configure 2FA GUI access in pfSense

pfSense a very powerful, open-source-based router/firewall and it’s geared towards security out of the box. But that doesn’t mean it can’t be hardened a little bit. Being a router/firewall, pfSense is in a privileged position to “see” your network’s traffic. So securing access to your pfSense box is going to be critical. The usual advice will, of course, apply here:

  • Create a non-root user to access the pfSense GUI
  • Use a strong password to protect that account

But that’s just the start. You can further secure access to your pfSense box with two-factor authentication for GUI access. In this article, we explain how to setup pfSense two-factor authentication for GUI access.

Note: Netgate, the company behind pfSense’s development, recently started producing two forks of the project:

  • pfSense CE
  • pfSense Plus

pfSense CE, which stands for Community Edition, is the fully open-source version of pfSense. pfSense Plus is open-source-based but with extra features added using proprietary code. While both are free for individual users, we’ll be using pfSense CE in this guide.

This guide assumes you have a working pfSense configuration with a WAN and a LAN interface already set up.

pfSense - CP - Dashboard

What is 2FA?

2FA, or two-factor authentication, is an authentication scheme that uses your password while requiring a second factor for authentication. The second factor is typically a one-time password that’s dynamically generated. It can be sent to you by text message, but a better (and more secure) way is to use an authenticator app that dynamically generates one-time passwords for you. 2FA’s basic mantra for authentication is to use something you know (your password) with something you have (your phone, your authenticator app).

Many, if not most, service providers today support 2FA, and, likely, you’re already using it on some of your accounts. It makes sense to lock down pfSense GUI access with 2FA – especially in an enterprise environment.

Let’s get started. The first thing we need to do is install the FreeRADIUS package from pfSense’s software repository.

Installing FreeRADIUS

FreeRADIUS is an open-source implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol, which provides authentication, authorization, and accounting to users connecting to a network.

pfSense’s 2FA implementation relies on FreeRADIUS for authentication, so our first step will be to install the package.

  1. From the top menus, select System > Package Manager. The Installed Packages page is displayed. pfSense - CP - Go to Package Manager
  2. Go to the Available Packages page. pfSense - CP - Go to Available Packages
  3. Scroll down the page until you see freeradius3 and click Install. The Package Installer window is displayed. pfSense - CP - Package Manager - FreeRADIUS
  4. Click Confirm to begin the installation. pfSense - CP - Install FreeRADIUS - Confirm
  5. Once the installation is complete, you should see Success displayed at the bottom of the Package Installation window. We’ve successfully installed FreeRADIUS. pfSense - CP - FreeRADIUS - Installed

Configuring FreeRADIUS

We’re now going to configure FreeRADIUS for two-factor authentication.

Enabling one-time password support

  1. From the top menus, select Services > FreeRADIUS. You’re taken to FreeRADIUS’s main configuration page. pfSense - CP - Go to FreeRADIUS
  2. Click on the Settings tab and scroll down the page until you see the Mobile-One-Time-Password Configuration section.
  3. Tick the Enable Mobile-One-Time Password Support box.
  4. Set the Hash Algorithm to SHA256. pfSense - CP - Enable MOTP

Creating a listener port

Now that we’ve enabled one-time password support in FreeRADIUS, we need to configure it to listen for authentication requests.

  1. Select the Interfaces tab from the FreeRADIUS top menus. The Interfaces page is displayed. pfSense - CP - Interfaces Tab
  2. Click Add. The Interfaces General Configuration page is displayed. pfSense - CP - Add Interface
  3. Leave all the settings at the default values, add a description if you like, and click Save. This configuration will have FreeRADIUS listening on all interfaces on your system. pfSense - CP - Interface Settings
  4. You’re taken back to the Interfaces main page, which should look like this: pfSense - CP - Configured Interface

Adding a NAS/Client

FreeRADIUS will only accept authentication requests from clients it “knows.” So we need to define the pfSense box itself as a FreeRADIUS client.

