2FA: Using LDAP and google authenticator

[moikonom]

Hello all,

First and foremost, kudos to your work on opensense. I installed and was able to perform 2FA in about 10 minutes. I have successfully deployed in the past, a remote access vpn infrastructure based on pfsense, LinOTP and LDAP, so as users were able to vpn to my server and be verified by using both their account on the LDAP and the OTP provided from Google Authenticator.

The overall process was a bit painful (in administrative costs) and was more than happy to see that opensense is able to do about the same thing in less than 10 minutes

My question is, is there a roadmap in providing LDAP+google authenticator 2FA in the near future?

Regards,

Michalis

[AdSchellevis]

Hi Michalis,

There are no concrete plans yet to add otp+ldap, although it should be quite easy to build such an extension upon the parts we already have.
Only restriction would be that the users must be imported into the local database to add the otp seeds, just like our ldap implementation needs the local import to assign rights when using ldap for the gui login.

You could add a feature request on GitHub https://github.com/opnsense/core/issues, I can't promise when it will make a release, but we may put it on the roadmap for 17.1.

Best regards,

Ad

[moikonom]

Hello Ad,

Thanks for your reply. I'll make a feature request on GitHub as you pointed out.
Keep up the good work. Thanks for your time.

Regards,

Michalis

[drakesdrum]

This would be a fantastic feature to add as there is no other easy solution.

You could use linotp with pfsense but this is a complex set up and involves another vm or box to configure.

Or you could use rcdevs with pfsense product, which again would be another box to configure and has a cost associated with it.

My search for Narvana would end with opnsense+LDAP authentication via Active Directory+OpenVPN+Google Authenticator

opnsense almost does this.........one more step would be a winner.

I don't see this feature being added to the roadmap for January 2017 unfortuanely.

[franco]

Hi there,

Yes, it's not on the roadmap, but last time I checked Ad already started a bit of work in this direction.

We have more authentication improvements coming with native PAM module to e.g. plug SSH and console login into OPNsense and therefore all supported OPNsense methods (making 2FA work with these low-level types). I think this will be used to remove Xauth capabilities from IPsec as well in order to be able to do a patch-free StrongSwan authentication.

Furthermore, there is a fully pluggable authentication framework in opnsense-devel (what is going to be 17.1) so that new methods can be written without the firmware updates getting in the way.

And one contributor is working on Single-Sign-On for the proxy, which required some larger changes that have been phased into the system since 16.7.x.

17.1 will be all about authentication, and I don't see why LDAP+2FA can't be part of it as well. But let me double-check to be sure...


Cheers,
Franco

PS: For most of these changes, we do not have to wait for January 2017 when people help test these features on opnsense-devel we can backport them to 16.7.x sooner.

[alesnav]

Hi there,

Yes, it's not on the roadmap, but last time I checked Ad already started a bit of work in this direction.

We have more authentication improvements coming with native PAM module to e.g. plug SSH and console login into OPNsense and therefore all supported OPNsense methods (making 2FA work with these low-level types). I think this will be used to remove Xauth capabilities from IPsec as well in order to be able to do a patch-free StrongSwan authentication.

Furthermore, there is a fully pluggable authentication framework in opnsense-devel (what is going to be 17.1) so that new methods can be written without the firmware updates getting in the way.

And one contributor is working on Single-Sign-On for the proxy, which required some larger changes that have been phased into the system since 16.7.x.

17.1 will be all about authentication, and I don't see why LDAP+2FA can't be part of it as well. But let me double-check to be sure...


Cheers,
Franco

PS: For most of these changes, we do not have to wait for January 2017 when people help test these features on opnsense-devel we can backport them to 16.7.x sooner.

Hello Franco,

I think that this enhancement is not yet developed, is it? If not, is this finally included in any roadmap?

Thanks,
Best regards