OpenVPN for PCI DSS 3.2 compliance
Posted: Tue Mar 28, 2017 1:44 pm
We are currently trying to configure our OpenVPN server with MFA; we have installed Duo and Google Authenticator on 2 servers (1 for each MFA).
The problem is that both of them show the login error (when the user/password fails or when the MFA fails).
PCI DSS 3.2 specifies that it has to ask for both authentication methods and then show a common error, not informing the user which of the authentication methods has failed (so attackers will have a hard time guessing which one failed).
Is there any way of doing this? Our QSA told us that it was also acceptable to not show any error at all (which I think should be easier to disable from the server). Any idea how to do this?
Thanks
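One way to get the behaviour the post asks for (password and OTP both checked, one generic result, per-factor detail only in the server log) is OpenVPN's own `auth-user-pass-verify` hook with a script that never short-circuits. The script below is an added example, not code from the post nor from the Duo or Google Authenticator integrations; the server and client config lines, the log path, the user record, salts and the use of the RFC 6238 test secret are assumptions. It expects the client to use `static-challenge`, under which the password field arrives as `SCRV1:<base64 password>:<base64 otp>`.

```python
#!/usr/bin/env python3
# Added example (not from the forum post): OpenVPN auth-user-pass-verify script that
# checks the password AND a TOTP code, always runs both checks, and returns a single
# pass/fail so the client cannot tell which factor was wrong.
# Assumed server.conf lines:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/mfa_auth.py via-file
# Assumed client config line (makes the GUI prompt for the OTP):
#   static-challenge "Enter OTP code" 1
import base64
import hashlib
import hmac
import logging
import struct
import sys
import time
from typing import NamedTuple, Optional, Tuple

log = logging.getLogger("openvpn-mfa")
LOG_FILE = "/var/log/openvpn/mfa-auth.log"   # assumed path; detail goes here, never to the client
TOTP_STEP = 30


class Record(NamedTuple):
    salt: bytes
    pw_hash: bytes
    totp_secret: str   # base32, as enrolled in the authenticator app


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password: str, totp_secret: str, salt: bytes) -> Record:
    return Record(salt, pbkdf2(password, salt), totp_secret)


# Constructed user database. alice's TOTP secret is the RFC 6238 test key
# ("12345678901234567890" in base32) so codes can be checked against the RFC vectors.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {
    "alice": make_record("correct horse battery", RFC6238_SECRET, b"constructed-salt"),
}
# Unknown usernames are checked against this record so they take the same code path
# (and time) as real ones; they can never succeed, see verify().
DUMMY = make_record("not-a-real-password", "JBSWY3DPEHPK3PXP", b"dummy-salt-value")


def totp(secret_b32: str, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the algorithm Google Authenticator uses."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(for_time // TOTP_STEP))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def build_scrv1(password: str, otp: str) -> str:
    """What the OpenVPN client sends in the password field under static-challenge."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return f"SCRV1:{b64(password)}:{b64(otp)}"


def split_password_field(field: str) -> Tuple[str, str]:
    """Return (password, otp). A malformed field yields ('', '') so both checks still run."""
    if not field.startswith("SCRV1:"):
        return field, ""          # no OTP supplied: the OTP check will simply fail
    parts = field.split(":", 2)
    if len(parts) != 3:
        return "", ""
    try:
        return (base64.b64decode(parts[1]).decode("utf-8"),
                base64.b64decode(parts[2]).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "", ""


def verify(username: str, field: str, now: Optional[float] = None) -> bool:
    """Evaluate both factors unconditionally and return one combined result."""
    now = time.time() if now is None else now
    password, otp = split_password_field(field)
    rec = USERS.get(username, DUMMY)
    pw_ok = hmac.compare_digest(pbkdf2(password, rec.salt), rec.pw_hash)
    # Accept the previous, current and next step to absorb clock drift; every window is
    # compared (no early exit) so timing does not reveal which window, if any, matched.
    matches = [hmac.compare_digest(otp.encode("utf-8"),
                                   totp(rec.totp_secret, now + d * TOTP_STEP).encode("ascii"))
               for d in (-1, 0, 1)]
    otp_ok = any(matches)
    ok = pw_ok and otp_ok and username in USERS
    # Per-factor detail is recorded server-side only; the client just sees connect/refuse.
    log.info("user=%s password_ok=%s otp_ok=%s result=%s", username, pw_ok, otp_ok, ok)
    return ok


def main() -> int:
    logging.basicConfig(filename=LOG_FILE, level=logging.INFO, format="%(asctime)s %(message)s")
    with open(sys.argv[1], encoding="utf-8") as fh:      # via-file: line 1 username, line 2 password
        lines = fh.read().splitlines()
    username, field = (lines + ["", ""])[:2]
    return 0 if verify(username, field) else 1           # the exit status is all OpenVPN sees


if __name__ == "__main__":
    sys.exit(main())
```

Because the only thing that reaches the client is the script's exit status, a wrong password and a wrong OTP produce the identical AUTH_FAILED response, which is the "common error" the QSA asked for; the per-factor detail still lands in the server log for troubleshooting and incident response.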