Solved

Group Policy password policy and OpenVPN

Posted on 2011-03-08
1,316 Views
Last Modified: 2012-08-14
HELP!!

In summary, we have a standard GPO pushing out our password policy (standard MS) which is working fine on our LAN/WAN.

However we are having an issue with our OpenVPN users.

Breakdown

- Their computer is a domain computer

- They connect back to the wan via OpenVPN using their AD credentials

- The OpenVPN server authenticates back to AD using LDAP

- If the user hasn't changed his password before the last day of the policy (i.e. passwords have to be changed every 45 days), he is then unable to, as on the last day OpenLDAP will no longer see his password as being valid.

Any ideas?

Tony
Question by:aeason27
13 Comments
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 35076048
Hi,

Unfortunately I think there is no solution to that with a non-Microsoft VPN solution.

As an example, with RADIUS authentication you'll have the same problem, unless your RADIUS server is able to use the MS-CHAPv2 protocol to authenticate against the DCs, because only MS-CHAPv2 is able to understand the failure reason sent back by the DC when the password is expired.

In your case, when your OpenVPN server authenticates by LDAP against the DC, it cannot know why the authentication is refused.

Have a good day
 
LVL 70

Expert Comment

by:Qlemo
ID: 35080568
If LDAP cannot provide the reason for failing (to differentiate between "password wrong" and "expired") - which would allow using a client authentication script in OpenVPN to provide an "emergency login", e.g. by resetting the password to something well-known but immediately expiring - the only alternative I see is NOT to use LDAP authentication for OpenVPN.
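The comment above hinges on whether the bind failure tells the VPN side why it failed. Against Active Directory it does: when a simple bind is rejected with invalidCredentials (LDAP result 49), AD's diagnostic message carries an "AcceptSecurityContext error, data NNN" field, and the data code separates a wrong password (52e) from an expired one (532) or a forced reset (773). The block below is an added example, not code from the thread or from OpenVPN: it parses that message and turns it into the accept/deny decision an auth-user-pass-verify script would return (exit 0 accepts, non-zero rejects). The sample diagnostic strings are constructed in AD's format; the DSID and trailing version fields in them are placeholders. Doing the actual bind (with python-ldap or ldap3) and reading the diagnostic message from the exception is left out so the example runs offline; note also that these codes are Microsoft-specific and a non-AD LDAP server will not emit them.

```python
"""Classify an Active Directory LDAP bind failure by its AD sub-error code.

Added example, not part of the original thread. Intended to sit inside an
OpenVPN auth-user-pass-verify script: after the bind attempt against the DC,
feed the server's diagnostic message to vpn_decision() and exit 0 or 1.
"""
import re

# AD sub-error codes seen in the bind diagnostic message (hex, lower case).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Codes where the password itself was correct but the account is in a
# "change password" state; these are the cases the thread is about.
PASSWORD_CHANGE_REQUIRED = {"532", "773"}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def ad_bind_data_code(diagnostic_message):
    """Return the AD data code (e.g. '532') from a bind diagnostic message, or None."""
    m = _DATA_RE.search(diagnostic_message or "")
    return m.group(1).lower() if m else None


def classify_bind_failure(diagnostic_message):
    """Human-readable reason for a failed bind; 'unknown' if no AD code is present."""
    code = ad_bind_data_code(diagnostic_message)
    return AD_BIND_DATA_CODES.get(code, "unknown") if code else "unknown"


def vpn_decision(bind_succeeded, diagnostic_message=""):
    """Decide what the auth script should do with an LDAP bind result.

    Returns (accept, reason). 'accept' becomes the script's exit status
    (True -> exit 0, OpenVPN accepts; False -> exit 1, OpenVPN rejects).
    Expired / must-reset are reported separately so the server log shows the
    real cause; whether to grant such users a restricted "change your
    password" session is a policy choice, so this function denies them.
    """
    if bind_succeeded:
        return True, "ok"
    code = ad_bind_data_code(diagnostic_message)
    if code in PASSWORD_CHANGE_REQUIRED:
        return False, "password-change-required: " + AD_BIND_DATA_CODES[code]
    return False, "denied: " + classify_bind_failure(diagnostic_message)


# Constructed sample diagnostic messages in the format AD returns; the DSID
# and trailing version fields are placeholders, only the data code matters.
SAMPLE_BIND_ERRORS = {
    "wrong_password": "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "expired":        "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1",
    "must_reset":     "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1",
    "locked":         "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    "no_ad_code":     "Invalid credentials",   # what a non-AD LDAP server typically gives you
}


def run_samples():
    """Classify every constructed sample as a failed bind; returns {name: (accept, reason)}."""
    return {name: vpn_decision(False, msg) for name, msg in SAMPLE_BIND_ERRORS.items()}


if __name__ == "__main__":
    for name, (accept, reason) in run_samples().items():
        print(f"{name:15s} accept={accept} reason={reason}")
```

In a real auth-user-pass-verify script run with `via-env`, the credentials arrive in the `username` and `password` environment variables (this needs `script-security 3` in the server config); the script binds as the user, passes the failure's diagnostic message to `vpn_decision()`, and exits with 0 or 1. Keep the reason in the server log only: the client sees a plain AUTH_FAILED either way.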
 

Author Comment

by:aeason27
ID: 35081615
how would you suggest it links to AD then?
 
LVL 70

Expert Comment

by:Qlemo
ID: 35082331
There is no need to!? I see it is much easier to provide a single login for both VPN and AD, but you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
 

Author Comment

by:aeason27
ID: 35089220
Are you recommending a different account for AD and a different one for OpenVPN?

If you are not, I still don't understand how the password change would work.

At the moment, if the user hasn't changed his password before the last day of the policy (i.e. passwords have to be changed every 45 days), he is then unable to, as on the last day OpenLDAP will no longer see his password as being valid.

Tony
 
LVL 70

Expert Comment

by:Qlemo
ID: 35099196
you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
That should mean you do not need to authenticate in OpenVPN, only when using the domain. OpenVPN gets no benefit from doing user authentication - it is for the VPN solely, so you can use anything: a single login for all users, a computer/user certificate, a shared key, or nothing at all.
 

Author Comment

by:aeason27
ID: 35099359
Just to confirm, you're saying use shared certificates to authenticate? Then just authenticate to AD via Windows?
 
LVL 70

Expert Comment

by:Qlemo
ID: 35099483
As one of many options, yes.
 

Author Comment

by:aeason27
ID: 35099537
First of all, a big big thank you. Second, can you point me towards a URL on how to set that up?

Any other options you would suggest?
 
LVL 70

Expert Comment

by:Qlemo
ID: 35099670
The OpenVPN Wiki shows how to create certificates as the "default" configuration. Just follow that. That way you generate certificates with the OpenVPN server as CA (http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki). The way it is discussed there you create individual certificates for each user or computer, but you do not need to. If you decide to use a single certificate, you need to add the --duplicate-cn switch to the server config, else only one client is allowed simultaneously.
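To make the two choices in the comment above concrete, here is an OpenVPN 2.x server configuration excerpt as an added example; it is not from the thread, the OpenVPN HOWTO, or the poster's setup, and every path, address and script name in it is an assumption. The default layout is one certificate per client signed by the CA built with the HOWTO's easy-rsa procedure; the commented-out `duplicate-cn` line is what switches on the single shared "group" certificate. The practitioner's caveat is revocation: with per-client certificates a lost laptop is handled by revoking one certificate and publishing the CRL (`crl-verify`), while a shared certificate can only be revoked for everyone at once, so a single compromised copy means reissuing to all clients.

```conf
# OpenVPN 2.x server.conf excerpt (added example; paths, addresses and
# script names are assumptions, not the poster's configuration)
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

# Server PKI material generated with easy-rsa as in the OpenVPN HOWTO;
# the OpenVPN box itself acts as the CA.
ca       /etc/openvpn/pki/ca.crt
cert     /etc/openvpn/pki/vpn-server.crt
key      /etc/openvpn/pki/vpn-server.key
dh       /etc/openvpn/pki/dh2048.pem
tls-auth /etc/openvpn/pki/ta.key 0

# Option A (default, recommended): one certificate per client or computer,
# each with a unique CN. A lost or compromised device is handled by revoking
# only its certificate and reloading the CRL below.
crl-verify /etc/openvpn/pki/crl.pem

# Option B: a single "group" certificate shared by every client, as
# discussed in the thread. All clients then present the same CN, which
# OpenVPN rejects by default; duplicate-cn lifts that restriction.
# Caveat: revocation is then all or nothing. Uncomment to use:
;duplicate-cn

# Optional: an additional username/password check on top of the
# certificate. With via-env the script receives the credentials in the
# username and password environment variables, which requires
# script-security 3; exit 0 accepts the client, non-zero rejects it.
;script-security 3
;auth-user-pass-verify /etc/openvpn/check-ad-bind.py via-env

persist-key
persist-tun
keepalive 10 120
verb 3
```

With either option and no `auth-user-pass-verify` line, nothing at the VPN layer depends on the user's AD password, so the 45-day expiry problem from the question does not arise there; the password is only checked at the Windows domain logon once the tunnel is up.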
 

Author Comment

by:aeason27
ID: 35099892
And then the GPO would be pushed down to the computer and force the domain computer to change its AD password right?

Also, can you tie OpenVPN into the Windows login? i.e. get it to dial a connection as you log into Windows?
 
LVL 70

Accepted Solution

by: Qlemo (earned 500 total points)
ID: 35106481
No. OpenVPN and Windows aren't connected in any way, and there is no "dial-in and login via VPN" feature available like with some other VPN clients.
However, you can start the OpenVPN service - it will use the config file found in its config folder, and try to establish a connection after booting. Then Windows login using the domain account shouldn't be an issue anymore - with the same features available as if you were in the LAN.
