is it possible to bind CCD configuration to host certificate in dual factor auth?

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
ienaxxx
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 11, 2018 11:25 am

is it possible to bind CCD configuration to host certificate in dual factor auth?

Post by ienaxxx » Thu Jan 11, 2018 11:34 am

Hi, I set up server with 2 factors auth (username and PW + Host cert).
I enabled remote KERBEROS auth to allow my Active Directory domain users to authenticate in VPN.

I'd like to assign specific IPs (to use specific firewall rules in iptables) and managed to do so via client-config-dir.
Anyway, since usernames are case insensitive in Active directory, so i had to create a lot of files for each user with all the possible combinations (a bash script).
E.g.:
userfc1@domain.ext
Userfc1@domain.ext
uSerfc1@domain.ext
....

So my question is:
Is that possible to bind a configuration to the HOST Certificate instead of the username? I know it is possible when using the USER certificate to login, with the CN of the user, but I can't make it work with Host cert CN.

If not possible: is there a way to workaround this?
Thank You!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: is it possible to bind CCD configuration to host certificate in dual factor auth?

Post by TinCanTech » Thu Jan 11, 2018 12:36 pm

CCD files are bound to the common_name of the certificate.

ienaxxx
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 11, 2018 11:25 am

Re: is it possible to bind CCD configuration to host certificate in dual factor auth?

Post by ienaxxx » Wed Jan 24, 2018 9:32 am

Hi TinCanTech.
Unfortunately, I think it's only true when you are using the certificate to authenticate INSTEAD of username and PW.
I tried to create a filename with the common name of the cert. but it simply doesn't work.

Is there anything i should check to verify openvpn is working the correct way?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: is it possible to bind CCD configuration to host certificate in dual factor auth?

Post by TiTex » Wed Jan 24, 2018 12:22 pm

see if --username-as-common-name option does what you want

Post Reply