what is the best way to implement OpenVPN with hardware ID authentication

What is the best way to implement this scenario:

I want to provide an OpenVPN service with username, password and hardware ID authentication.

I will give the client a username and password the first time.

When the client connects, I need to take a unique value from his machine and store it.

Each time the user connects, it will check the hardware ID.

I want central authentication for more than one OpenVPN server.


Ahmad Abuataya (Pre-Sales Engineer) commented:
It depends on the scale of the solution.
If it is a small list you can use the access point router to configure such a thing, but for highly scaled solutions you can find many solutions from Aruba and Cisco, etc.
asrawahi (Author) commented:
Thanks, but I want to know how I can do that myself and what I should do. My scale is large. Also, I don't want to use Cisco; I want to learn how I can use this auth with OpenVPN.

I'm installing OpenVPN on my Ubuntu server. What is the next step?
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
You would have to run scripts for that on both client and server, but the issue is that you can't pass vars between the two via OpenVPN. You would have to implement an additional authentication layer, e.g. by running a client script to send the hostname (env: %hostname%) or MAC address (ipconfig /all | find "Physical"), e.g. via FTP, to the server, which would process that info in the auth-user-pass script you would need anyway. Tricky, and not very reliable.

Looks like the non-free OpenVPN Access Server variant has an option to do a hardware ID check (https://openvpn.net/index.php/access-server/docs/admin-guides/411-access-server-post-auth-script.html).

asrawahi (Author) commented:
Hi, is there any tutorial about Access Server with hardware ID auth?

You can have a USB CCID that stores the private key and authenticates using SASL and the like.
btan (Exec Consultant) commented:
The MAC can be used as the h/w ID and checked via script (e.g. as stated below, in the header of the sample post_auth script (pas.py) that does a MAC check):
# Example Access Server Post-Auth script demonstrates three features:
# 1. How to set a connecting user's Access Server group based on LDAP
#    group settings for the user.
# 2. How to verify that a given Access Server user only logs in using
#    a known client machine.
# 3. How to verify that client machine contains up-to-date applications
#    (such as virus checker) before allowing it to connect to the server.

# Note that this script requires that the client provide us with information
# such as its MAC address and information about installed applications.
# The Access Server Client will only provide this information to trusted
# servers, so make sure that the client is configured to trust the profile
# which is used to connect to this server.
Download "pas.py" - http://openvpn.net/images/scripts/pas.py

Ref - https://docs.openvpn.net/docs/access-server/openvpn-access-server-post-auth-scripting.html
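As an added example (not code from this thread and not OpenVPN's own pas.py), this shows the first-connect enrolment and later verification the question asks for, backed by one store that several servers could share; the post_auth signature, the table schema and the sample MACs are assumptions.

```python
import sqlite3


class HardwareIdStore:
    """Central registry of enrolled hardware IDs shared by every OpenVPN server.

    An in-memory SQLite DB keeps this example self-contained; in a
    multi-server deployment the path would point at one shared database.
    """

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS enrolment (user TEXT PRIMARY KEY, hwid TEXT NOT NULL)"
        )

    @staticmethod
    def normalise(hwid):
        # Treat "00-11-22-33-44-55" and "00:11:22:33:44:55" as the same MAC.
        return hwid.strip().lower().replace("-", ":")

    def check(self, user, hwid):
        """Enrol the ID on the user's first login, verify it on every later one.

        Returns "enrolled", "ok" or "mismatch".
        """
        hwid = self.normalise(hwid)
        row = self.db.execute(
            "SELECT hwid FROM enrolment WHERE user = ?", (user,)
        ).fetchone()
        if row is None:
            self.db.execute("INSERT INTO enrolment VALUES (?, ?)", (user, hwid))
            self.db.commit()
            return "enrolled"
        return "ok" if row[0] == hwid else "mismatch"


def post_auth(store, user, password_ok, hwid):
    """Decision step modelled on a post-auth hook (hypothetical signature).

    The hardware ID is self-reported by the client, so it is only a second
    factor layered on top of the credential check, never a replacement.
    Returns (allow, reason).
    """
    if not password_ok:
        return False, "bad credentials"
    if not hwid:
        return False, "client reported no hardware id"
    result = store.check(user, hwid)
    if result == "mismatch":
        return False, "hardware id differs from the enrolled machine"
    return True, result
```

Because the client reports the ID itself, and a MAC is easy to change, a mismatch is worth logging for follow-up rather than being treated as the only gate.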

Craig Beck commented:
Why not just use computer certificates? That gives you what you want right now. Tie it in to RADIUS and you've got a great solution.
asrawahi (Author) commented:
Thanks all for the support.
Craig Beck commented:
Thanks, but the chosen answer isn't really a 'solution'. The MAC can be changed or spoofed easily, so users could connect via machines that aren't really allowed.