Overview

This document explains how to enable OpenOTP authentication on pfSense through Radius Bridge. For this recipe, you will need to have WebADM, OpenOTP and Radius Bridge installed and configured.

Register your pfSense in RadiusBridge

On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your pfSense VPN server:

client <pfSense Server IP> {
	secret = testing123
	shortname = pfSense
   }

Configuring New Radius Server on pfSense

Here, we will configure a new RADIUS Server through the pfSense GUI.
Go on the System tab and click on User Manager.

pfsense

In the Authentication Server tab, click on Add:

pfsense

Configure your WebADM server as a RADIUS server. Shared secret is previously defined in /opt/radiusd/conf/clients.conf.

pfsense

Click on Save when the configuration is done.

Configuring OpenOTP Authentication for OpenVPN Server on pfSense

In this how-to, we will not explain how to configure the OpenVPN server. Please refer to OpenVPN or pfSense documentation for this part.

pfsense

Now on your OpenVPN configuration, click on Servers tab and edit your OpenVPN server.

pfsense

For the Server mode setting, select Remote Access (User Auth) and for the backend authentication option, choose your RADIUS Server previously created, in my case 'WebADM'.

pfsense

It's done for the authentication part.

Configuring OpenOTP Authentication for IPsec

Same procedure as above, you have to select WebADM in the Extended Authentication (Xauth) if you use L2TP and IPsec:

pfsense

Configuring WebADM/OpenOTP Client Policy

OpenVPN doesn't manage the RADIUS challenge authentication. So, we will create a client policy to be able to log in on the OpenVPN server with OpenOTP and the concatenated mode (LDAP password+OTP in the same password field.)

Login on the WebADM GUI, click on Admin tab and click on Client Policies button.

pfsense

Click now on Add Client.

pfsense

Name your client policy as you prefer, click on Proceed button and on Create Object button.

pfsense

Now you are on the client policy configuration page. Edit the setting Client Name Aliases with the name of your pfsense server. In this case: pfsense.rcdevsdocs.com

This setting is very important, it will do the matching between the pfsense server and the client policy.

pfsense

After that, you can scroll down and check the box Forced Application Policies and click on Edit button.

In the Applications box on the top left, select MFA Authentication Server and now you are able to configure the desired OpenOTP settings for pfSense. Here, one setting interest us which is the Challenge Mode Supported. You have to set the setting to No because OpenVPN doesn't manage the RADIUS Challenge.
Of course, my default configuration of OpenOTP is set for LDAPOTP login mode.

pfsense

Click Apply twice, to save the policy configuration.

Now you can test the authentication.

Authentication Test

Before testing, you should have an activated User in WebADM/OpenOTP and a Token enrolled on your user account.

You can test an authentication through your VPN client or through the Authentication Diagnostic tool available on the pfSense GUI.

I will test through the diagnostic tool, so I select my WebADM server as Authentication server.

pfsense

In the password field, I put my LDAP password and my OTP.

e.g : password123456

Where 'password' is my LDAP password and '123456' is my OTP.

pfsense

And I'm successfully logged.

WebADM Logs

We can show in the WebADM logs that the Client policy previously created is called, the challenge mode is disabled and the authentication is a success with an OTP.

[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] New openotpSimpleLogin SOAP request
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] > Username: administrator
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] > Password: xxxxxxxxxxxxxx
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] > Client ID: pfSense
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] > Options: RADIUS,-U2F
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Enforcing client policy: pfSense (matched client ID)
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Registered openotpSimpleLogin request
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Resolved LDAP user: CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Started transaction lock for user
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found user language: EN
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found 1 user mobiles: +33xxxxxxxxx
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found 1 user emails: administrator@rcdevsdocs.com
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found 3 user certificates
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found 37 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=No,ChallengeTimeout=90,PushLogin=Yes,EnableLogin=Yes,AppKeyLength=10,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found 9 user data: LoginCount,RejectCount,LastOTP,TokenType,TokenKey,TokenState,Device1Name,Device1Data,Device1State
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Last OTP present (valid until 2017-10-25 14:54:30)
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Challenge mode disabled (assuming concatenated passwords)
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Found 1 registered OTP token (TOTP)
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Requested login factors: LDAP & OTP
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] LDAP password Ok
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] TOTP password Ok (token #1)
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Updated user data
[2017-10-25 14:52:20] [127.0.0.1] [OpenOTP:8VE13372] Sent success response