Hello Selva, hello all,
If you are using OpenVPN-GUI for Windows, looks like a bug. I guess,
by text window, you mean the challenge-response dialog that the GUI
pops up for 2FA.
Yes exactly.
Username is first input in the username/password dialog and that seems
to succeed with the backslash in it. You should be able to see that
the username is passed to management with the backslash replaced by
"\\" (escaped). Then the challenge response dialog is shown when
AUTH_FAILED with challenge is received where the user types the
response. In that round the username is submitted again and that seems
to be failing. Looks like a bug in the GUI -- we are not expanding the
string when submitted from that dialog. Generally we use
ManagementCommandFromInput() to submit user input and that does the
escaping, but for this username which is not input by user but passed
in by the server, we send it directly without escaping. Will fix if
that is indeed the case.
This sounds like a perfect description of what I am seeing. I can send
you complete logs off-list.
As a quick fix, username@domain instead of domain\username may
work with your server.
Sadly no, the authentication is passed back by the embedded openvpn
server to the WatchGuard Auth engine, which seems to choke on everything
but "\".
This is no problem when you have just one authentication method, as then
you just specify the username. But when using AD directly as well as the
2FA service "AuthPoint", in a transition period, you cannot do this with
the OpenVPN client as you would prepend the AD domain or the "authpoint"
domain to the username, which then leads to the error in the second auth
round.
Best regards, Jakob Curdes
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
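An added example (not OpenVPN-GUI code) of the escaping described in the thread: a username such as domain\user must have its backslash doubled before it is sent over the management interface, and when it is sent raw the backslash is consumed as an escape character and the server sees a different username. The parser model here (backslash escapes the next character and is dropped; backslash and double quote are the characters that need escaping) is an assumption for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Escape a string for a management-interface argument: prefix every
 * backslash and double quote with a backslash. This mirrors what the
 * GUI does for user-typed input (per the thread); the exact rule is
 * an assumption of this example. Returns length, or -1 if out is too small. */
int mgmt_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        bool special = (*p == '\\' || *p == '"');
        if (n + (special ? 2 : 1) + 1 > outlen) return -1;
        if (special) out[n++] = '\\';
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Assumed model of the receiving parser: a backslash escapes the
 * following character and is itself dropped. Returns output length. */
int mgmt_unescape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    bool backslash = false;
    for (const char *p = in; *p && n + 1 < outlen; p++) {
        if (!backslash && *p == '\\') { backslash = true; continue; }
        out[n++] = *p;
        backslash = false;
    }
    out[n] = '\0';
    return (int)n;
}

/* True if the username reaches the parser unchanged. With escape=false the
 * backslash in domain\user is eaten, which is the failure mode in the thread. */
bool username_survives(const char *username, bool escape)
{
    char wire[128], seen[128];
    if (escape) {
        if (mgmt_escape(username, wire, sizeof wire) < 0) return false;
    } else {
        snprintf(wire, sizeof wire, "%s", username);
    }
    mgmt_unescape(wire, seen, sizeof seen);
    return strcmp(seen, username) == 0;
}

int main(void)
{
    const char *u = "domain\\user";   /* constructed sample username */
    printf("escaped: %s; raw ok: %d\n", u, username_survives(u, false));
    return 0;
}
```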