  1. Go to the NAS/Clients tab of the FreeRADIUS settings. The NAS/Clients main settings page is displayed. pfSense - CP - NAS/Clients Tab
  2. Click Add. The NAS/Clients General Configuration page is displayed. pfSense - CP - Add NAS/Client
  3. Enter in the Client IP Address field.
  4. Select IPv4 from the Client IP Version drop-down menu.
  5. Enter a Client Shared Secret. The client shared secret is used for secured communication between the FreeRADIUS server and the NAS/Client. It should be a long, complex string of letters, numbers, and symbols. FreeRADIUS supports shared secrets of up to 31 characters in length.
  6. Click Save. pfSense - CP - Configured NAS/Client
  7. You’re taken back to the main NAS/Clients settings page, which should look like this: pfSense - CP - NAS/Client After Config

Creating a 2FA user

The next step is to create a FreeRADIUS user that can authenticate using 2FA with FreeRADIUS.

  1. From the FreeRADIUS main settings page, select the Users tab. The main Users settings page is displayed. pfSense - CP - Go to Users Tab
  2. Click Add. The Users main settings page is displayed. pfSense - CP - Add User
  3. In the General Configuration section, enter a name for the new user. We’re using 2FAUser in our example. pfSense - CP - Add Username
  4. Scroll down the page to find the One-Time Password Configuration section.
  5. Tick the Enable One-Time Password (OTP) for this user box.
  6. From the OTP Auth Method drop-down menu, select Google Authenticator. We will be using the Google Authenticator app to generate our one-time passwords. Other clients are available for both iOS and Android, but for simplicity’s sake, we’ll be using Google Authenticator in our example. The app does not require you to have a Google account, nor does it require an internet connection. Using the app does not give Google any visibility into your activities or your one-time passwords. But, by all means, feel free to use one of the many alternatives.
  7. Click the Generate OTP Secret button to generate an OTP secret, displayed in the Init-Secret field above.
  8. Click the Show OTP PIN button to be able to see the OTP PIN you enter in the PIN field above. The OTP PIN is considered your user password. And it will be used alongside the OTP to authenticate and log into the pfSense GUI. Your OTP PIN must consist of 4 to 6 numbers. In our example, we’re using 123456, which I don’t recommend using in a real-world scenario.
  9. Click the Generate QR Code button to generate a QR code that we’ll be able to scan with our camera when we configure Google Authenticator in the next step, and click Save at the bottom of the page. pfSense - CP - MOTP Configuration

Configuring Google Authenticator

Once you’ve downloaded Google Authenticator onto your phone, configuring it is simple.

  1. Launch the app.
  2. Click the Add a code button or the + sign at the bottom right of the UI. You’re prompted to scan a QR code with your camera or manually enter the setup key. pfSense - CP - Google Authenticator - Add Code
  3. Select Scan a QR code. Your phone’s camera comes up. Scan the QR code we created in the previous step.               pfSense - CP - Google Authenticator - Scan Code
  4. That’s it. Google Authenticator is now configured and will dynamically generate one-time passwords every 30 seconds. pfSense - CP - Google Authenticator - OTP

Adding FreeRADIUS as a pfSense authentication source

By default, pfSense has a local database it uses for authentication. In order to use 2FA for pfSense GUI access, we need to set our FreeRADIUS server as an authentication source.

  1. From the top menus, select System > User Manager. You’re taken to the Users page of the User Manager settings. pfSense - CP - Go to User Manager
  2. Select the Authentication Servers tab. You’re taken to the Authentication Servers main settings page. pfSense - CP - Go to Authentication Servers
  3. Click Add. The Authentication Servers configuration page is displayed. pfSense - CP - Authentication Servers - Add
  4. Enter a name for your FreeRADIUS authentication server in the Descriptive name field.
  5. From the Type drop-down menu, select RADIUS.
  6. Under RADIUS Server Settings, select PAP from the Protocol drop-down menu.
  7. Enter in the Hostname or IP address field.
  8. Enter the shared secret you created earlier in the Shared Secret field.
  9. Select Authentication from the Services offered drop-down menu.
  10. Select LAN – <your LAN ip address> from the RADIUS NAS IP Attribute drop-down menu.
  11. Click Save. pfSense - CP - Authentication Server Configuration

Testing our basic FreeRADIUS configuration

Now that our basic configuration is complete, let’s test FreeRADIUS to make sure everything is working.

