MFA admin access to Untangle

So I've seen this in more and more questionnaires by cyberinsurance/risk management...."MFA required for all external AND internal access to firewalls/routers".

I realize externally, I can sorta/almost fudge this with Command Center, and simply no https access from the WAN side.
But internally...I'm not aware of any method to BLOCK/STOP web management of Untangle internally...without side effects of losing the "block" pages.

I have one client that I've had on a paid NG Complete plan for over 10 years, he's in insurance himself, needs to check the boxes by January. Wondering if any solutions were found by users here, or...if there is hope on the roadmap. Or..if I have to start replacing quite a few Untangle appliances with another product at clients who are having these requirements come up.

Config -> Administration -> Restrict Administration Subnet(s).

Feed it 127.0.0.1, and poof... no more local admin unless you're physically on the box. Command Center still worked when I tested this...

But yeah, TOTP on the actual admin login should have been a thing two years ago, I've been asking... heck it was even promised! Instead what we got was TOTP for OpenVPN! Which while handy, when the admin login isn't also TOTP protected is utterly worthless.

Yup and for this reason I'll be cancelling my subscription this year.

Quote:

---

Originally Posted by sky-knight

Config -> Administration -> Restrict Administration Subnet(s).

Feed it 127.0.0.1, and poof... not more local admin unless you're physically on the box. Command Center still worked when I tested this...

---

Hmmm....Thanks Rob,
So disable WAN http/s, and do your trick to effectively disable LAN http, this does leave just command center access, which...sorta/kinda/almost has a weak version of MFA. One could fudge a check in that box for the compliance questionnaire and not loose too much sleep over a little fib.

One needs faith that Command Center will always work. And of course you do have local...from the appliance access like you said, plugging the old HDMI monitor and keyboard in. This solution I guess is as sufficient as we can get. Wish we had true MFA on LAN access and even WAN, ...we can dream.

Re: MFA on OpenVPN...yeah, just when we get excited about WireGuard VPN, and replace that on all our clients and enjoy that wonderful VPN experience, no MFA on that, so our clients that need MFA on remote access, we have to go backwards and redeploy old school PPTP VPN...I mean....OpenVPN. Blech.

Quote:

---

Originally Posted by YeOldeStonecat

Hmmm....Thanks Rob,
So disable WAN http/s, and do your trick to effectively disable LAN http, this does leave just command center access, which...sorta/kinda/almost has a weak version of MFA. One could fudge a check in that box for the compliance questionnaire and not loose too much sleep over a little fib.

One needs faith that Command Center will always work. And of course you do have local...from the appliance access like you said, plugging the old HDMI monitor and keyboard in. This solution I guess is as sufficient as we can get. Wish we had true MFA on LAN access and even WAN, ...we can dream.

Re: MFA on OpenVPN...yeah, just when we get excited about WireGuard VPN, and replace that on all our clients and enjoy that wonderful VPN experience, no MFA on that, so our clients that need MFA on remote access, we have to go backwards and redeploy old school PPTP VPN...I mean....OpenVPN. Blech.

---

If you enable MS SSO you get full MFA on the Untangle.com account. I have yet to succeed at such without locking myself out though. I do have TOTP on my Untangle.com account, and I require the local password to get into each device. That's a bit more than 2FA, so yeah I don't bat an eyelash at ticking that box in that circumstance.

Still, TOTP on the local admin UI solves ALL OF THIS without any thought, effort, or planning.

I know you're a huge Unifi guy... their controller doesn't do local TOTP either. It's infuriating.

Quote:

---

Originally Posted by sky-knight

I know you're a huge Unifi guy... their controller doesn't do local TOTP either. It's infuriating.

---

But their cloud account does, we have most of our sites at Hostifi which ties back to the UI account, which we have MFA'd...and keep our TOTP in HUDU. For the remaining few Cloud Keys and very few UDMs we have, we use use the cloud account to log into those...so that's still MFA'd via that.

Quote:

---

Originally Posted by YeOldeStonecat

But their cloud account does, we have most of our sites at Hostifi which ties back to the UI account, which we have MFA'd...and keep our TOTP in HUDU. For the remaining few Cloud Keys and very few UDMs we have, we use use the cloud account to log into those...so that's still MFA'd via that.

---

Unless the Internet is down, then they revert. Something that has been exploited in the past.

There's no substitution for local MFA on all this stuff, there's a reason the insurance companies are screaming for it. And it's going to be years before everything gets fixed.

Once again Untangle screws the pooch, a simple thing to put it out in front of the competition. Instead I expect we'll get TOTP on the local admin UI in 2023 or so... given their track record.

(I'd LOVE to eat my hat on this one guys)