  1. #1
    Untangle Ninja YeOldeStonecat
    Join Date
    Aug 2007
    Posts
    1,558

    MFA admin access to Untangle

    So I've seen this in more and more questionnaires by cyberinsurance/risk management...."MFA required for all external AND internal access to firewalls/routers".

    I realize externally, I can sorta/almost fudge this with Command Center, and simply no https access from the WAN side.
    But internally...I'm not aware of any method to BLOCK/STOP web management of Untangle internally...without side effects of losing the "block" pages.

    I have one client that I've had on a paid NG Complete plan for over 10 years, he's in insurance himself, needs to check the boxes by January. Wondering if any solutions were found by users here, or...if there is hope on the roadmap. Or..if I have to start replacing quite a few Untangle appliances with another product at clients who are having these requirements come up.
    Resident "Geek on a Harley" in Southeast Connecticut, USA.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,236


    Config -> Administration -> Restrict Administration Subnet(s).

    Feed it 127.0.0.1, and poof... no more local admin unless you're physically on the box. Command Center still worked when I tested this...

    But yeah, TOTP on the actual admin login should have been a thing two years ago, I've been asking... heck it was even promised! Instead what we got was TOTP for OpenVPN! Which while handy, when the admin login isn't also TOTP protected is utterly worthless.
    Last edited by sky-knight; 11-11-2021 at 11:03 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Mar 2020
    Location
    UK
    Posts
    90


    Yup and for this reason I'll be cancelling my subscription this year.

  4. #4
    Untangle Ninja YeOldeStonecat
    Join Date
    Aug 2007
    Posts
    1,558


    Quote Originally Posted by sky-knight View Post
    Config -> Administration -> Restrict Administration Subnet(s).

    Feed it 127.0.0.1, and poof... no more local admin unless you're physically on the box. Command Center still worked when I tested this...
    Hmmm....Thanks Rob,
    So disable WAN http/s, and do your trick to effectively disable LAN http, this does leave just command center access, which...sorta/kinda/almost has a weak version of MFA. One could fudge a check in that box for the compliance questionnaire and not lose too much sleep over a little fib.

    One needs faith that Command Center will always work. And of course you do have local...from the appliance access like you said, plugging the old HDMI monitor and keyboard in. This solution I guess is as sufficient as we can get. Wish we had true MFA on LAN access and even WAN, ...we can dream.

    Re: MFA on OpenVPN...yeah, just when we get excited about WireGuard VPN, and replace that on all our clients and enjoy that wonderful VPN experience, no MFA on that, so our clients that need MFA on remote access, we have to go backwards and redeploy old school PPTP VPN...I mean....OpenVPN. Blech.
    Resident "Geek on a Harley" in Southeast Connecticut, USA.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,236


    Quote Originally Posted by YeOldeStonecat View Post
    Hmmm....Thanks Rob,
    So disable WAN http/s, and do your trick to effectively disable LAN http, this does leave just command center access, which...sorta/kinda/almost has a weak version of MFA. One could fudge a check in that box for the compliance questionnaire and not lose too much sleep over a little fib.

    One needs faith that Command Center will always work. And of course you do have local...from the appliance access like you said, plugging the old HDMI monitor and keyboard in. This solution I guess is as sufficient as we can get. Wish we had true MFA on LAN access and even WAN, ...we can dream.

    Re: MFA on OpenVPN...yeah, just when we get excited about WireGuard VPN, and replace that on all our clients and enjoy that wonderful VPN experience, no MFA on that, so our clients that need MFA on remote access, we have to go backwards and redeploy old school PPTP VPN...I mean....OpenVPN. Blech.
    If you enable MS SSO you get full MFA on the Untangle.com account. I have yet to succeed at such without locking myself out though. I do have TOTP on my Untangle.com account, and I require the local password to get into each device. That's a bit more than 2FA, so yeah I don't bat an eyelash at ticking that box in that circumstance.

    Still, TOTP on the local admin UI solves ALL OF THIS without any thought, effort, or planning.

    I know you're a huge Unifi guy... their controller doesn't do local TOTP either. It's infuriating.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangle Ninja YeOldeStonecat
    Join Date
    Aug 2007
    Posts
    1,558


    Quote Originally Posted by sky-knight View Post
    I know you're a huge Unifi guy... their controller doesn't do local TOTP either. It's infuriating.
    But their cloud account does, we have most of our sites at Hostifi which ties back to the UI account, which we have MFA'd...and keep our TOTP in HUDU. For the remaining few Cloud Keys and very few UDMs we have, we use the cloud account to log into those...so that's still MFA'd via that.
    Resident "Geek on a Harley" in Southeast Connecticut, USA.

  7. #7
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,236


    Quote Originally Posted by YeOldeStonecat View Post
    But their cloud account does, we have most of our sites at Hostifi which ties back to the UI account, which we have MFA'd...and keep our TOTP in HUDU. For the remaining few Cloud Keys and very few UDMs we have, we use the cloud account to log into those...so that's still MFA'd via that.
    Unless the Internet is down, then they revert. Something that has been exploited in the past.

    There's no substitution for local MFA on all this stuff, there's a reason the insurance companies are screaming for it. And it's going to be years before everything gets fixed.

    Once again Untangle screws the pooch, a simple thing to put it out in front of the competition. Instead I expect we'll get TOTP on the local admin UI in 2023 or so... given their track record.

    (I'd LOVE to eat my hat on this one guys)
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
