Use Windows Machine Account as an authentication option

Posted: Tue Feb 07, 2023 4:25 pm
by bp81
This would be a useful feature to me to use in conjunction with an always up / OpenVPN running as a service.

We have some industry and government rules we have to comply with; one of those is 2-factor authentication for anything that provides access to sensitive information or access to a network. For this reason, simple client certificate authentication running in the background will not be acceptable for compliance purposes, since that is a single factor of authentication. User VPN relying on AD credentials and a client certificate is acceptable, but requires user interaction to bring the tunnel up.

I'd like to see a way to use a domain joined machine's AD machine account as one factor of authentication, and then a client certificate as the second. Both of these could be used by a background VPN tunnel that comes up automatically without user intervention.

Re: Use Windows Machine Account as an authentication option

Posted: Mon Jun 03, 2024 4:56 pm
by BadIdea
I 2nd the requirements as it's also on my wish list.

Thank you

Re: Use Windows Machine Account as an authentication option

Posted: Sun Dec 15, 2024 3:47 am
by downdeep
There are lots of ways to authenticate the user (freeipa, motp, ldap, etc) but no ways to authenticate the machine!

Use GSSAPI to check if a client computer is part of an AD domain. If the client computer is not enrolled, no VPN. This doesn't require Windows; it does require that the server (Linux or otherwise) is part of the AD domain and is able to request service tickets from the AD KDC.

Only after the client is confirmed as being part of the AD domain can it then proceed to user authentication (potentially using RADIUS or some other MFA).

Summary: support using Windows machine account as a pre-authentication step for the client that is a gating factor for user authentication being initiated.