OpenVPN Support Forum

Hello,

I'm currently using AS v2.8.5 with LDAP (MS Win Active Directory) as my default and only Authetication source. It is working flawslesly but now we are in the process of implementing MFA sequentially for these LDAP users.

For business reasons, our intention is to enable MFA in samml batches of users so we can grab feedback progresively as the user base using MFA grows.

For this purpose we will start with the Native AS TOTP MFA which by default can be only enabled for ALL/None users via the AdminGUI, or selectivey for specific users/groups from command line.

My question is how to approach this implementation considering we would like to have two Groups on our AD (LDAP Resolver), the existing one "VPN Users" for those employees with VPN access, and a new one to be created "MFA VPN Users" which will start getting user memebers being migrated to MFA. The problem is how to mimic this AD Group from the AS, since as far as I could investigate you can only enable MFA for groups locally defines in the AS, not the LDAP Resolver (AD).

One approach I thought off, could be to create a default group where all users land by default, and another one where users are added manually. Then enable this second one for MFA. Once all users are moved from the default group to the MFA group, we could eventually delete groups and enale MFA for everyone or just keep the groups for future use/MFA Rollback.

As a second effort, we would also like to move from native OVPN AS TOTP to Microsoft Authenticator using Push notifications. Would this be still possible to achieve the strategy mentioned above?

Any thoughts or ideas are much appreciated!

Hello nicolino,

I would suggest to upgrade to something newer like 2.11.3 and use the admin UI toggles that allow you to turn on/off MFA for users/groups individually.

Push notifications are not built into Access Server, but if the authentication backend supports it, you can do that. Again you might consider upgrading because newer versions can support multiple authentication methods side-by-side. So you could have a group that authenticates to LDAP, and another group that authenticates via SAML (which can have the push integration for example). Then you can migrate users over.

Kind regards,
Johan

Thank you Johan!! Upgraded to latest version and I can now manage my gorups and MFA selectively! Awesome!!!!

My issue now is, since users are LDAP and I won't see them in the AdminUI until they log in/connect for the first time, I cannot enable MFA for them by adding them to the MFA-enabled group until they connect for the first time and I see them in the UI, hence I'm in a situation where I need the user to login without MFA first, let me know after their first succesful connection, and not until then I'd be able to add them to the MFA group.

This doesn't scale really well because
1) because Im allowing them to connect the first time without MFA
2) we are talking about hundreds of users that will need to let me know they have connected for the first time, enabling me to bother them enforcing security with MFA ... not very likely they will be willing to collaborate on that

Any possible workaround on this?

I thought obout doing it the other way around, i.e. enabling MFA by default to everyone, and remove them from MFA after first connection, but even though it would be more secure, it would still require the user to interact with me for MFA removal. Also, I'd not be able to enable MFA in waves of small groups of users.

Another (definetely unwanted) option, would be to manually create the user permission on the UI, one by one, carefully checking casing... that way I can add them to the MFA group in advance and then after their first connection they will match the manually created user already added to the corresponding group. Again, I'd rather avoid this.

openvpn_inc wrote: ↑

Wed Feb 08, 2023 7:50 pm

I would suggest to upgrade to something newer like 2.11.3

BTW, I 'm on the Azure Marketplace OVPN AS image, that's why I was 2.8.5... thought it would be the latest release already and didn't even care to check myself

Hello nicolino,

If I understand you correctly, you want automated MFA enablement for new users but you don't want it for existing users.

To do that you could create a group that has MFA turned off, and assign existing users that do not do MFA yet there.

Then enable MFA by default on the entire server. So any new users would not be part of that MFA exception group and would need to do MFA.

You can move users out of the exception group when you are ready to have them enroll in MFA. Eventually this MFA exception group would be empty.

Kind regards,
Johan