?
Solved

Group Policy password policy and OpenVPN

Posted on 2011-03-08
13
Medium Priority
?
1,377 Views
Last Modified: 2012-08-14
HELP!!

In summary, we have a standard GPO pushing out our password policy (standard MS) which is working fine on our LAN/WAN.

However we are having an issue with our OpenVPN users.

Breakdown

- Their computer is a domain computer

- They connect back to the wan via OpenVPN using their AD credentials

- The OpenVPN server authenticates back to AD using LDAP

- If the user hasn’t changed his password before the last day of the policy (I.E. Passwords have to be changed every 45days) he is then unable to as on the last day OpenLAP will no longer see his password as being valid.

Any ideas?

Tony
0
Comment
Question by:aeason27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
13 Comments
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 35076048
Hi,

Unfortunately I think there is no solution to that with non-microsoft VPN solution.

As an example, with a RADIUS authentication you'll have the same problem except if your RADIUS server is able to use MS-CHAPv2 protocol to authenticate with DCs because only MS-CHAPv2 is able to understand the failure reason sent back by the DC when the password is expired.

In your case, when your OpenVPN server authenticate by LDAP with the DC it can not know why the authentication is refused.

Have a good day
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35080568
If LDAP cannot provide the reason for failing (to differ between "password wrong" and "expired")  - which would allow to use a client authentication script in OpenVPN providing an "emergency login", e.g by resetting the password to something well-known, but immediately expiring -   the only alternative I see is NOT to use LDAP authentication for OpenVPN.
0
 

Author Comment

by:aeason27
ID: 35081615
how would you suggest it links to AD then?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 70

Expert Comment

by:Qlemo
ID: 35082331
There is no need to!? I see it is much easier to provide a single login only for both VPN and AD, but you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
0
 

Author Comment

by:aeason27
ID: 35089220
are you recommending a different account for AD and a different one for OpenVPN?

if you are not, I still don't understand how the password change would work.

at the moment If the user hasn’t changed his password before the last day of the policy (I.E. Passwords have to be changed every 45days) he is then unable to as on the last day OpenLAP will no longer see his password as being valid.

Tony
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35099196
you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
That should mean you do not need to authenticate in OpenVPN, only when using the domain. OpenVPN has no benefit of doing user authentication - it is for the VPN solely, so you can use anything: a single login for all users, a computer/user certificate, a shared key, or nothing at all.
0
 

Author Comment

by:aeason27
ID: 35099359
Just to confirm, your saying use shared cerificates to authenticate? Then just authenticate to AD via windows?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35099483
As one of many options, yes.
0
 

Author Comment

by:aeason27
ID: 35099537
1st of big big thank you. 2nd can you point me towards a url on how to set that up?

Any other options you would suggest?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35099670
The OpenVPN Wiki show how to create certifcates as the "default" configuration. Just follow that. That way you generate certicates with the OpenVPN server as CA (http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki). The way it is discussed there you create individual certifcates for each user or computer, but you do not need to. If you decide to use a single certifcate, you need to add the --duplicate-cn  switch to the server config, else only one client is allowed simultanously.
0
 

Author Comment

by:aeason27
ID: 35099892
And then the GPO would be pushed down to the computer and force the domain computer to change its AD password right?

Also can you tie the OpenVpn into the windows login? I.E. Get it to dial a connection as you log into windows?
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 35106481
No. OpenVPN and Windows aren't connected in any way, and there is no "dial-in and login via VPN" feature available like with some other VPN clients.
However, you can start OpenVPN service - it will use the config file found in its config folder, and try to establish a connection after booting. Then Windows Login using the domain account shouldn't be an issue anymore - with the same features available as if you were in the LAN.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question