[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Group Policy password policy and OpenVPN

Posted on 2011-03-08
13
Medium Priority
?
1,403 Views
Last Modified: 2012-08-14
HELP!!

In summary, we have a standard GPO pushing out our password policy (standard MS) which is working fine on our LAN/WAN.

However we are having an issue with our OpenVPN users.

Breakdown

- Their computer is a domain computer

- They connect back to the wan via OpenVPN using their AD credentials

- The OpenVPN server authenticates back to AD using LDAP

- If the user hasn’t changed his password before the last day of the policy (I.E. Passwords have to be changed every 45days) he is then unable to as on the last day OpenLAP will no longer see his password as being valid.

Any ideas?

Tony
0
Comment
Question by:aeason27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
13 Comments
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 35076048
Hi,

Unfortunately I think there is no solution to that with non-microsoft VPN solution.

As an example, with a RADIUS authentication you'll have the same problem except if your RADIUS server is able to use MS-CHAPv2 protocol to authenticate with DCs because only MS-CHAPv2 is able to understand the failure reason sent back by the DC when the password is expired.

In your case, when your OpenVPN server authenticate by LDAP with the DC it can not know why the authentication is refused.

Have a good day
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35080568
If LDAP cannot provide the reason for failing (to differ between "password wrong" and "expired")  - which would allow to use a client authentication script in OpenVPN providing an "emergency login", e.g by resetting the password to something well-known, but immediately expiring -   the only alternative I see is NOT to use LDAP authentication for OpenVPN.
0
 

Author Comment

by:aeason27
ID: 35081615
how would you suggest it links to AD then?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 71

Expert Comment

by:Qlemo
ID: 35082331
There is no need to!? I see it is much easier to provide a single login only for both VPN and AD, but you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
0
 

Author Comment

by:aeason27
ID: 35089220
are you recommending a different account for AD and a different one for OpenVPN?

if you are not, I still don't understand how the password change would work.

at the moment If the user hasn’t changed his password before the last day of the policy (I.E. Passwords have to be changed every 45days) he is then unable to as on the last day OpenLAP will no longer see his password as being valid.

Tony
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35099196
you do not need any kind of user authentication for OpenVPN. You can use a group authentication (shared certificate) for OpenVPN.
That should mean you do not need to authenticate in OpenVPN, only when using the domain. OpenVPN has no benefit of doing user authentication - it is for the VPN solely, so you can use anything: a single login for all users, a computer/user certificate, a shared key, or nothing at all.
0
 

Author Comment

by:aeason27
ID: 35099359
Just to confirm, your saying use shared cerificates to authenticate? Then just authenticate to AD via windows?
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35099483
As one of many options, yes.
0
 

Author Comment

by:aeason27
ID: 35099537
1st of big big thank you. 2nd can you point me towards a url on how to set that up?

Any other options you would suggest?
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35099670
The OpenVPN Wiki show how to create certifcates as the "default" configuration. Just follow that. That way you generate certicates with the OpenVPN server as CA (http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki). The way it is discussed there you create individual certifcates for each user or computer, but you do not need to. If you decide to use a single certifcate, you need to add the --duplicate-cn  switch to the server config, else only one client is allowed simultanously.
0
 

Author Comment

by:aeason27
ID: 35099892
And then the GPO would be pushed down to the computer and force the domain computer to change its AD password right?

Also can you tie the OpenVpn into the windows login? I.E. Get it to dial a connection as you log into windows?
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 35106481
No. OpenVPN and Windows aren't connected in any way, and there is no "dial-in and login via VPN" feature available like with some other VPN clients.
However, you can start OpenVPN service - it will use the config file found in its config folder, and try to establish a connection after booting. Then Windows Login using the domain account shouldn't be an issue anymore - with the same features available as if you were in the LAN.
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question