> Date: Tue, 4 Aug 2015 16:32:22 -0500
> From: amar...@xes-inc.com
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] Smartcard Integration with pfSense
> 
> ----- Original Message -----
> > From: "Teleric Team" <teleric-li...@outlook.com>
> > To: "pfSense Support and Discussion Mailing List" <list@lists.pfsense.org>
> > Sent: Monday, August 3, 2015 3:51:29 PM
> > Subject: Re: [pfSense] Smartcard Integration with pfSense
> > 
> > 
> > 
> > > Date: Mon, 3 Aug 2015 10:41:05 -0500
> > > From: amar...@xes-inc.com
> > > To: list@lists.pfsense.org
> > > Subject: [pfSense] Smartcard Integration with pfSense
> > > 
> > > Hello,
> > > 
> > > I am working on setting up a new OpenVPN server on pfSense and ideally
> > > would like to use a smartcard or USB token for protecting the keys on the
> > > client. Are there any smartcards that have been known to work with pfSense,
> > > or other recommendations?
> > > 
> > > Thanks,
> > > 
> > > Andrew Martin
> > 
> > If you are using Local User Authentication on OpenVPN/pfSense it's just a
> > matter of installing OATH or Google Authenticator and setting up /etc/pam.d
> > to require OTP.
> > There's also a specific OTP plugin for OpenVPN:
> > https://github.com/evgeny-gridasov/openvpn-otp
> > I never tried to have it running on pfSense, but it should not be different from
> > running on FreeBSD, which is not hard following the general directions.
> > _______________________________________________
> 
> Thanks for the clarification regarding the OTP plugin for OpenVPN. I am using
> AD authentication instead of local authentication for OpenVPN clients. In this
> case, would I still be able to use the OpenVPN-OTP plugin, and just pass
> authentication off to the AD server?
> 
First of all, I'm sorry for so many duplicated messages. I swear I only
pushed send once ;-)

Yes and no: without local auth you won't be able to use PAM-based OTP, but you
can still use the OpenVPN-OTP plugin; however, I don't think you can rely on AD
credentials for auth any longer. You will have a separate secret file for your
OpenVPN users, unrelated to AD credentials. In this secret file you will have
both the reusable password (first authentication factor) and the OTP secret,
which will provide the second authentication factor.

I have, however, investigated in the past how to rely on an external auth
mechanism for the reusable passwords; I remember that around line 275 of otp.c in
the plugin source code I wrapped to RADIUS so I could still use the previous
passwords stored on RADIUS. If you *really need* the reusable password to still
be the AD one, you will probably need to hack around the same lines of otp.c and
wrap to NTLM, LDAP or Kerberos to check the password.

So no, by default and without some hack you will only be able to have the
reusable password in the external secret file for the plugin. It also changes
some "concept": the reusable password is now called the "PIN", while the
generated OTP password is the token. If the PIN is 123456 and the generated
6-digit OTP is 981024, the OpenVPN credentials will be username + 123456981024
as the password (PIN+OTP), meaning there's no separate prompt for the first and
the second auth factor like most people may be used to on commercial VPN
clients or Google/Dropbox/etc. 2FA, for example.

In the end, if you can rely on having the PIN unrelated to the AD password, it
just works fine and without much effort :-)
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
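The PIN+OTP concatenation described in the reply above, as an added example that is not part of the original thread and not the openvpn-otp plugin's own code: a small server-side verifier that reads a constructed secrets file (the `user:pin:base32_seed` layout is an assumption for illustration, not the plugin's on-disk format), splits the submitted password into the trailing 6-digit TOTP token and the leading PIN, checks the PIN with a constant-time comparison, computes RFC 6238 TOTP (HMAC-SHA1, 30-second step) over a small drift window, and refuses to accept a time step that was already used for that user, so a captured PIN+OTP string cannot be replayed inside the 30-second window. The `alice` seed is the RFC 4226/6238 reference secret `12345678901234567890`, so the expected tokens are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed, illustrative secrets file. The field layout (user:pin:base32_seed)
# is an assumption for this example, NOT the openvpn-otp plugin's file format.
# alice's seed is base32("12345678901234567890"), the RFC 4226/6238 test secret.
SECRETS_FILE = """
# user:pin:base32_seed
alice:123456:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
bob:7890:JBSWY3DPEHPK3PXP
"""

OTP_DIGITS = 6   # length of the generated token appended to the PIN
OTP_STEP = 30    # TOTP time step in seconds
OTP_WINDOW = 1   # also accept the previous/next step to tolerate clock drift


def load_secrets(text: str) -> Dict[str, Tuple[str, bytes]]:
    """Parse the constructed secrets file into {user: (pin, raw_seed_bytes)}."""
    users: Dict[str, Tuple[str, bytes]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, pin, seed_b32 = line.split(":")
        users[user] = (pin, base64.b32decode(seed_b32.upper()))
    return users


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step, digits)


# Highest time-step counter already accepted per user, to block token replay.
LAST_USED: Dict[str, int] = {}


def verify(users: Dict[str, Tuple[str, bytes]], username: str, password: str,
           now: Optional[int] = None, last_used: Dict[str, int] = LAST_USED) -> bool:
    """Check a PIN+OTP password for `username`.

    The client sends a single password string: the reusable PIN immediately
    followed by the current 6-digit token (e.g. PIN 123456 + token 981024 ->
    "123456981024"). Only the last OTP_DIGITS characters are the token; the
    remainder is compared against the stored PIN.
    """
    if now is None:
        now = int(time.time())
    entry = users.get(username)
    if entry is None or not password.isascii():
        return False
    pin, seed = entry
    if len(password) < len(pin) + OTP_DIGITS:
        return False
    pin_part, token = password[:-OTP_DIGITS], password[-OTP_DIGITS:]

    # Constant-time PIN comparison; evaluate the token regardless so timing
    # does not reveal which factor failed.
    pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())

    counter = now // OTP_STEP
    matched = None
    for c in range(counter - OTP_WINDOW, counter + OTP_WINDOW + 1):
        if hmac.compare_digest(hotp(seed, c).encode(), token.encode()):
            matched = c
    if matched is None or not pin_ok:
        return False
    # Reject a token whose time step is not newer than the last accepted one:
    # a PIN+OTP string sniffed within the window cannot be replayed.
    if matched <= last_used.get(username, -1):
        return False
    last_used[username] = matched
    return True


if __name__ == "__main__":
    users = load_secrets(SECRETS_FILE)
    now = int(time.time())
    pw = "123456" + totp(users["alice"][1], now)
    print("first login:", verify(users, "alice", pw, now))    # True
    print("replayed:   ", verify(users, "alice", pw, now))    # False
```

With the reference seed and `now=59` (RFC 6238 test time), the token is `287082` (RFC 4226 count 1), so alice's password is `123456287082`; the neighbouring steps `755224` (count 0) and `359152` (count 2) are also accepted because of the drift window, while a wrong PIN, a wrong token, or a second submission of the same token is refused. Anything beyond the concatenation convention itself (the file layout, window size, replay cache) is this example's choice, not something the thread or the plugin guarantees.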