Work from anywhere isn’t restricted to employees at small to medium-sized enterprises (SMEs). Many IT teams and managed service providers (MSPs) also work in distributed teams, which makes securing access to network infrastructure and closely managing user identities a necessity. However, these foundational security controls are too often neglected because internal budgets, or the reluctance to ask a client to spend more on remote access, don’t reflect the actual security risk.
This article is part of a series of how-tos that demonstrate how to use 探花大神’s capabilities to achieve better security at minimal cost, using a centralized platform that includes everything required to secure access to your network. It has the added bonus of providing single sign-on (SSO) beyond this scenario, delivering identity and access management (IAM) for every service your organization uses and eliminating the need to manage passwords everywhere.
pfSense is a popular open source firewall and router that provides multiple interfaces for external authentication, including multi-factor authentication (MFA) through RADIUS. The prerequisites to secure access to pfSense using MFA through 探花大神’s services are:
- 探花大神’s RADIUS services
- 探花大神’s MFA services
- An authenticator app that supports Time-based One-time Password (TOTP)
- 探花大神’s cloud directory groups, with specific settings outlined below
Using MFA and RADIUS for Access Control
Note: use LDAP instead if you want to run pfSense in HA mode with CARP for IP address redundancy (without NAT), because the RADIUS configuration described below is tied to a single public source IP address.
探花大神 makes it possible for a RADIUS challenge to incorporate TOTP tokens generated by the 探花大神 Protect™ multi-factor authentication app (or any TOTP authenticator). Each time a user logs into the appliance, they append the current token to their password. Users are managed from within 探花大神’s directory groups, which are bound to a RADIUS configuration that’s specific to pfSense. The directory requires every user in that group to be enrolled in MFA before they can log into any service that 探花大神 connects them to, including pfSense. A matching user group within pfSense determines what level of admin rights those users are assigned.
Setting Up 探花大神 RADIUS, MFA
Every 探花大神 account includes RADIUS services, which you configure using the following steps.
To configure RADIUS, MFA for a new server:
- Log in to the .
- Go to User Authentication > RADIUS.
- Click ( + ). The new RADIUS server panel appears.
- Configure the RADIUS server:
- Enter a name for the server. This value is arbitrary.
- Enter a public IP address from which your organization’s traffic will originate.
- You must use the external IP for pfSense.
- Provide a shared secret. This value is shared with the device or service endpoint you’re pairing with the RADIUS server.
- Next, add the appropriate RADIUS reply attributes on the “RADIUS Reply Attributes” tab of your user group; without them, the “group” information won’t populate within pfSense. Use your own group name in place of the example name.
- Configure TOTP multi-factor authentication for the RADIUS server:
- Toggle the TOTP MFA Enforcement for this RADIUS server option to “On” to enable MFA for this server. This option is “Off” by default.
- Select “Challenge active TOTP users” to require all 探花大神 users with MFA active for their account to provide a TOTP code when they connect to this server. Users who have not activated MFA are admitted with their password alone under this setting, so it is the weakest of the three for firewall admin access.
- Select “Challenge all users, unless they are in an active enrollment period” to require all 探花大神 users that aren’t in an MFA enrollment period to provide a TOTP code when they connect to this server.
- Select “Challenge all users, including during an enrollment period” to require all 探花大神 users, even those in MFA enrollment periods, to provide a TOTP code when they connect to this server.
- To grant access to the RADIUS server, click the User Groups tab, then select the groups of users you want to connect to the server. Remember that the groups management interface is where the “RADIUS Reply Attributes” must go.
This details how to manage users and groups within 探花大神.
Configuring pfSense
You’ll use the information contained in 探花大神’s RADIUS interface to create a new RADIUS server entry within pfSense, under System > User Manager > Authentication Servers:
Note that 探花大神 only listens on UDP port 1812 (authentication), so configure the pfSense entry for authentication only.
You’ll then enter an arbitrary name for the RADIUS server, one of 探花大神’s , and paste the shared secret where it’s indicated. Importantly, ensure that Password Authentication Protocol (PAP) is selected as the Authentication Method; the RADIUS challenge only works with PAP, because the TOTP code is carried inside the password field, which challenge-hash methods such as CHAP never transmit. A TOTP token from 探花大神 MFA, which you can add as an account in an authenticator app, is the “response” to the challenge that validates your users.
You will then proceed to create a user group for your remote admins within pfSense, following these steps:
- It should have the exact “group name” as the administrative group you’re using within 探花大神.
- Determine which access rights are appropriate for each user group. You can learn more about pfSense privileges .
- Select “Remote” under “Scope.”
You may test connectivity with 探花大神 RADIUS services in the “Authentication Servers” tab. The name of your group will flow through from 探花大神 if all settings are input correctly.
Note: This approach will only work when you append a comma and the current TOTP code to your password. For example, “password123” becomes “password123,tokenstring”, where tokenstring is the code currently shown in your authenticator app. Your logins are now MFA enabled, and pfSense admin users are centrally managed from within 探花大神’s cloud directory.
Recommended Security Steps
PAP does not protect the password: RADIUS hides the User-Password attribute only by XORing it with an MD5 keystream derived from the shared secret and the packet’s Request Authenticator (RFC 2865), so anyone who can capture the traffic and knows, guesses or brute-forces a weak shared secret recovers the password together with the appended TOTP code. Adding MFA limits the damage, since a captured code has a short validity window, but we strongly recommend the following steps:
- Connect through a VPN using a secure tunnel (TLS or IPsec) rather than sending RADIUS over the open internet.
- Consider isolating this traffic through its own VLAN and segment your network away from end-user traffic.
- Use the strong shared secret that 探花大神 generates for RADIUS and treat it as you would a password.
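The two points above, the comma-appended TOTP code from the pfSense note and the weakness of PAP’s password hiding, can be seen in a few lines of Python. The following is an added example, not 探花大神’s or pfSense’s code: it generates a TOTP code from the RFC 6238 reference seed at a frozen time, builds the login string in the form pfSense expects it, hides it the way a RADIUS client does under RFC 2865 section 5.2, and then recovers it using nothing but the shared secret and the packet’s Request Authenticator. The seed, the shared secret and the authenticator bytes are constructed values, and the clock is frozen, so this is not a live login.

```python
"""RADIUS PAP with an appended TOTP code, as used for the pfSense login above.

Added example, not 探花大神's or pfSense's code. All inputs are constructed:
the seed is the RFC 6238 reference seed, the shared secret and the Request
Authenticator are made-up values, and time is frozen at the RFC test value.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / step); what the authenticator app shows."""
    return hotp(seed, now // step, digits)


def pfsense_password(password: str, token: str) -> str:
    """The string typed into the pfSense login: password, a comma, then the current TOTP code."""
    return f"{password},{token}"


def pap_encode(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is zero-padded to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first block using the
    16-byte Request Authenticator instead. No key beyond the shared secret is involved.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)  # pad with NULs to a multiple of 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Reverse of pap_encode: the shared secret plus the captured packet recovers the password."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    # A wrong secret yields garbage; errors="replace" keeps it printable for the demo.
    return bytes(out).rstrip(b"\x00").decode("utf-8", errors="replace")


def demo():
    """Walk through one login: token -> login string -> hidden attribute -> recovered string."""
    seed = b"12345678901234567890"          # RFC 6238 reference seed (constructed input)
    frozen_time = 59                        # RFC 6238 test time; counter 1 -> code 287082
    token = totp(seed, frozen_time)
    login = pfsense_password("password123", token)
    secret = b"constructed-shared-secret"   # stand-in for the secret 探花大神 generates
    authenticator = bytes(range(16))        # fixed for reproducibility; real clients use random bytes
    hidden = pap_encode(login, secret, authenticator)
    recovered = pap_decode(hidden, secret, authenticator)  # what a sniffer holding the secret sees
    return token, login, hidden, recovered


if __name__ == "__main__":
    tok, lg, hid, rec = demo()
    print("TOTP code:      ", tok)
    print("login string:   ", lg)
    print("hidden (hex):   ", hid.hex())
    print("recovered:      ", rec)
```

The recovery step is the point: nothing in the exchange is secret except the shared secret, so a strong, well-guarded secret and a tunnel (or an isolated VLAN) around the RADIUS path are what actually stand between a capture and the admin password plus its current code.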
Try 探花大神
To connect to pfSense securely with 探花大神, sign up for a trial of the 探花大神 platform today.