Solved

Group Policy password policy and OpenVPN

Posted on 2011-03-08
Last Modified: 2012-08-14
HELP!!

In summary, we have a standard GPO pushing out our password policy (standard MS) which is working fine on our LAN/WAN.

However we are having an issue with our OpenVPN users.

Breakdown

- Their computer is a domain computer

- They connect back to the wan via OpenVPN using their AD credentials

- The OpenVPN server authenticates back to AD using LDAP

- If the user hasn't changed his password before the last day of the policy (i.e. passwords have to be changed every 45 days), he is then unable to, as on the last day OpenLAP will no longer see his password as being valid.

Any ideas?

Tony
Question by: aeason27

12 Comments

Expert Comment

by: Bruno PACI
ID: 35076048
Hi,

Unfortunately, I think there is no solution to that with a non-Microsoft VPN solution.

As an example, with RADIUS authentication you'll have the same problem, except if your RADIUS server is able to use the MS-CHAPv2 protocol to authenticate with the DCs, because only MS-CHAPv2 is able to understand the failure reason sent back by the DC when the password is expired.

In your case, when your OpenVPN server authenticates by LDAP with the DC, it cannot know why the authentication is refused.

Have a good day

Expert Comment

by: Qlemo
ID: 35080568
If LDAP cannot provide the reason for failing (to differentiate between "password wrong" and "expired"), which would allow using a client authentication script in OpenVPN providing an "emergency login", e.g. by resetting the password to something well-known but immediately expiring, then the only alternative I see is NOT to use LDAP authentication for OpenVPN.
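Both replies above turn on whether the LDAP bind can say why it failed. Against Active Directory the bind's diagnostic message does carry a sub-code after "data" (52e for a wrong password, 532 for an expired one, 773 for "must change at next logon"). As an added example that is not from this thread, the helper below shows how an OpenVPN auth-user-pass-verify script could classify that message and reject an expired password with a distinct, loggable reason rather than treating it like a bad password; the function names, the reason strings and the sample diagnostic messages are constructed for illustration.

```python
import re

# Sub-codes Active Directory appends to a failed LDAP bind
# ("AcceptSecurityContext error, data XXX"). The codes are documented AD
# behaviour; the reason labels are this example's own (constructed).
AD_BIND_SUBCODES = {
    "525": ("user_not_found", "user does not exist"),
    "52e": ("bad_password", "invalid credentials"),
    "530": ("logon_hours", "not permitted to log on at this time"),
    "531": ("workstation", "not permitted to log on at this workstation"),
    "532": ("password_expired", "password expired; change it via a domain logon"),
    "533": ("account_disabled", "account disabled"),
    "701": ("account_expired", "account expired"),
    "773": ("must_change_password", "password must be changed at next logon"),
    "775": ("account_locked", "account locked out"),
}

_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")


def classify_bind_failure(diagnostic):
    """Map an AD bind diagnosticMessage to (reason_code, human_text).
    A missing or unknown sub-code is reported as 'unknown' so the script
    never mislabels an outage or a new code as a password problem."""
    m = _DATA_RE.search(diagnostic or "")
    if not m:
        return ("unknown", "bind failed for an unclassified reason")
    return AD_BIND_SUBCODES.get(m.group(1).lower(),
                                ("unknown", "bind failed for an unclassified reason"))


def vpn_auth_decision(bind_ok, diagnostic=""):
    """Return (exit_code, log_line) the way an auth-user-pass-verify script
    would: exit 0 lets the client in, exit 1 rejects it. Expired and
    must-change passwords are still rejected, but logged with their own
    reason so helpdesk and SIEM can tell them apart from password guessing."""
    if bind_ok:
        return 0, "auth ok"
    code, text = classify_bind_failure(diagnostic)
    return 1, f"auth rejected ({code}): {text}"


# Constructed sample messages in the shape AD returns them
SAMPLE_EXPIRED = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                  "AcceptSecurityContext error, data 532, v1db1")
SAMPLE_WRONG = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                "AcceptSecurityContext error, data 52e, v1db1")

if __name__ == "__main__":
    for d in (SAMPLE_EXPIRED, SAMPLE_WRONG, "server unreachable"):
        print(vpn_auth_decision(False, d))
```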
Author Comment

by: aeason27
ID: 35081615
How would you suggest it links to AD then?

Expert Comment

by: Qlemo
ID: 35082331
There is no need to!? I see that it is much easier to provide a single login for both VPN and AD, but you do not need any kind of user authentication for OpenVPN. You can use group authentication (a shared certificate) for OpenVPN.

Author Comment

by: aeason27
ID: 35089220
Are you recommending a different account for AD and a different one for OpenVPN?

If you are not, I still don't understand how the password change would work.

At the moment, if the user hasn't changed his password before the last day of the policy (i.e. passwords have to be changed every 45 days), he is then unable to, as on the last day OpenLAP will no longer see his password as being valid.

Tony

Expert Comment

by: Qlemo
ID: 35099196
you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
That should mean you do not need to authenticate in OpenVPN, only when using the domain. OpenVPN gains no benefit from doing user authentication - it is for the VPN solely, so you can use anything: a single login for all users, a computer/user certificate, a shared key, or nothing at all.

Author Comment

by: aeason27
ID: 35099359
Just to confirm, you're saying use shared certificates to authenticate? Then just authenticate to AD via Windows?

Expert Comment

by: Qlemo
ID: 35099483
As one of many options, yes.

Author Comment

by: aeason27
ID: 35099537
1st, a big big thank you. 2nd, can you point me towards a URL on how to set that up?

Any other options you would suggest?

Expert Comment

by: Qlemo
ID: 35099670
The OpenVPN Wiki shows how to create certificates as the "default" configuration. Just follow that. That way you generate certificates with the OpenVPN server as CA (http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki). The way it is discussed there, you create individual certificates for each user or computer, but you do not need to. If you decide to use a single certificate, you need to add the --duplicate-cn switch to the server config, else only one client is allowed simultaneously.

Author Comment

by: aeason27
ID: 35099892
And then the GPO would be pushed down to the computer and force the domain computer to change its AD password, right?

Also, can you tie OpenVPN into the Windows login, i.e. get it to dial a connection as you log into Windows?

Accepted Solution

by: Qlemo (earned 2000 total points)
ID: 35106481
No. OpenVPN and Windows aren't connected in any way, and there is no "dial in and log in via VPN" feature available like with some other VPN clients.
However, you can start the OpenVPN service - it will use the config file found in its config folder and try to establish a connection after booting. Then Windows login using the domain account shouldn't be an issue anymore - with the same features available as if you were in the LAN.
Question has a verified solution.