OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: pvsa on May 11, 2017, 12:40:07 pm

Title: [SOLVED] TOTP/2FA won't work - Auth failed
Post by: pvsa on May 11, 2017, 12:40:07 pm
Hi,

I have installed a 17.1.4 OPNsense (cdrom) VM (on XenServer) - and updated it to 17.1.6 - as a proxy and it's working well.

Then I set up OTP/2FA for a test user (for VPN purposes) as described in the docs (https://docs.opnsense.org/manual/how-tos/two_factor.html) with Google 2FA and tested it with the "Tester" under System -> Access.
But it always says "Auth.. failed" - and yes, I put the OTP BEFORE the password. When I use the local DB with the Tester it works. I even tried FreeOTP - guessing that one needs a Google account to use this - with the same result.

I can't find any info in the logs and no posts that could help.

Perhaps one of you can help me.

Thanks in advance
Philipp
Title: Re: TOTP/2FA won't work - Auth failed
Post by: kug1977 on May 11, 2017, 04:10:31 pm
Hi,

as you know, 2FA really depends on synced time values and it stops working with drifting time values really soon. I have OPNsense set up with an NTP server and make the time available to all devices holding Google Authenticator, so OPNsense and all Google Authenticator instances are based on the same time source.

Google Authenticator has a sync functionality under menu -> setup -> time correction -> sync now (sorry, I translated this from German, so it might differ in English).

I also found it quite frustrating to type random characters into Google Authenticator, so you might check a QR code generator.

Kind regards,
Kay-Uwe Genz
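To make the two points raised so far concrete (the token has to be entered before the password, and a clock that drifts past the server's tolerance window breaks TOTP), here is an added example that is not part of this thread or of OPNsense's own code. It implements RFC 4226 HOTP and RFC 6238 TOTP in Python, a verifier that tolerates plus or minus one 30-second step (the window size is an assumption for illustration, not OPNsense's documented setting), and a check that splits a "token + password" field the way the original poster describes. The seed is the RFC 6238 test-vector key "12345678901234567890" in base32, a constructed value, not a real user's seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length shown by Google Authenticator / FreeOTP
WINDOW = 1     # assumed tolerance: accept codes one step early or late


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_seed(seed_b32: str) -> bytes:
    """Base32 seed as shown in the GUI; re-add padding that QR payloads usually omit."""
    seed = seed_b32.strip().upper().replace(" ", "")
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def totp(seed_b32: str, unix_time: float, step: int = STEP) -> str:
    """What the phone app displays at a given time (RFC 6238)."""
    return hotp(decode_seed(seed_b32), int(unix_time // step))


def verify_totp(seed_b32: str, code: str, server_time: float,
                window: int = WINDOW, step: int = STEP) -> bool:
    """Server side: accept the code for the current step and +/- `window` steps."""
    secret = decode_seed(seed_b32)
    counter = int(server_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + off), code)
        for off in range(-window, window + 1)
    )


def split_otp_password(entered: str, digits: int = DIGITS):
    """Token first, then password, in one field; None if the leading part is not a token."""
    if len(entered) <= digits or not entered[:digits].isdigit():
        return None
    return entered[:digits], entered[digits:]


def authenticate(seed_b32: str, stored_password: str, entered: str,
                 server_time: float) -> bool:
    """Combined check; a password typed before the token fails at the split step."""
    parts = split_otp_password(entered)
    if parts is None:
        return False
    code, password = parts
    password_ok = hmac.compare_digest(password, stored_password)
    return password_ok and verify_totp(seed_b32, code, server_time)


def drift_demo(seed_b32: str, drift_seconds: int,
               server_time: float = 1_500_000_000) -> bool:
    """Phone clock is off by drift_seconds: is the code it shows still accepted?"""
    phone_code = totp(seed_b32, server_time + drift_seconds)
    return verify_totp(seed_b32, phone_code, server_time)


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(DEMO_SEED_B32, now))
    for drift in (0, 20, 45, 95, -95):
        print(f"drift {drift:+4d}s ->", "accepted" if drift_demo(DEMO_SEED_B32, drift) else "rejected")
```

With the one-step window, a phone that is 45 seconds off still authenticates, while one that is 95 seconds off is rejected with nothing more informative than "Auth failed", which is exactly the symptom in this thread; syncing both sides to the same NTP source keeps the drift well inside the window.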
Title: Re: TOTP/2FA won't work - Auth failed
Post by: franco on May 11, 2017, 04:20:34 pm
Hi Kay-Uwe and Philipp,

I agree that time needs to be in sync for this to work. The tester can't give any more hints, it would only leak attack information otherwise, and from experience it's 99.9% right about the password being wrong or right. :)

We do have a QR-Code generator. You can click the help/info icon for the OTP seed field.

http://imgur.com/a/ELu1S

Also one doesn't have to use Google, there are many TOTP apps available. I use "Authenticator" on iOS.


Cheers,
Franco
Title: Re: TOTP/2FA won't work - Auth failed
Post by: kug1977 on May 11, 2017, 04:56:21 pm
Hi Franco,

learned something again :D ... I hadn't noticed that the OTP code is in the help and you have to click the orange "i" ... the documentation mentions an external QR generator. (https://docs.opnsense.org/manual/how-tos/two_factor.html)  :-X

So can we move the QR code outside of the help, or if you wouldn't show it right away, can we put a little QR icon next to the string that shows the QR in a pop-up? It's really well covered at the moment.

And of course you can go on with other OTP apps. I only mentioned it because Philipp asked for it.

Kind regards,
Kay-Uwe
Title: Re: TOTP/2FA won't work - Auth failed
Post by: fabian on May 11, 2017, 09:37:27 pm
Hi Uwe,

learned something again :D ... I hadn't noticed that the OTP code is in the help and you have to click the orange "i" ... the documentation mentions an external QR generator. (https://docs.opnsense.org/manual/how-tos/two_factor.html)  :-X

I replaced it some time ago for security reasons (the key should not be leaked to an external system - even if it is not stored now, we don't know how the code changes). The QR code is rendered where the link was at that time. Now it is safer than it was then and it looks better integrated (a user does not even have to leave the GUI).
Title: Re: TOTP/2FA won't work - Auth failed
Post by: franco on May 12, 2017, 07:03:41 am
I agree, so I've added a ticket here: https://github.com/opnsense/core/issues/1639

I merely mentioned that non-Google solutions exist, as people had concerns about this in the past. People can use this standard RFC protocol in any way they like, the documentation just hasn't caught up with it yet.

I would mention it here so that others visiting via Google ;) or the forum search have quick access to this info.


Cheers,
Franco
Title: Re: TOTP/2FA won't work - Auth failed
Post by: pvsa on May 12, 2017, 07:20:25 pm
Hi,

Thanks a lot for your answers. The funny thing is that, after I checked the time - which seems ok - I tried another app (thanks for the tip Franco) and this solved the problem. Don't know if the Google Auth app has changed something since you wrote the docs.

Thank you again for your quick help :-)