Solved
Group Policy password policy and OpenVPN

Posted on 2011-03-08
Last Modified: 2012-08-14
HELP!!

In summary, we have a standard GPO pushing out our password policy (standard MS) which is working fine on our LAN/WAN.

However we are having an issue with our OpenVPN users.

Breakdown

- Their computer is a domain computer

- They connect back to the WAN via OpenVPN using their AD credentials

- The OpenVPN server authenticates back to AD using LDAP

- If the user hasn’t changed his password before the last day of the policy (i.e. passwords have to be changed every 45 days), he is then unable to, as on the last day OpenLAP will no longer see his password as being valid.

Any ideas?

Tony
13 Comments

Expert Comment

by:Bruno PACI
ID: 35076048
Hi,

Unfortunately I think there is no solution to that with a non-Microsoft VPN solution.

As an example, with RADIUS authentication you'll have the same problem, except if your RADIUS server is able to use the MS-CHAPv2 protocol to authenticate with DCs, because only MS-CHAPv2 is able to understand the failure reason sent back by the DC when the password is expired.

In your case, when your OpenVPN server authenticates by LDAP with the DC it cannot know why the authentication is refused.

Have a good day
Expert Comment

by:Qlemo
ID: 35080568
If LDAP cannot provide the reason for failing (to differentiate between "password wrong" and "expired") - which would allow the use of a client authentication script in OpenVPN providing an "emergency login", e.g. by resetting the password to something well-known but immediately expiring - the only alternative I see is NOT to use LDAP authentication for OpenVPN.

Author Comment

by:aeason27
ID: 35081615
How would you suggest it links to AD then?

Expert Comment

by:Qlemo
ID: 35082331
There is no need to!? I see it is much easier to provide a single login only for both VPN and AD, but you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
Author Comment

by:aeason27
ID: 35089220
Are you recommending a different account for AD and a different one for OpenVPN?

If you are not, I still don't understand how the password change would work.

At the moment, if the user hasn’t changed his password before the last day of the policy (i.e. passwords have to be changed every 45 days), he is then unable to, as on the last day OpenLAP will no longer see his password as being valid.

Tony
Expert Comment

by:Qlemo
ID: 35099196
> You do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.

That should mean you do not need to authenticate in OpenVPN, only when using the domain. OpenVPN has no benefit from doing user authentication - it is for the VPN solely, so you can use anything: a single login for all users, a computer/user certificate, a shared key, or nothing at all.

Author Comment

by:aeason27
ID: 35099359
Just to confirm, you're saying use shared certificates to authenticate? Then just authenticate to AD via Windows?

Expert Comment

by:Qlemo
ID: 35099483
As one of many options, yes.
Author Comment

by:aeason27
ID: 35099537
1st of all, a big big thank you. 2nd, can you point me towards a URL on how to set that up?

Any other options you would suggest?

Expert Comment

by:Qlemo
ID: 35099670
The OpenVPN Wiki shows how to create certificates as the "default" configuration. Just follow that. That way you generate certificates with the OpenVPN server as CA (http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki). The way it is discussed there you create individual certificates for each user or computer, but you do not need to. If you decide to use a single certificate, you need to add the --duplicate-cn switch to the server config, else only one client is allowed simultaneously.

Author Comment
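The certificate-only setup described in the comment above, as an added example that is not part of the original thread or of the OpenVPN project's documentation: a minimal server config fragment with per-client certificates (the HOWTO default) next to the single-shared-certificate variant that needs `duplicate-cn`. Key paths and the tunnel subnet are assumptions.

```conf
# --- Variant A: one certificate per user/computer (the HOWTO default) ---
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt        # CA built with easy-rsa as in the HOWTO (assumed path)
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0        # assumed tunnel subnet
crl-verify /etc/openvpn/keys/crl.pem # per-client revocation: a lost laptop's cert can be revoked alone
# No auth-user-pass-verify / LDAP plugin here: the tunnel never checks AD,
# so an expired AD password cannot block the VPN; Windows logon enforces the policy.

# --- Variant B: one shared client certificate for every client ---
# Same lines as Variant A, plus:
duplicate-cn    # without this only one client with that CN can be connected at a time
# Trade-off: one shared key means a single CRL entry revokes every client,
# so a leaked key forces reissuing the certificate to all clients.
```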

by:aeason27
ID: 35099892
And then the GPO would be pushed down to the computer and force the domain computer to change its AD password, right?

Also, can you tie the OpenVPN into the Windows login? i.e. get it to dial a connection as you log into Windows?

Accepted Solution

by: Qlemo (earned 500 total points)
Qlemo earned 500 total points
ID: 35106481
No. OpenVPN and Windows aren't connected in any way, and there is no "dial-in and login via VPN" feature available like with some other VPN clients.
However, you can start OpenVPN service - it will use the config file found in its config folder, and try to establish a connection after booting. Then Windows Login using the domain account shouldn't be an issue anymore - with the same features available as if you were in the LAN.