We are currently trying to configure our OpenVPN server with MFA; we have installed Duo and Google Authenticator on two servers (one for each MFA).
The problem is that both of them show the login error (when the user/password fails or when the MFA fails).
PCI/DSS 3.2 specifies that it has to ask for both authentication methods and then show a common error, not informing the user which of the authentication methods has failed (so attackers will have a hard time guessing which one failed).
Is there any way of doing this? Our QSA told us that it was also acceptable to not show any error at all (which I think should be easier to disable on the server). Any idea how to do this?
Thanks
open vpn for PCI/DSS 3.2 compliance
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Mar 28, 2017 1:32 pm
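As an added example (not from the original post, and not code from OpenVPN, Duo or Google Authenticator): a Python verifier in the shape of an OpenVPN auth-user-pass-verify backend that checks the password and a Google Authenticator style TOTP code, always evaluates both factors, and returns the one generic message the poster's QSA asked for, keeping per-factor detail only in a server-side audit record. The user store, the seeds and the three-argument split are constructed assumptions; how OpenVPN hands the password and OTP to your script depends on your setup.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample user store (assumption): SHA-256 password hash plus the
# base32 TOTP seed that would be enrolled in Google Authenticator.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    },
}
# Dummy record so unknown users go through the same work as known ones.
DUMMY = {"pw_hash": "0" * 64, "totp_secret": "MFRGGZDFMZTWQ2LK"}
GENERIC_FAILURE = "Authentication failed"  # the only message the client ever sees


def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def authenticate(user, password, otp, now=None, audit=None):
    """Check both factors, then return (ok, message) with one generic message.

    Neither factor short-circuits the other, so the client cannot tell from the
    response which factor was wrong. Per-factor detail goes only to the
    server-side audit list, never to the client.
    """
    now = int(time.time()) if now is None else now
    rec = USERS.get(user, DUMMY)
    pw_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), rec["pw_hash"])
    # Accept the current code and one step either side to tolerate clock drift;
    # the list comprehension evaluates every window instead of stopping early.
    otp_ok = any([hmac.compare_digest(otp, totp_code(rec["totp_secret"], now + d * 30))
                  for d in (-1, 0, 1)])
    known = user in USERS
    if audit is not None:
        audit.append("user=%s known=%s password=%s otp=%s" % (
            user, known, "ok" if pw_ok else "fail", "ok" if otp_ok else "fail"))
    if known and pw_ok and otp_ok:
        return True, ""
    return False, GENERIC_FAILURE
```

The audit line is where the per-factor reason lives; the client only ever receives GENERIC_FAILURE, whichever factor (or both) was wrong.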
Re: open vpn for PCI/DSS 3.2 compliance
We are also using LDAP as the first authentication.