On Wed, Aug 3, 2016 at 5:35 PM, Michael Hicks <michaelhick...@gmail.com> wrote:
> Greetings OpenVPN users,
>
> I’m having some trouble with openvpn using an auth plugin for DuoSecurity
> MFA.
> https://github.com/duosecurity/duo_openvpn
>
> server side
> OpenVPN 2.3.6 x86_64-sun-solaris2.11 [SSL (OpenSSL)] [LZO] [IPv6] built on
> Dec 5 2015
> library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
>
> client side:
> OpenVPN 2.3.6 x86_64-apple-darwin13 [SSL (OpenSSL)] [LZO] [MH] [IPv6]
> built on Jun 17 2016
> library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
>
> I generated certificates using EasyRSA 3.0.1 and can see what the CN is
> set to
> openssl x509 -text -noout -in EasyRSA-3.0.1/pki/issued/triskaideka.crt
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: CN=foobiebletch
> Validity
> Not Before: Jul 28 19:35:34 2016 GMT
> Not After : Jul 26 19:35:34 2026 GMT
> Subject: CN=triskaideka
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
>
> On the client side I’m supplying my username and pass via the
> auth-user-pass parameter with a file.
>
> On the server side I’m trying to use username-as-common-name so that the
> client supplied username parameter is used to auth against Duo instead of
> the cert CN.
>
> What seems to be happening is that OpenVPN is not setting the username as
> the common_name parameter. With logging verbosity set to 7 I see this in
> the openvpn.log file demonstrating that the common_name is set to the
> connecting client’s hostname, and that it clearly also knows what the
> username is.
>

--username-as-common-name option does not change the common-name until authenticated. So the duo plugin will see your common-name in the certificate.

I have no idea why duo decided to take the username from cert CN instead of from the response to auth-user-pass dialog.

Selva
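The behaviour described in the reply above, as an added example that is not part of the thread and is not duo_openvpn code: a hook for `auth-user-pass-verify <script> via-file` that takes the login name from the credentials file rather than from `common_name`, which still holds the certificate CN at this stage. The username `mhicks` and the CN-to-user mapping are constructed for illustration.

```python
"""Added illustration: an auth-user-pass-verify hook (via-file mode)."""
import os
import sys

# Constructed policy for the example: usernames each certificate CN may log in as.
ALLOWED_USERS_BY_CN = {"triskaideka": {"mhicks"}}


def read_credentials(path):
    """via-file mode: OpenVPN writes the username on line 1, the password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("credentials file is missing username or password")
    return lines[0], lines[1]


def identity_for_second_factor(env, cred_path, allowed=ALLOWED_USERS_BY_CN):
    """Return the account name to hand to the MFA check, or None to reject.

    During this hook common_name is still the certificate CN, even when the
    server config has username-as-common-name; that option takes effect only
    after authentication succeeds. The login name comes from the file.
    """
    username, _password = read_credentials(cred_path)
    cert_cn = env.get("common_name", "")
    if username not in allowed.get(cert_cn, set()):
        return None  # certificate is not permitted to authenticate as this user
    return username


if __name__ == "__main__":
    # OpenVPN passes the temporary credentials file as the first argument.
    who = identity_for_second_factor(os.environ, sys.argv[1])
    # Exit 0 accepts, non-zero rejects; a real hook would run the MFA check on `who` here.
    sys.exit(0 if who else 1)
```

Binding the supplied username to the certificate CN keeps a holder of one valid certificate from authenticating under another account's name.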