Massive user import with TOTP access for VPN and exploitation

Started by adminexploit, September 24, 2024, 11:58:33 AM

Hi,
I have about 850 users to import from Active Directory into OPNsense in order to play with OpenVPN + AD + TOTP authentication.

Actually, I'm able to import just one single user, which works fine. But is there a simple way to import 850 users (yeah, I can do it by clicking on the cloud) AND generate a TOTP token for each of them?

I plan to play with the XML config file and restore it with a Python script, but it's not very clean, and I have to reboot OPNsense to import the new XML config file, because I didn't find a way to do the job with the API....

Thanks for your help.

I discovered that users in /config/config.xml can be modified live. So.... I'm always trying to do it a better way.
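As an added example (not from this thread and not OPNsense's own code), here is a Python sketch of the config.xml approach described above: it generates a fresh random base32 seed for each AD username, appends a `<user>` entry under `<system>` in a copy of the config, and carries an RFC 6238 TOTP routine so every seed can be checked against an authenticator before rollout. The element names `<user>`, `<name>` and `<otp_seed>`, the minimal config skeleton and the usernames are assumptions and constructed sample data; compare them with the live /config/config.xml first.

```python
import base64
import hmac
import secrets
import struct
import time
import xml.etree.ElementTree as ET

def new_otp_seed(nbytes=20):
    """Fresh random TOTP seed: 160 bits as RFC 4226 recommends, base32 as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def totp(seed_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at Unix time `at`; used to prove a seed works."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def user_names(config_xml):
    """Names of the <user> entries currently under <system>."""
    return [u.findtext("name") for u in ET.fromstring(config_xml).find("system").findall("user")]

def add_users_with_seeds(config_xml, usernames):
    """Append one <user> with its own otp_seed per new username; return (new_xml, {name: seed}).
    Names already present are skipped so a re-run never overwrites an enrolled seed.
    <user>/<name>/<otp_seed> are assumed element names; a real entry also needs the other
    fields (uid, scope, ...) that the live config uses."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    existing = set(user_names(config_xml))
    seeds = {}
    for name in usernames:
        if name in existing:
            continue
        seed = new_otp_seed()
        user = ET.SubElement(system, "user")
        ET.SubElement(user, "name").text = name
        ET.SubElement(user, "otp_seed").text = seed
        seeds[name] = seed
        existing.add(name)
    return ET.tostring(root, encoding="unicode"), seeds

# Constructed sample input: a minimal config skeleton and a few AD usernames.
SAMPLE_CONFIG = "<opnsense><system><user><name>root</name></user></system></opnsense>"
AD_USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    new_xml, seeds = add_users_with_seeds(SAMPLE_CONFIG, AD_USERS)
    for name, seed in seeds.items():  # the seed is the user's secret: deliver it out of band, once
        print(name, seed, "code now:", totp(seed, int(time.time())))
```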

After you modify that file, do a reboot to make sure it stays.

Can't you set up a RADIUS server to handle this negotiation between AD and the VPN permissions? That's probably my first thought to try. I haven't looked at VPN access in a while, so I can't remember if you can just give it access to the AD like you can for permissions on a file share (TrueNAS).

I don't know how a RADIUS server can help me manage users' TOTP tokens. I discovered a magical option that lets users manage their own TOTP token at:

System: Settings: Administration: User OTP seed

I created a specific group and associated the System: User Password Manager privilege to it. I added a user to this group, but the user cannot log in, even though the password is correct:

2024-09-24T18:29:40   Informational   configd.py   action allowed system.event.config_changed for user root   
2024-09-24T18:29:39   Notice   audit   /index.php: User logged out for user 'test' from: 172.21.22.15   
2024-09-24T18:29:39   Notice   audit   /index.php: Successful login for user 'test' from: 172.21.22.15

So, as you can see, I'm logged in and... logged out immediately, and root did something, I don't know what, to kick me out of the group.

When I give myself the Password Manager privilege on my own profile page, I can log in to change my password, which is not good since I'm imported from AD, but I don't have options to change or generate a TOTP token......

If users could interact with their password management page, that would be perfect, but it seems to be buggy or I missed something.