Is it possible to authenticate clients with certificate OR radius?

agungor
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 16, 2017 9:40 am

Is it possible to authenticate clients with certificate OR radius?

Post by agungor » Thu Feb 16, 2017 9:45 am

Is it possible to do this configuration? I read the documentation but I couldn't see anything related.

- If a client provides a valid client certificate, it will be allowed.
- If a client does not provide a client certificate but enters correct credentials, it will be allowed.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Is it possible to authenticate clients with certificate OR radius?

Post by novaflash » Thu Feb 16, 2017 10:45 am

I'm talking now about the commercial offering called OpenVPN Access Server:

- If a client provides a valid client certificate, it will be allowed.

If you use autologin profiles, yes, this is exactly how it works. To obtain the autologin profile you do need to use credentials for the account one time. After that you just use the autologin profile to make a connection. It contains all the settings and the client certificate necessary to make a connection. With an autologin type profile the credentials are not checked. You only use the credentials once to obtain the autologin profile itself. After that you can connect at any time and credentials are not checked anymore.

- If a client does not provide a client certificate but enters correct credentials, it will be allowed.

That is the default for 'standard' user accounts. They are offered the OpenVPN Connect Client for Windows and Mac, which does not carry client certificates. When you log on using the Connect Client, you enter username+password. This is passed on to the Access Server over a secure channel, and if the information is correct, a client certificate for that specific user is provided and used to make a connection. After disconnecting, this user profile is deleted from the client computer, and the client is then ready to accept a new login attempt for any valid user on the Access Server.


Basically, what you describe in your second line is exactly what the Access Server already does by default, and by simply giving a user autologin rights, you get the situation that you describe in your first line.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
