Configuring OpenVPN Access Server with Cyberark/Idaptive MFA

dmutua
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 09, 2022 9:04 pm

Configuring OpenVPN Access Server with Cyberark/Idaptive MFA

Post by dmutua » Thu Jun 09, 2022 9:16 pm

We had configured Cisco Meraki Client VPN with Cyberark/Idaptive MFA. We are now switching from Cisco Meraki Client VPN to Access Server and we want to configure OpenVPN with Cyberark/Idaptive MFA. Has anyone tried this before that could possibly point me in the right direction? I cannot seem to find any documentation about integrating the two.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Configuring OpenVPN Access Server with Cyberark/Idaptive MFA

Post by openvpn_inc » Fri Jun 10, 2022 6:06 am

Hello dmutua,

I have not dealt with that particular MFA solution myself yet, and I am pretty sure we do not have documentation for integration with that either. However, MFA being what it is, there are only so many solutions for it. And one of them is called TOTP, or Time-based One Time Password. This is used by several major identity and credential management systems, such as for example Google with their Google Authenticator app, or Azure and Microsoft 365 with their Microsoft Authenticator app. It's a standard that a lot of systems adhere to, including Access Server. In Access Server you can enable TOTP MFA in the authentication settings page (previously referred to as Google Authenticator MFA). Once this is enabled you are expected to enroll a user on the Access Server web interface and put the secret on a device or program that generates TOTP codes. Logging in afterwards will require a TOTP MFA code.

I see in documentation of Cyberark themselves that they seem to support this use case in their app, where Access Server will ask for TOTP MFA codes and the Cyberark app can supply the codes.
https://docs.cyberark.com/Product-Doc/O ... n%7C_____4

If you're looking for another type of integration then please provide some details on how the authentication flow is expected to go.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support


Re: Configuring OpenVPN Access Server with Cyberark/Idaptive MFA

Post by dmutua » Fri Jun 10, 2022 4:50 pm

Hello Johan,
Thanks for your response. We are aware of the built-in TOTP solution but we wanted to implement MFA through Cyberark/Idaptive to ensure uniformity since our users are currently using Cyberark/Idaptive MFA with other systems. Please take a look at the link below.
https://docs.cyberark.com/Product-Doc/O ... cshid=1482
(Provide only the second authentication factor for RADIUS clients)
