly configured so far between pfSense and FreeRADIUS.

    Go into the Services menu, then FreeRADIUS, then the Users tab. Click Add.

    usercreate-1.jpg

    Username: whatever you wish
    Password: leave blank, since this user will authenticate with PIN + OTP instead of a static password
    Password Encryption: [keep default]
    One-Time Password: Click to Enable
    OTP Auth Method: Change to Google-Authenticator
    Init-Secret: Click to Generate OTP Secret
    PIN: Choose a 4-8 character PIN
    Time Offset: [keep default]
    QR Code: Click Generate QR Code

    At this point, open Google Authenticator on your mobile device and scan the QR code to add the account.

    usercreate-2.jpg

    Once added, it should display “FreeRADIUS (%username%)” and your current OTP.
    Click Save at the bottom of the screen.

    Now we will test authentication to confirm that the PIN + Google Authenticator OTP are functioning correctly. Go to the Diagnostics menu, then Authentication.

    testuser-1.jpg

    Change the Authentication Server to your new FreeRADIUS server.
    Username: username
    Password: PIN followed by the OTP, typed as one string with no separator
    If unsuccessful, wait 60 seconds for the OTP code to change and try again. Because the OTP is time-based, the pfSense clock and the phone’s clock must agree to within a code step: check that pfSense is syncing with NTP (Status: NTP) before assuming the configuration is wrong. If it is still not working, go back into the user you created, generate a new Init-Secret + QR code, scan it again, save, and retry.
    If all went well you should get a message back that you’ve authenticated successfully and you can move on to the next step. You may want to review the other general settings within the FreeRADIUS package, especially if you’d like to configure extra logging features, etc. Note that you do not need to enable “Mobile-One-Time-Password Support” for Google Authenticator use.
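To make concrete what the “PIN followed by OTP” test above is actually checking, here is an added example (not code from the pfSense FreeRADIUS package or from this post) that implements the server side of that check in Python: it computes the RFC 6238 TOTP code that Google Authenticator derives from a base32 secret, splits the submitted password into PIN and OTP, and accepts the OTP only within a small window of time steps either side of the server clock. The secret, PIN and timestamps below are constructed test values (the secret is the RFC 6238 reference key); the window size and PIN handling are this example’s assumptions, not a description of how the package’s own scripts behave.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test values: RFC 6238 reference key "12345678901234567890" in base32.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_PIN = "1234"  # constructed; a real PIN would be chosen per user


def totp(secret_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses.

    `t` is a Unix timestamp; the code changes every `step` seconds.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = t // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_pin_otp(password: str, pin: str, secret_b32: str, now: int,
                   window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Check a 'PIN followed by OTP' password the way a RADIUS backend would.

    The submitted string must be exactly PIN + digits long, start with the
    user's PIN, and end with a code valid for a counter within `window`
    steps of the server's clock (tolerating small phone/server skew).
    Assumption of this example: a single failure result for both a wrong
    PIN and a wrong OTP, so a caller learns nothing about which part failed.
    """
    if len(password) != len(pin) + digits:
        return False
    submitted_pin, submitted_otp = password[:len(pin)], password[len(pin):]
    if not hmac.compare_digest(submitted_pin, pin):
        return False
    for k in range(-window, window + 1):
        expected = totp(secret_b32, now + k * step, step, digits)
        if hmac.compare_digest(submitted_otp, expected):
            return True
    return False


def build_password(pin: str, secret_b32: str, now: int) -> str:
    """What the user types into the Password field: PIN immediately followed by the OTP."""
    return pin + totp(secret_b32, now)


if __name__ == "__main__":
    now = int(time.time())
    pw = build_password(EXAMPLE_PIN, EXAMPLE_SECRET_B32, now)
    print("password to submit right now:", pw)
    print("accepted by server with same clock:", verify_pin_otp(pw, EXAMPLE_PIN, EXAMPLE_SECRET_B32, now))
    # A server whose clock is two minutes off rejects the very same code,
    # which is the failure mode an unsynced pfSense clock produces.
    print("accepted by server 120 s ahead:", verify_pin_otp(pw, EXAMPLE_PIN, EXAMPLE_SECRET_B32, now + 120))
```

Run it once with the pfSense clock and the phone in sync and once after shifting `now`; the second call shows that a code which is perfectly correct on the phone is still rejected once the server drifts beyond the window, which is why NTP sync is worth checking before regenerating secrets.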
