Use Windows Machine Account as an authentication option
This would be a useful feature to me to use in conjunction with an always up / OpenVPN running as a service.
We have some industry and government rules we have to comply with, one of those is two-factor authentication for anything that provides access to sensitive information or access to a network. For this reason, simple client certificate authentication running in the background will not be acceptable for compliance purposes, since that is a single factor of authentication. User VPN relying on AD credentials and a client certificate is acceptable, but requires user interaction to bring the tunnel up.
I'd like to see a way to use a domain-joined machine's AD machine account as one factor of authentication, and then a client certificate as the second. Both of these could be used by a background VPN tunnel that comes up automatically without user intervention.
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Aug 10, 2021 3:14 pm
- BadIdea
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jun 03, 2024 3:13 pm
Re: Use Windows Machine Account as an authentication option
I second the requirements as it's also on my wish list.
Thank you
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Dec 15, 2024 3:39 am
Re: Use Windows Machine Account as an authentication option
There are lots of ways to authenticate the user (freeipa, motp, ldap, etc.) but no ways to authenticate the machine!
Use GSSAPI to check if a client computer is part of an AD domain. If the client computer is not enrolled, no VPN. This doesn't require Windows; it does require that the server (Linux or otherwise) is part of the AD domain and is able to request service tickets from the AD KDC.
Only after the client is confirmed as being part of the AD domain can it then proceed to user authentication (potentially using RADIUS or some other MFA).
Summary: support using the Windows machine account as a pre-authentication step for the client that is a gating factor for user authentication being initiated.
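The two-stage gate described in the posts above (machine account first, user/MFA only afterwards), as an added example that is not code from the thread or from OpenVPN: the server runs the GSSAPI accept step, requires the Kerberos initiator to be an AD computer account (HOSTNAME$@REALM) in an allowed realm, and only then calls the user-authentication step. The python-gssapi calls, the service name vpn.example.com and the realm names are assumptions; the policy functions are pure Python and need no KDC.

```python
# Added example (not from the thread): server-side gate that accepts a GSSAPI
# token from the VPN client, requires the Kerberos initiator to be an AD
# computer account in an allowed realm, and only then runs user authentication.
# Assumes python-gssapi and a server keytab for the real handshake; the gating
# policy itself is pure Python and needs no KDC.
import re
try:
    import gssapi  # python-gssapi; only needed for accept_machine_token()
except ImportError:  # keep the policy code importable without the library
    gssapi = None

# AD computer accounts are Kerberos principals of the form HOSTNAME$@REALM.
_MACHINE_RE = re.compile(r"^(?P<host>[^@/$]+)\$@(?P<realm>[^@]+)$")

def machine_principal_ok(principal, allowed_realms):
    """Return (True, host) if principal is a computer account in an allowed realm."""
    m = _MACHINE_RE.match(principal)
    if not m:
        return False, None   # user principal, service principal or garbage
    if m.group("realm").upper() not in {r.upper() for r in allowed_realms}:
        return False, None   # enrolled elsewhere, e.g. a trusted but unapproved forest
    return True, m.group("host")

def accept_machine_token(in_token, service="host@vpn.example.com"):
    """Run the GSSAPI accept step for one client token (service name is constructed)."""
    if gssapi is None:
        raise RuntimeError("python-gssapi is required for the real handshake")
    name = gssapi.Name(service, gssapi.NameType.hostbased_service)
    creds = gssapi.Credentials(name=name, usage="accept")   # acquired from the keytab
    ctx = gssapi.SecurityContext(creds=creds, usage="accept")
    out_token = ctx.step(in_token)   # Kerberos is usually one round; may return a reply
    if not ctx.complete:
        raise PermissionError("GSSAPI context not established")
    # The authenticated initiator, e.g. "LAPTOP01$@CORP.EXAMPLE.COM"
    return str(ctx.initiator_name), out_token

def authorize_connection(machine_principal, user_auth, allowed_realms):
    """Stage 1: machine must be enrolled; stage 2 (user/MFA) runs only after that."""
    ok, host = machine_principal_ok(machine_principal, allowed_realms)
    if not ok:
        return {"allowed": False, "stage": "machine"}
    if not user_auth():    # e.g. a RADIUS/MFA round trip; a constructed callback here
        return {"allowed": False, "stage": "user", "host": host}
    return {"allowed": True, "stage": "user", "host": host}
```

Logging the rejecting stage separately lets a defender tell an unenrolled device apart from a failed user/MFA step on an enrolled one.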