
Certificate and password for web GUI for login? Basic instructions...Argggg


V3lcr0:
I read the Hangout video on User Management (very cool video!), googled (even DuckDuckGo'ed) trying to find out how to set up login to the WebGUI via password AND a certificate only. Even started to dabble with FreeRadius3...

Anybody willing to explain how to do this step-by-step'ish?

I know there are books on Certificates but hoping I could get help with this need...

I want to do this via my LAN (not ssh).

TIA....

johnpoz:
For someone that doesn't understand certs and/or VLANs... this seems to me like a very quick path to locking yourself out of the webgui.

Why not just limit GUI access to your management VLAN? Who would be on your management VLAN and also know what should be a good password, not just "pfsense" ;)

I will check out this hangout and post up some step by step pics though if you really want.

edit: Ok, just went through the slides in that hangout - there is no mention of cert auth of users to the GUI.. You mean you want to auth your users to your wifi with EAP-TLS?

Are you wanting to set up 2FA? That you could do with freerad and, say, Google Authenticator or Authy.. Are you wanting to just set up 802.1X auth for your wired network? What I think is happening with all of your recent posts is you hear some buzzword and want to do that, but not really understanding how these buzzwords function??

Pretty sure that smart D-Link switch (DGS1100) you have doesn't support 802.1X.

When you state cert auth to a webserver - what comes to mind would be https://en.wikipedia.org/wiki/Mutual_authentication; this is where the client has a cert and auths to the web server with that cert.. If you could maybe lay out the scenario you're wanting to set up, I'd be happy to help.

V3lcr0:
Would not be the first time I was locked out!!! :o

Thanks John...really appreciate the help. Here is my understanding and what I am trying to accomplish (correct, I do have a D-Link 1100 and Unifi AP...not sure this will handle what I am trying to accomplish):

My GUI access is set up to be accessed on my wired Native VLAN only (connected thru my DLink1100). I have disabled my anti-lockout rule and created a rule just for web GUI; I have my web GUI limited to my newly created management VLAN (aka Native, aka untagged VLAN, aka LAN IP)...big thanks to NogBadTheBad! What I wanted to do was set up a certificate to further secure this access. I was originally thinking, as you stated, of where a "client has a cert and auths to the web server with that cert.." as the solution, but a 2-step using Google Authenticator would be better as the authenticator would be on a separate device and likely easier to manage. I think Radius can handle this now with webGUI? If not, a certificate would be my goal for additional web GUI authentication.

I managed to set up 2FA (Google Authenticator) with a test user on pfSense/FreeRadius3 following this tutorial (https://blog.vonhewitt.com/2017/08/pfsense-openvpn-setup-with-freeradius3p2/); the only difference was I had to change the protocol setting to PAP (vs MS-CHAPv4??) in System->User Manager->Authentication Servers->Edit in order for it to work (when I say work, I got a confirmation when I tested the user in Diagnostics->Authentication). I have not implemented this for WebGUI access yet...other considerations? Will this work?

Awesome Hangout video this month, and the February 2015 one that discusses "User Management and Privileges"...just looking to implement the best practices. Gold membership was the best $99 I spent on security...thanks pfSense!

However I think my plunge into certificate management is inevitable for the following additional things I am trying to accomplish (probably a separate post):

1) Nice little green lock when I log into my pfSense GUI. I followed this tutorial (https://www.ceos3c.com/2017/03/24/pfsense-generate-ssl-certificate-https-pfsense/) about creating a self-signed CA...worked well in that I was able to see my CA in the lock, but unfortunately could not fully get the "Nice little green lock". I believe my issue has more to do with loading the CA in my OS (step 6) than a pfSense question. I can see my cert but not quite sure how to verify the SHA-256 and SHA1 fingerprint. From what I have read the "Nice little green lock" is not needed to have encryption, but it would be nice to verify the fingerprints. I can see the key on my browser cert but just need to verify the fingerprint numbers in the pfSense CAs.

2) 2FA or cert authorisation on my VLAN SSIDs being broadcast on my Unifi AP...again not sure my D-Link switch can handle this.

Thank you again for any help!

johnpoz:
I have posted multiple times on how to get the pretty green lock.. It is as simple as having your browser trust your CA.. It really is click click... let me dig up a few of those past posts. I also have my SG300 switches using these certs, my unifi controller, and actually the web interfaces to OpenVPN running on some VPS out on the net, etc.

Sure, make sure you set up the freerad to listen on localhost, set up auth server for localhost..

I use EAP-TLS on my wifi.. I am pretty sure I have posted how to do this before multiple times.. If not, or it's dated, I can do that again for sure..

Here is a link about the switches and the webgui for unifi:
https://forum.pfsense.org/index.php?topic=141496.0

Here is one of the many links going over the webgui cert:
https://forum.pfsense.org/index.php?topic=118807.0

I have a bunch of pictures in that one going over exactly doing it.

Why would you need to verify the fingerprint of a cert you just downloaded from your pfsense webgui on your own local network?? Really?? Overthinking this a bit much ;)

I am curious who exactly is on your network that you're using for your management VLAN that would be able to access your pfsense webgui?? I am all for extra security when warranted... But you're talking a secure private network - where the only person that should have access to the webgui would be you and your devices on your home network.. 2FA in this case is over the top pointless... And pretty much the only thing it will most likely accomplish is you locking yourself out.
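For anyone who does still want to do the fingerprint comparison V3lcr0 asked about earlier in the thread, here is an added example (not from the thread, and not pfSense's own code) that turns a PEM-encoded CA certificate into the same SHA-256 or SHA-1 fingerprint a browser's certificate viewer or pfSense's CA page displays, and compares it against a value pasted from that other channel. Only the Python standard library is used. The certificate bytes in `SAMPLE_DER` are constructed so the block runs offline; they are not a parseable certificate, only something to hash. The comparison normalises the colon/space/case differences between viewers, which is the usual reason two fingerprints "don't match" when they actually do.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of a single certificate and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3
            or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("expected exactly one PEM-encoded certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER bytes and render as colon-separated uppercase hex pairs,
    the layout most certificate viewers (and pfSense's CA list) use."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(shown: str) -> str:
    """Drop colons, spaces and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", shown.lower())


def fingerprints_match(shown: str, computed: str) -> bool:
    a, b = normalize_fingerprint(shown), normalize_fingerprint(computed)
    if not a or len(a) != len(b):
        return False
    return hmac.compare_digest(a, b)


def check_pem_against(pem: str, shown: str) -> bool:
    """Pick the hash by the length of the pasted value (64 hex = SHA-256,
    40 hex = SHA-1) and compare it with the fingerprint of the PEM."""
    length = len(normalize_fingerprint(shown))
    algo = {64: "sha256", 40: "sha1"}.get(length)
    if algo is None:
        raise ValueError("fingerprint is neither SHA-256 nor SHA-1 length")
    return fingerprints_match(shown, fingerprint(pem_to_der(pem), algo))


if __name__ == "__main__":
    # Typical use: read the CA certificate exported from pfSense and compare it
    # with the fingerprint copied from the browser's certificate viewer.
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
```

The point of comparing across two independent channels (the file you exported versus what the browser shows for the connection) is that a substituted certificate would still render a padlock once trusted, but would not produce the fingerprint of the CA you actually generated.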

V3lcr0:
Thanks John...this is definitely good stuff! I am using Firefox Quantum and can't seem to get the "Nice little green lock" to come on, but I am OK just using my own cert in the short term and watching for changes in cert requests when I login. I am still encrypted from what I have read. It seems pretty straightforward, and while your instructions are geared around Chrome (and excellent...you are awesome!) it seems easily translatable to Firefox, but I can't get it to work. I am not sure this actually gives me any better protection anyway, besides the "Nice little green lock". I think this is new and unique to Firefox Quantum: https://support.mozilla.org/en-US/questions/1175296. From what I gather it requires an additional cert in the OS. The solution with Firefox seems like you get the "Nice little green lock" but lose the additional Firefox security.

I will definitely start implementing additional encryption and authorization on my switch (if it can handle it), AP and wireless. This is great, thank you again.

My biggest concern still lies with additional access to the web GUI (front door). I dug into FreeRadius more and I don't think 2FA is possible yet with Google Authenticator for the webGUI (I think?).

Protecting my Native VLAN seems key to protecting my whole network...I have lived thru fake certs and a compromised network and it is bad!!!! Spoofed emails, money stolen, identity theft...

I am OK with that fine line of being locked out...I have my back-ups. What I am trying to accomplish is security above a password for my GUI; I think your link is what I am looking for (https://en.wikipedia.org/wiki/Mutual_authentication). I would keep this "key" or "cert" in my dedicated admin browser/computer and with this key I would be authenticated into my pfSense box (anything else would be denied).

Thanks again...my tinfoil hat is tight!!!