  1. From the top menus, select Diagnostics > Authentication. This brings up the Authentication Test page. pfSense - CP - Go to Authentication Test
  2. Select FreeRADIUS from the Authentication Server drop-down menu.
  3. Enter your FreeRADUIS user’s username in the Username field. This is 2FAUser in our example.
  4. Enter your OTP PIN and your Google Authenticator OTP as the password. I set my PIN to 123456, and Google Authenticator is giving me 942 244 as the OTP, so I would enter 123456942244 in the password field.
  5. Click Test. pfSense - CP - FreeRADIUS Test
  6. If the test was successful, you should see User <your 2FA username> authenticated successfully at the top of the page. pfSense - CP - Test Succeeded

Configuring pfSense to use FreeRADIUS to authenticate users for GUI access

Now that our FreeRADIUS server is configured and working with our Google Authenticator app, we need to tell pfSense to use FreeRADIUS to authenticate users for GUI access.

  1. From the top menus, select System > User Manager. The User Manager main settings page is displayed.           pfSense - CP - Go to User Manager
  2. Select the Settings tab. The Authentication Settings page is displayed. pfSense - CP - Go to User Manager - Settings Tab
  3. From the Authentication Server drop-down menu, select FreeRADIUS and click Save. pfSense - CP - Set Authentication Server to FreeRADIUS
  4. Select the Users tab.The Users main settings page is displayed.
  5. Click Add. The New User Settings page is displayed. The New User Settings page is displayed. We need to make pfSense aware that we want our FreeRADIUS user to have access to the pfSense GUI. pfSense - CP - Add User
  6. Enter your FreeRADIUS user’s username in the Username field.
  7. Enter your FreeRADIUS user’s PIN (configured on the FreeRADIUS Users page) in the Password field –  without the OTP from Google Authenticator.
  8. Click Save. pfSense - CP - Add Username and Password
  9. You’re taken back to the Users main settings page. Click the pencil icon next to our FreeRADIUS user. We’re taken back to that user’s configuration page. pfSense - CP - Edit User
  10. Click the Add button in the Effective Privileges section. The User Privileges page is displayed. pfSense - CP - Add User Privileges
  11. Select WebCfg – All pages from the Assigned privileges box. We’re granting our FreeRADIUS user access to all sections of the pfSense GUI. You can choose to only grant access to certain pages for a more restrictive setup if you like.
  12. Click Save. pfSense - CP - WebConfig Privileges
  13. The User Configuration page is displayed, and we can see our user’s assigned privileges. Click Save again at the bottom of the page. pfSense - CP - Users - Save Again
  14. You’re taken back to the Users main settings page.

Testing our setup for pfSense GUI access

To test our setup, we’re going to log out of pfSense and log back in using our new FreeRADIUS 2FA user.

  1. Click the arrow icon at the top right of the UI to log out of the pfSense GUI. We’re going to test our 2FA setup for authentication and GUI access. pfSense - CP - Logout
  2. Once logged out, enter your 2FA user credentials: your username and your PIN + OTP as the password. Click the SIGN IN button, and you should be back on pfSense’s dashboard page and logged in as your FreeRADIUS 2FA user. pfSense - CP - 2FA Login pfSense - CP - Dashboard

Note that if you have any issues with your one-time password (i.e., don’t have your phone, app is not working, etc., pfSense falls back on the admin user so you won’t be locked out (so don’t delete that user).

Wrap Up

We’ve configured pfSense to use 2FA for GUI access using FreeRADIUS. Access to the heart of your network is now locked down with two-factor authentication. From this point on, to log into pfSense, you’re going to need something you know (your password/PIN) and something you have (your phone for OTP generation).

2FA can be configured in other areas of pfSense, like OpenVPN connections, for example. That’s beyond the scope of the present tutorial, but perhaps we could visit that topic in a future post. Until then, I’d recommend setting up 2FA on all services you use that support it. 2FA goes a long way to securing your accounts.

As always, stay safe (online).