mirror of https://github.com/opnsense/docs
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
111 lines
4.1 KiB
ReStructuredText
111 lines
4.1 KiB
ReStructuredText
7 years ago
|
=========================================
|
||
|
Configure 2FA TOTP & Google Authenticator
|
||
|
=========================================
|
||
|
This how-to will show you how to setup a One-time Password 2 Factor Authentication
|
||
|
using OPNsense and Google's Authenticator. All services of OPNsense can be used
|
||
|
with this 2FA solution, with the exception of console/ssh access.
|
||
|
|
||
|
.. image:: /manual/images/two_factor_authentication.png
|
||
|
:scale: 100%
|
||
|
|
||
|
.. Note::
|
||
|
|
||
|
To use the same feature with any time based one-time password token just enter
|
||
|
the seed into the field in step 3 instead of creating a new seed. The seed needs
|
||
|
to be in base32 format.
|
||
|
|
||
|
--------------------------------------
|
||
|
Step 1 - Add New Authentication Server
|
||
|
--------------------------------------
|
||
|
To add a TOTP server go to **System->Access-Servers** and press **Add server** in
|
||
|
the top right corner. Then fill in the form as follows:
|
||
|
|
||
|
====================== =================================== ========================================
|
||
|
**Descriptive name** TOTP Server *Choose a server name*
|
||
|
**Type** Local+Timebased One Time Password *Select the TOTP server Type*
|
||
|
**Token length** 6 *6 for Google Authenticator*
|
||
|
**Time window** *Leave Empty for Google Authenticator*
|
||
|
**Grace period** *Leave Empty for Google Authenticator*
|
||
|
====================== =================================== ========================================
|
||
|
|
||
|
-------------------------------------
|
||
|
Step 2 - Install Google Authenticator
|
||
|
-------------------------------------
|
||
|
Go to the App Store of your platform and search for Google Authenticator.
|
||
|
Install using the normal procedure for your device.
|
||
|
|
||
|
---------------------------
|
||
|
Step 3 - Add or modify user
|
||
|
---------------------------
|
||
|
For this example we will create a new user, go to **System->Access-Users** and click
|
||
|
on the plus sign in the lower right corner.
|
||
|
|
||
|
Enter a **Username** and **Password** and fill in the other fields just as you would
|
||
|
do for any other user. Then select the **Generate new (160bit) secret** under **OTP seed**.
|
||
|
|
||
|
When done press **Save**.
|
||
|
|
||
|
-------------------------------------------------
|
||
|
Step 4 - Activate Authenticator for this OTP seed
|
||
|
-------------------------------------------------
|
||
|
To activate your new OTP seed on the Google Authenticator, first reopen the user
|
||
|
you just created by clicking on the pencil icon.
|
||
|
|
||
|
.. image:: images/OTP_seed.png
|
||
|
:scale: 100%
|
||
|
|
||
|
Now it will show a QR code:
|
||
|
|
||
|
.. image:: images/otp_qr_code.png
|
||
|
:scale: 100%
|
||
|
|
||
|
.. Warning::
|
||
|
|
||
|
Be very careful with the seed or QR code as this is the only thing you need
|
||
|
to calculate the token. **KEEP YOUR SEED/QR CODE SAFE !**
|
||
|
|
||
|
|
||
|
Now open your Google Authenticator application and select the option to start the
|
||
|
configuration and then scan the QR code or alternatively enter the seed directly.
|
||
|
|
||
|
.. image:: images/iphone_qr_scan.png
|
||
|
:scale: 100%
|
||
|
|
||
|
-----------------------
|
||
|
Step 5 - Test the token
|
||
|
-----------------------
|
||
|
For testing the user authentication, OPNsense offers a simple tester.
|
||
|
Go to **System->Access->Tester**
|
||
|
|
||
|
Select the Authentication server you have configured, and enter the user name.
|
||
|
Then enter the ***token** + **password**, remember the order
|
||
|
is token and then password **in the same field**.
|
||
|
|
||
|
.. Note::
|
||
|
Password field should be used to enter both token and your password, like:
|
||
|
**Password:** 123456PASSWORD
|
||
|
|
||
|
|
||
|
Hit the test button and if all goes well you should see *successfully authenticated*.
|
||
|
|
||
|
.. image:: images/system_access_tester.png
|
||
|
:scale: 100%
|
||
|
|
||
|
------------------------
|
||
|
Step 6 - Using the token
|
||
|
------------------------
|
||
|
To use the token in any application/service that you have configured, just open
|
||
|
the Google Authenticator and add the created token/key **before** your regular password.
|
||
|
|
||
|
.. Warning::
|
||
|
Remember, you need to enter the token **before** you password!
|
||
|
And the password field should be used to enter both token and your password,
|
||
|
like: **Password:** 123456PASSWORD
|
||
|
|
||
|
|
||
|
The code will change every 30 seconds.
|
||
|
Sample code:
|
||
|
|
||
|
.. image:: images/google_token_sample.png
|
||
|
:scale: 25%
|