diff --git a/src/sbin/opnsense-auth b/src/sbin/opnsense-auth
new file mode 100755
index 000000000..952cf26b4
--- /dev/null
+++ b/src/sbin/opnsense-auth
@@ -0,0 +1,85 @@
+#!/usr/local/bin/php
+<?php
+/**
+ *    Copyright (C) 2016 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+require_once("config.inc");
+require_once("auth.inc");
+
+// parse received auth data (key=value combinations)
+//  user=<name>
+//  password=<password>
+//  service=<pam service> (to be implemented)
+$fp = fopen('php://stdin', 'r');
+$auth_data = array();
+while (!empty($line=trim(fgets($fp)))) {
+    $parts = explode("=", $line);
+    if (count($parts) >= 2) {
+        // key value pair
+        $propname = array_shift($parts);
+        $propvalue = implode("=", $parts);
+        $auth_data[$propname] = $propvalue;
+    }
+}
+
+$exit_status = -1;
+if (!empty($auth_data['user']) && !empty($auth_data['password'])) {
+    $authcfg = auth_get_authserver("Local Database");
+    $authcfg_fallback = auth_get_authserver("Local Database");
+
+    if (isset($config['system']['webgui']['authmode'])) {
+        $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
+    }
+
+    if (!empty($config['system']['webgui']['authmode_fallback'])) {
+        if ($config['system']['webgui']['authmode_fallback'] == "__NO_FALLBACK__") {
+            // no fallback
+            $authcfg_fallback = false;
+        } else {
+            $authcfg_fallback = auth_get_authserver($config['system']['webgui']['authmode_fallback']);
+        }
+    }
+
+    if (authenticate_user($auth_data['user'], $auth_data['password'], $authcfg)) {
+        // auth OK
+        syslog(LOG_NOTICE, "user '".$auth_data['user']."' authenticated successfully\n");
+        $exit_status = 0;
+    } elseif ($authcfg != $authcfg_fallback && $authcfg_fallback !== false &&
+      authenticate_user($auth_data['user'], $auth_data['password'], $authcfg_fallback)) {
+        // auth OK, using fallback
+        syslog(LOG_NOTICE, "user '".$auth_data['user']."' authenticated successfully (using fallback)\n");
+        $exit_status = 0;
+    } else {
+        syslog(LOG_WARNING, "user '".$auth_data['user']."' could not authenticate.\n");
+    }
+}
+
+// failed auth, return exit status -1
+closelog();
+exit($exit_status);