open vpn for PCI/DSS 3.2 compliance

Business solution to host your own OpenVPN server with web management interface and bundled clients.
tcaetano
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 28, 2017 1:32 pm

open vpn for PCI/DSS 3.2 compliance

Post by tcaetano » Tue Mar 28, 2017 1:44 pm

We are currently trying to configure our OpenVPN server with MFA; we have installed Duo and Google Authenticator on 2 servers (1 for each MFA).

The problem is that both of them show the login error (when the user/password fails or when the MFA fails).

PCI/DSS 3.2 specifies that it has to ask for both authentication methods and then show a common error, not informing the user which of the authentication methods has failed (so attackers will have a hard time guessing which one failed).

Is there any way of doing this? Our QSA told us that it was also acceptable to not show any error at all (which I think should be easier to disable on the server). Any idea how to do this?

Thanks
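The behaviour the post asks for (collect both factors, evaluate both unconditionally, and return one common error whichever factor failed) is illustrated below. This is an added example written for this page, not OpenVPN Access Server's own authentication code or any Duo/Google Authenticator API; the in-memory user store, the SHA-256 password hashes and the base32 TOTP seed (the RFC 6238 sample seed) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo user store: username -> (sha256 of password, base32 TOTP seed).
# Illustrative only; a real deployment would verify against LDAP, Duo, etc.
USERS = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(),
              "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
}
# Dummy credentials used for unknown accounts so that the same work is done
# (and the same reply returned) whether or not the user exists.
DUMMY = (hashlib.sha256(b"dummy").hexdigest(), "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
COMMON_ERROR = "Authentication failed"   # one message for every failure mode


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(seed_b32)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def check_password(user, password):
    stored = USERS.get(user, DUMMY)[0]
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied) and user in USERS


def check_otp(user, code, unix_time):
    seed = USERS.get(user, DUMMY)[1]
    ok = False
    # Accept the current 30 s step and one step either side to absorb clock drift.
    for drift in (-1, 0, 1):
        ok |= hmac.compare_digest(totp(seed, unix_time + drift * 30), code)
    return ok and user in USERS


def authenticate(user, password, code, unix_time):
    """Evaluate BOTH factors every time, then return a single combined verdict."""
    pw_ok = check_password(user, password)
    otp_ok = check_otp(user, code, unix_time)   # still runs when the password failed
    if pw_ok and otp_ok:
        return True, "OK"
    return False, COMMON_ERROR                    # never says which factor failed
```

The same structure applies if the first factor is LDAP and the second is Duo or Google Authenticator: the server must not short-circuit after the first failure or return a different message per factor.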

tcaetano
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 28, 2017 1:32 pm

Re: open vpn for PCI/DSS 3.2 compliance

Post by tcaetano » Tue Mar 28, 2017 1:56 pm

We are also using LDAP as the first authentication.
