Limit Google Authenticator signup?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
rln
OpenVpn Newbie
Posts: 1
Joined: Thu Oct 12, 2017 9:34 am

Limit Google Authenticator signup?

Post by rln » Thu Oct 12, 2017 9:38 am

Hi all,

I've set up an OpenVPN Access Server that authenticates users against LDAP (Active Directory) and requires Google Authenticator. However, users can sign up for Google Authenticator just by logging in to the external web server.

Is there any way to limit the Authenticator configuration to a specific network, so that users HAVE to be on the LAN to sign up?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Limit Google Authenticator signup?

Post by novaflash » Thu Oct 12, 2017 10:06 am

Not with the settings that are available now. It can still be done (difficulty: expert) but requires a small bit of Python coding in post_auth scripting. With it you can add additional criteria to the login process. For example, you can make a script that does the following:

1. After the user successfully provides username and password
2. Check if Google Authenticator is not yet set up
3. If not, then check the IP address of where the user is logging in from
4. If that doesn't match an allowed address, kick the user out

Alternatively, you could decide to only make the web interface accessible from the LAN (difficulty: beginner) by adjusting firewall settings in your network and tweaking settings in the Admin UI's Server Network Settings page.

I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
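The four-step check described in the reply above, sketched as stand-alone Python. This is an added example, not part of the original post and not OpenVPN's own code: the function names, the `ALLOWED_ENROLL_NETS` ranges and the sample addresses are hypothetical, and how Access Server hands the client IP and enrollment state to a post_auth script is not shown on this page, so that wiring is left out.

```python
import ipaddress

# Constructed example ranges (assumption): replace with the real LAN networks.
ALLOWED_ENROLL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")
]


def ip_in_allowed_nets(client_ip, nets=ALLOWED_ENROLL_NETS):
    """True only if client_ip is a valid address inside one of the networks."""
    if not isinstance(client_ip, str):
        return False  # fail closed on a missing or non-string address
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # fail closed on anything that does not parse
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d;
    # unwrap it so it is compared against the IPv4 ranges.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in nets)


def login_decision(password_ok, mfa_enrolled, client_ip):
    """Return (allowed, reason) following the four steps listed in the reply."""
    # Step 1: username and password must already have been accepted.
    if not password_ok:
        return (False, "credentials rejected")
    # Step 2: users who already enrolled are not affected by this check.
    if mfa_enrolled:
        return (True, "already enrolled; normal Google Authenticator flow")
    # Step 3: not enrolled yet, so look at where the login comes from.
    if ip_in_allowed_nets(client_ip):
        return (True, "enrollment permitted from allowed network")
    # Step 4: unenrolled user from outside the allowed ranges is rejected.
    return (False, "Google Authenticator enrollment is only allowed on the LAN")


if __name__ == "__main__":
    # Constructed sample logins: (password_ok, mfa_enrolled, client_ip)
    for case in [(True, False, "192.168.10.25"), (True, False, "203.0.113.7"),
                 (True, True, "203.0.113.7"), (True, False, "::ffff:10.1.2.3")]:
        print(case, "->", login_decision(*case))
```

The check trusts the address the server reports for the connection, so if the web interface sits behind a reverse proxy or NAT, every client may appear to come from an allowed range.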
