Does pfSense have a user password failure lockout policy? I’m specifically interested in OpenVPN and the local database (not LDAP or Radius) users. I would like to know if repeated failures will either temporarily or permanently lock the account.
This is important for the UK NCSC Cyber Essentials certification. Section A5 requires that externally accessible services, such as VPN, provide measures to stop brute force attacks - password guessing.
If it is the case - I looked hard but could not find it in the pfSense docs. I have posted a similar question in the Netgate community forum. If I get a reply from there I will update this thread.
To my knowledge, if you are using the built-in pfSense FreeRadius server, it doesn’t have built-in lockouts for user/pass, just rate limiting. If you are using an external server such as Microsoft AD, then you would set the policy there.
I have found that the pfSense FreeRadius package you refer to does provide lockout on failed logins within its Settings page, within ‘mobile one-time-password configuration’. It’s something I can look into.
PS. Thank you @LTS_Tom for your videos (more than one!) on the FreeRadius subject!
A NetGate admin has confirmed on the NetGate community forum that OpenVPN authentication failures will not lock local accounts. So I have now added FreeRadius and set it for 2FA and added a Radius user with 2FA enabled - it works!
Those who follow me should refer to these two YouTube videos by @LTS_Tom