We are currently trying to configure our OpenVPN server with MFA; we have installed Duo and Google Authenticator on 2 servers (1 for each MFA).
The problem is that both of them show the login error (when the user/password fails or when the MFA fails).
PCI DSS 3.2 specifies that it has to ask for both authentication methods and then show a common error, not informing the user which of the authentication methods has failed (so attackers will have a hard time guessing which one failed).
Is there any way of doing this? Our QSA told us that it was also acceptable to not show any error at all (which I think should be easier to disable from the server). Any idea how to do this?
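As an added example (not from the original post, Duo, Google or the OpenVPN project), here is a Python script of the kind OpenVPN can call via `auth-user-pass-verify <script> via-env`: it evaluates the password and a Google Authenticator style TOTP code unconditionally, then returns a single pass/fail with no message naming the failed factor. It assumes the client sends the password immediately followed by the 6-digit code, and the credential store and TOTP seeds are constructed for the demo.

```python
import base64, hashlib, hmac, os, struct, sys, time

# Constructed demo credential store (assumption): user -> (salt, PBKDF2 hash, base32 TOTP seed).
# A real deployment would read this from a database or PAM; the values are illustrative only.
_SALT = b"demo-salt"
_DUMMY_SEED = "JBSWY3DPEHPK3PXP"
USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000), _DUMMY_SEED),
}

def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def authenticate(username, password_plus_code, now=None):
    """True only when BOTH factors are valid. Every check runs regardless of the
    others' outcome, so the caller (and the client) learn nothing about which failed."""
    now = time.time() if now is None else now
    # Unknown users get a dummy record so the same work is done for them.
    salt, pw_hash, seed = USERS.get(username, (_SALT, b"\x00" * 32, _DUMMY_SEED))
    password, code = password_plus_code[:-6], password_plus_code[-6:]
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), pw_hash)
    # Accept the current 30 s step and one step either side to tolerate clock drift.
    otp_ok = any(hmac.compare_digest(totp(seed, now + d), code) for d in (-30, 0, 30))
    # Bitwise & on bools: no short-circuit, all factors are always evaluated.
    return (username in USERS) & pw_ok & otp_ok

def main():
    # OpenVPN 'auth-user-pass-verify <script> via-env' exports these two variables.
    ok = authenticate(os.environ.get("username", ""), os.environ.get("password", ""))
    # One exit code for every failure mode and nothing written to the client.
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

OpenVPN itself only sees exit status 0 or 1, so the client receives the same generic AUTH_FAILED whichever factor was wrong; per-factor detail should go to a server-side log only, not to the client.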