RCDEV With PFSENSE


Bilal AlAli
Oct 17, 2017, 2:23:26 AM
to RCDevs Security Solutions - Technical
I really need help with the below:

I already configured RCDevs with LDAP Active Directory and it is working fine. I already configured pfSense with LDAP Active Directory and it is working fine with OpenVPN. How to link both, so that when I use OpenVPN it should be with 2FA?

francois...@rcdevs.com
Oct 17, 2017, 2:54:02 AM
to RCDevs Security Solutions - Technical
Hi Bilal,

You can use the RADIUS protocol for VPN authentication.

More info here:
https://www.rcdevs.com/docs/howtos/radius_bridge/rb_manual/
Bilal AlAli
Oct 21, 2017, 2:53:38 PM
to RCDevs Security Solutions - Technical
So many thanks, now I start it all over because I got confused :)
The help I need is with understanding how to put it all together. I am able to start the appliance, make the LDAP with my Active Directory and create user OTP with no problems. How to make this work with my firewall, pfSense? Who is my real RADIUS server? Is it the pfSense or my Active Directory? And how to make the scenario work?

I am using the OpenVPN which comes as a package with pfSense 2.4, so my VPN server is the same IP as my firewall.

I would really appreciate some summary to let me put it all together.

francois...@rcdevs.com
Oct 23, 2017, 3:02:21 AM
to RCDevs Security Solutions - Technical
Hi Bilal,

In this case, the RADIUS server will be WebADM with Radius Bridge. You need to configure pfSense as a RADIUS client.

Bilal AlAli
Oct 26, 2017, 7:59:32 AM
to rcdevs-t...@googlegroups.com
Hi, so how to make the OTP RADIUS server? I already have the RCDevs installation, configured with Active Directory through LDAP. I already made a token for the user inside my Active Directory and it works through the Windows agent. What I need is how to make the same using OpenVPN through pfSense.

--
You received this message because you are subscribed to the Google Groups "RCDevs Security Solutions - Technical" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rcdevs-technical+unsubscribe@googlegroups.com.
To post to this group, send email to rcdevs-technical@googlegroups.com.
Visit this group at https://groups.google.com/group/rcdevs-technical.
For more options, visit https://groups.google.com/d/optout.

francois...@rcdevs.com
Oct 26, 2017, 8:16:32 AM
to RCDevs Security Solutions - Technical
Great news, we have new documentation for pfSense:


On Tuesday, October 17, 2017 at 9:54:02 AM UTC+3, francois...@rcdevs.com wrote:
Hi Bilal,

You can use the RADIUS protocol for VPN authentication.

More info here:
https://www.rcdevs.com/docs/howtos/radius_bridge/rb_manual/

Bilal AlAli
Oct 27, 2017, 10:39:29 PM
to RCDevs Security Solutions - Technical
Hi;

I made a successful radtest with the token password but I can't authenticate, please see below:
Sent Access-Request Id 53 from 0.0.0.0:45980 to 192.168.0.100:1812 length 83
        User-Name = "administrator"
        User-Password = "990647"
        NAS-IP-Address = 192.168.0.250
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "990647"
Received Access-Accept Id 53 from 192.168.0.100:1812 to 0.0.0.0:0 length 44
        Reply-Message = "Authentication success"



[2017-10-28 04:16:52] [192.168.0.100] [OpenOTP:E9MC09W8] New openotpSimpleLogin SOAP request
[2017-10-28 04:16:52] [192.168.0.100] [OpenOTP:E9MC09W8] > Username: administrator
[2017-10-28 04:16:52] [192.168.0.100] [OpenOTP:E9MC09W8] > Password: xxxxxx
[2017-10-28 04:16:52] [192.168.0.100] [OpenOTP:E9MC09W8] > Options: RADIUS,-U2F
[2017-10-28 04:16:52] [192.168.0.100] [OpenOTP:E9MC09W8] Registered openotpSimpleLogin request
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Ignoring member 'CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=MushExch,DC=local' for group 'CN=Administrator,CN=Users,DC=MushExch,DC=local' (out of domain group search base)
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Ignoring member 'CN=Administrators,CN=Builtin,DC=MushExch,DC=local' for group 'CN=Administrator,CN=Users,DC=MushExch,DC=local' (out of domain group search base)
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Resolved LDAP user: CN=Administrator,CN=Users,DC=MushExch,DC=local
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Resolved LDAP groups: group policy creator owners,domain admins,enterprise admins,schema admins,denied rodc password replication group
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Started transaction lock for user
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Found user language: EN
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Found 2 user mobiles: 
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Found 1 user emails: Admini...@mydomain.com
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Found 37 user settings: LoginMode=OTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=No,ChallengeTimeout=60,ChallengeLock=No,EnableLogin=Yes,AppKeyLength=20,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Found 5 user data: LoginCount,RejectCount,TokenType,TokenKey,TokenState
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Found 1 registered OTP token (TOTP)
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Requested login factors: OTP
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] TOTP password Ok (token #1)
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Updated user data
[2017-10-28 04:16:53] [192.168.0.100] [OpenOTP:E9MC09W8] Sent success response


What is missing!! I need to connect to OpenVPN using only username and OTP password; as above, the test passed in the ldaptest?!
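The radtest exchange above, as an added example that is not from the original thread or from RCDevs: a minimal RADIUS client in Python that builds the same Access-Request pfSense sends to the Radius Bridge (User-Name, PAP-hidden User-Password, NAS-IP-Address, NAS-Port and Message-Authenticator, which is exactly the 83-byte packet in the radtest output), plus the server-side Response Authenticator computation so the reply can be verified before an accept is trusted. The shared secret, username and OTP in the test are constructed values.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, REPLY_MESSAGE, MSG_AUTH = 1, 2, 4, 5, 18, 80

def pap_hide(data, secret, authenticator, reveal=False):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    data = data.ljust(-(-len(data) // 16) * 16, b"\x00")  # pad to a multiple of 16 bytes
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if reveal else block)  # chain on the ciphertext block
    return out

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attrs(payload):
    attrs, i = [], 0
    while i < len(payload):
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs

def build_access_request(ident, secret, username, password, nas_ip):
    """Access-Request as the RADIUS client (pfSense) sends it to the Radius Bridge."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, pap_hide(password.encode(), secret, req_auth))
    attrs += attr(NAS_IP, socket.inet_aton(nas_ip)) + attr(NAS_PORT, struct.pack("!I", 0))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + req_auth
    # Message-Authenticator (RFC 3579 3.2): HMAC-MD5 over the packet with this attribute zeroed
    mac = hmac.new(secret, head + attrs + attr(MSG_AUTH, b"\x00" * 16), hashlib.md5).digest()
    return head + attrs + attr(MSG_AUTH, mac), req_auth

def make_reply(code, ident, req_auth, secret, message):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attr(REPLY_MESSAGE, message.encode())
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply, ident, req_auth, secret):
    """Accept the reply only if it matches our request ID and was computed with our shared secret."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret, or spoofed/stale reply")
    msgs = [v.decode() for t, v in parse_attrs(reply[20:length]) if t == REPLY_MESSAGE]
    return code == ACCESS_ACCEPT, " ".join(msgs)
```

For a live check, send the datagram from build_access_request over UDP to port 1812 of the Radius Bridge host and pass the reply to verify_reply; a ValueError there means the shared secret on pfSense and on the Radius Bridge do not match.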



francois...@rcdevs.com
Oct 30, 2017, 4:01:46 AM
to RCDevs Security Solutions - Technical
It's OK at the OpenOTP level and the RADIUS level, so the problem should be at the pfSense level.

Yoann Traut (RCDevs)
Oct 30, 2017, 4:32:09 AM
to RCDevs Security Solutions - Technical
Hello,

Could you show us the OpenVPN logs through the pfSense GUI?

Regards

Bilal AlAli
Oct 31, 2017, 6:11:06 PM
to RCDevs Security Solutions - Technical
Hi, I solved that issue. The final issue I have is the steps to apply scenario 2 in the push server. I already registered a trial user.