Use Windows Machine Account as an authentication option

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

bp81
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 10, 2021 3:14 pm

Use Windows Machine Account as an authentication option

Post by bp81 » Tue Feb 07, 2023 4:25 pm

This would be a useful feature to me to use in conjunction with an always up / OpenVPN running as a service.

We have some industry and government rules we have to comply with, one of those is 2 factor authentication for anything that provides access to sensitive information or access to a network. For this reason, simple client certificate authentication running in the background will not be acceptable for compliance purposes, since that is a single factor of authentication. User VPN relying on AD credentials and a client certificate is acceptable, but requires user interaction to bring the tunnel up.

I'd like to see a way to use a domain joined machine's AD machine account as one factor of authentication, and then a client certificate as the second. Both of these could be used by a background VPN tunnel that comes up automatically without user intervention.

BadIdea
OpenVpn Newbie
Posts: 2
Joined: Mon Jun 03, 2024 3:13 pm

Re: Use Windows Machine Account as an authentication option

Post by BadIdea » Mon Jun 03, 2024 4:56 pm

I 2nd the requirements as it's also on my wish list.

Thank you

downdeep
OpenVpn Newbie
Posts: 2
Joined: Sun Dec 15, 2024 3:39 am

Re: Use Windows Machine Account as an authentication option

Post by downdeep » Sun Dec 15, 2024 3:47 am

There are lots of ways to authenticate the user (freeipa, motp, ldap, etc) but no ways to authenticate the machine!

Use GSSAPI to check if a client computer is part of an AD domain. If the client computer is not enrolled, no VPN. This doesn't require Windows; it does require that the server (Linux or otherwise) is part of the AD domain and is able to request service tickets from the AD KDC.

Only after the client is confirmed as being part of the AD domain can it then proceed to user authentication (potentially using RADIUS or some other MFA).

Summary: support using Windows machine account as a pre-authentication step for the client that is a gating factor for user authentication being initiated.
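As an added illustration of the gating step described above (example code, not from OpenVPN or from anyone in this thread), the sketch below accepts a Kerberos/GSSAPI context on a domain-joined server and admits only a machine principal of the form HOSTNAME$@REALM from the expected realm, rejecting user principals. The realm, the service name, the python-gssapi calls and the 15-character NetBIOS host limit are assumptions; the server's keytab is assumed to be provisioned already.

```python
"""Server-side gate: admit only an AD machine account authenticated via GSSAPI.

Assumption: the initiator name reported by GSSAPI is the Kerberos principal the
client's ticket was issued to. Domain-joined Windows hosts authenticate as
HOSTNAME$@REALM (the computer account's sAMAccountName ends in '$'), whereas a
user would appear as user@REALM, so the '$' suffix separates the two cases.
"""
import re

# Assumed shape: NetBIOS-style host name (<=15 chars) + '$' + '@' + realm.
MACHINE_PRINCIPAL = re.compile(r"^(?P<host>[A-Za-z0-9-]{1,15})\$@(?P<realm>[A-Za-z0-9.-]+)$")


def machine_account_check(principal, expected_realm):
    """Return (ok, detail): ok only for a machine principal in expected_realm.

    detail is the host name on success, otherwise the reason for rejection.
    """
    m = MACHINE_PRINCIPAL.match(principal)
    if not m:
        return False, "not a machine account principal"
    if m.group("realm").upper() != expected_realm.upper():
        return False, "unexpected realm"
    return True, m.group("host")


def gssapi_accept(client_token, expected_realm, service="host@vpn.example.com"):
    """Run one accept-side step of the GSSAPI handshake and gate on the initiator.

    Requires python-gssapi and a keytab for `service` on this (domain-joined)
    server; that is why the import is local. Returns (ok, detail, reply_token),
    where reply_token must be sent back to the client even on rejection.
    """
    import gssapi  # pip install gssapi (assumed available on the server)

    name = gssapi.Name(service, gssapi.NameType.hostbased_service)
    creds = gssapi.Credentials(name=name, usage="accept")
    ctx = gssapi.SecurityContext(creds=creds, usage="accept")
    reply_token = ctx.step(client_token)
    if not ctx.complete:
        # A second round trip is needed; nothing is decided yet.
        return False, "handshake incomplete", reply_token
    ok, detail = machine_account_check(str(ctx.initiator_name), expected_realm)
    return ok, detail, reply_token
```

Only when `gssapi_accept` returns ok would the server go on to start user authentication (RADIUS, MFA, etc.); the machine check by itself never grants the tunnel.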
