On Wed, Aug 3, 2016 at 5:35 PM, Michael Hicks <michaelhick...@gmail.com>
wrote:

> Greetings OpenVPN users,
>
> I’m having some trouble with openvpn using an auth plugin for DuoSecurity
> MFA.
> https://github.com/duosecurity/duo_openvpn
>
> server side
> OpenVPN 2.3.6 x86_64-sun-solaris2.11 [SSL (OpenSSL)] [LZO] [IPv6] built on
> Dec  5 2015
> library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
>
> client side:
> OpenVPN 2.3.6 x86_64-apple-darwin13 [SSL (OpenSSL)] [LZO] [MH] [IPv6]
> built on Jun 17 2016
> library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
>
> I generated certificates using EasyRSA 3.0.1 and can see what the CN is
> set to
> openssl x509 -text -noout -in EasyRSA-3.0.1/pki/issued/triskaideka.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=foobiebletch
>         Validity
>             Not Before: Jul 28 19:35:34 2016 GMT
>             Not After : Jul 26 19:35:34 2026 GMT
>         Subject: CN=triskaideka
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>
> On the client side I’m supplying my username and pass via the
> auth-user-pass parameter with a file.
>
> On the server side I’m trying to use username-as-common-name so that the
> client supplied username parameter is used to auth against Duo instead of
> the cert CN.
>
> What seems to be happening is that OpenVPN is not setting the username as
> the common_name parameter.  With logging verbosity set to 7 I see this in
> the openvpn.log file demonstrating that the common_name is set to the
> connecting client’s hostname, and that it clearly also knows what the
> username is.
>


The --username-as-common-name option does not change the common name until
the client is authenticated. So the duo plugin will see the common name from
your certificate. I have no idea why duo decided to take the username from
the cert CN instead of from the response to the auth-user-pass dialog.

Selva
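To make the point above concrete, here is an added example of a stand-in
for an OpenVPN --auth-user-pass-verify script run in via-env mode. It is
not the Duo plugin's code and not something posted in this thread. In
via-env mode OpenVPN hands the script the name and password the client sent
with --auth-user-pass in the `username` and `password` environment
variables, while `common_name` still carries the certificate CN at that
point (the same variable set is passed to an auth plugin). The script keys
the MFA lookup on `username` and uses `common_name` only to check that the
presented certificate is one bound to that user. The Duo verification is
replaced by a local RFC 6238 TOTP check so the example runs offline; the
"<static password>,<6-digit code>" password convention, the USERS table,
the user "alice" and her secret are constructed for the demo.

```python
"""Added example: OpenVPN auth-user-pass-verify (via-env) stand-in.

Not the duo_openvpn plugin. Demonstrates keying MFA on the client-sent
`username` rather than on `common_name`, which at auth time is the cert CN.
"""
import hashlib
import hmac
import os
import struct
import sys
import time

# Constructed user table for the demo. A real deployment would call Duo or
# another MFA backend here. Keys are the usernames clients send with
# --auth-user-pass, NOT certificate CNs.
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
        "allowed_cn": {"triskaideka"},           # CN of the cert in the thread
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def split_password(password: str):
    """Assumed demo convention: '<static password>,<6-digit code>'."""
    static, sep, code = password.rpartition(",")
    if not sep or not (code.isdigit() and len(code) == 6):
        return None
    return static, code


def verify_login(env: dict, now: int, users=USERS, skew: int = 1):
    """Return (ok, reason) for one OpenVPN via-env authentication attempt.

    `env` is the environment OpenVPN sets for the script: `username` and
    `password` from the client's auth-user-pass response, `common_name`
    from the client certificate.
    """
    username = env.get("username")
    common_name = env.get("common_name")
    if not username:
        return False, "client sent no username (common_name=%r)" % common_name
    user = users.get(username)
    if user is None:
        return False, "unknown user %r" % username
    parsed = split_password(env.get("password", ""))
    if parsed is None:
        return False, "password must be '<static>,<6-digit code>'"
    static, code = parsed
    if not hmac.compare_digest(static.encode(), user["password"].encode()):
        return False, "bad static password"
    # The cert CN is still the identity OpenVPN verified cryptographically;
    # require that it is one registered for this username.
    if common_name not in user["allowed_cn"]:
        return False, "cert CN %r not allowed for user %r" % (common_name, username)
    # Accept the current TOTP step and `skew` steps either side.
    for delta in range(-skew, skew + 1):
        expected = totp(user["totp_secret"], now + delta * 30)
        if hmac.compare_digest(code.encode(), expected.encode()):
            return True, "ok"
    return False, "bad or stale TOTP code"


if __name__ == "__main__":
    # OpenVPN treats exit status 0 as success, anything else as failure.
    ok, reason = verify_login(dict(os.environ), int(time.time()))
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Run as `auth-user-pass-verify /path/to/script.py via-env` together with
`script-security 3` in the server config; the `common_name` check is what
keeps a stolen client certificate from being used with a different user's
credentials even though the MFA lookup no longer depends on the CN.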
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
