I have my Access Server running on Ubuntu Server, but cannot figure out how to integrate SecurID tokens with it. There is hardly any info on it other than saying the PAM module should be able to work somehow. I was more looking for a guide.
Thanks fam
How to use RSA Securid with Openvpn?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Mar 10, 2016 10:05 pm
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jan 18, 2022 7:15 pm
Re: How to use RSA Securid with Openvpn?
I have the same issue. My users use RSA SecurID one-time passwords or 2FA. I would like to use LDAP for primary authentication and then use RSA SecurID one-time passwords for 2FA. But I cannot find any documentation on this process.
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: How to use RSA Securid with Openvpn?
I am surprised anyone still uses SecurID after 2011.
This document explains how to disable primary authentication and supply your own Python script for authentication instead:
https://openvpn.net/vpn-server-resource ... -examples/
You can have the user type both the password and SecurID code in the same password prompt. Then have your own Python script use everything except the last 6 characters to authenticate against LDAP. The last remaining 6 characters you can then code to authenticate against SecurID.
This is going to be a great deal of effort to get working correctly.
I would instead recommend taking advantage of the Google Authenticator support that already exists in OpenVPN AS. This works with any TOTP (RFC 6238) application. I have not found anything that indicates that SecurID soft tokens are any more secure than TOTP-compliant authenticators. Also, the events of 2011 indicated to me that the SecurID hard tokens aren't worth the price.
Information on how to set OpenVPN AS to use Google Authenticator MFA support is available here:
https://openvpn.net/vpn-server-resource ... ntication/
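The single-prompt split described in the reply above, as an added example (not code from the post or from OpenVPN's documentation). `check_ldap` and `check_token` are hypothetical callables standing in for the real LDAP bind and SecurID verification, and the 6-character code length is the figure given in the post.

```python
import re
from typing import Callable, NamedTuple, Optional

TOKEN_LEN = 6  # from the post: the code is the last 6 characters typed


class SplitCredential(NamedTuple):
    password: str
    token_code: str


def split_credential(combined: str, token_len: int = TOKEN_LEN) -> Optional[SplitCredential]:
    """Split 'password' + 'code' typed into one prompt; None if malformed."""
    # At least one password character must precede the code.
    if len(combined) <= token_len:
        return None
    password, code = combined[:-token_len], combined[-token_len:]
    # Require exactly token_len ASCII digits. If the user forgot the code,
    # the tail of the password is rejected here and never reaches the
    # token backend. [0-9] is explicit: str.isdigit() accepts Unicode digits.
    if not re.fullmatch(r"[0-9]{%d}" % token_len, code):
        return None
    return SplitCredential(password, code)


def authenticate(username: str, combined: str,
                 check_ldap: Callable[[str, str], bool],
                 check_token: Callable[[str, str], bool]) -> bool:
    """Return True only if both factors verify; any error fails closed."""
    parts = split_credential(combined)
    if parts is None:
        return False
    try:
        # Password first; the token backend is only contacted after the
        # password check has passed.
        if not check_ldap(username, parts.password):
            return False
        return bool(check_token(username, parts.token_code))
    except Exception:
        # A backend outage or timeout must never turn into a login.
        return False


if __name__ == "__main__":
    # Constructed stand-ins for the two backends, for demonstration only.
    ldap = lambda u, p: (u, p) == ("alice", "correct horse")
    token = lambda u, c: (u, c) == ("alice", "492817")
    print(authenticate("alice", "correct horse492817", ldap, token))
```

The caller gets a single boolean either way, so the client sees the same failure whether the password, the code, or the format was wrong.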