OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: woo on August 03, 2016, 02:25:37 pm

Title: 2FA token not working for OpenVPN dialin
Post by: woo on August 03, 2016, 02:25:37 pm
Hi,
I just did my first OpenVPN test runs on 16.7 (after having worked around my earlier reported issue with the client export), and I noticed that VPN dialin does not seem to use 2FA tokens even though I have configured one for the users. I can just connect with username and password. When I try to append the 2FA token string after or before the password, as is customary for that method, the authentication fails.
Is this not supposed to work like that, or is there something broken? If it's the latter, how could I go about finding and fixing the cause?

Regards
~woo
Title: Re: 2FA token not working for OpenVPN dialin
Post by: woo on August 03, 2016, 02:29:05 pm
Never mind... I had the wrong authentication backend in my OpenVPN server config. Apparently I forgot to save the changes.
Title: Re: 2FA token not working for OpenVPN dialin
Post by: woo on August 03, 2016, 02:34:25 pm
Just an opinion on the 2FA concept:
Having the token number before the password puts the user into a certain time constraint, having to enter more or less complex passwords within the 30 seconds refresh time. That's why many (most?) other 2FA concepts either have a separate field for the token (won't be possible with the current OpenVPN client), or ask for the token after the password.
Perhaps use this as an improvement suggestion for future releases...
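
The timing concern raised in the last post can be reproduced with a generic RFC 6238 check. This is an added example, not part of the thread and not OPNsense's code; the 6-digit token length, the `window` grace parameter, the function names and the sample secret (the RFC test key) are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (the refresh time discussed above)
DIGITS = 6   # assumed token length
SAMPLE_SECRET = b"12345678901234567890"  # constructed sample: RFC 6238 test key

def totp(secret, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_credential(field, token_first=True, digits=DIGITS):
    """Split the single password field into (token, password), or None."""
    if len(field) <= digits:
        return None
    if token_first:
        token, password = field[:digits], field[digits:]
    else:
        token, password = field[-digits:], field[:-digits]
    if not (token.isascii() and token.isdigit()):
        return None
    return token, password

def verify(field, secret, check_password, now, window=0, token_first=True):
    """Accept only if both factors match; `window` is the number of
    neighbouring time steps tolerated on each side of `now`."""
    parts = split_credential(field, token_first)
    if parts is None:
        return False
    token, password = parts
    token_ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * STEP)
        token_ok |= hmac.compare_digest(token, candidate)
    password_ok = check_password(password)  # always evaluated
    return token_ok and password_ok

if __name__ == "__main__":
    check = lambda pw: hmac.compare_digest(pw, "hunter2")  # constructed password
    # Token read at t=59, login submitted at t=65, after the step rolled over.
    print(verify("287082hunter2", SAMPLE_SECRET, check, now=65))            # strict
    print(verify("287082hunter2", SAMPLE_SECRET, check, now=65, window=1))  # grace
```

A wider `window` eases the typing deadline at the cost of a longer period in which a captured token remains valid.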