How to configure OpenVPN to use WiKID Strong Authentication

Want to support HowtoForge? Become a subscriber!
 
Submitted by nowen (Contact Author) (Forums) on Wed, 2007-01-03 14:05. :: Security | Security

How to configure OpenVPN to use WiKID Strong Authentication 

These instructions describe setting up two-factor authentication with WiKID Strong Authentication, which is a commercial/open source two-factor authentication system and OpenVPN, an SSL-encrypted VPN, on a Linux server using the Radius Pluggable Authentication Module.. First, we will configure PAM to use Radius, then we will configure OpenVPN to use PAM and one-time passwords, then we will create a network client on the WiKID server for OpenVPN. We won't go into specifics about installing these services, rather we will focus on configuring them to all work together.

Configuring PAM

First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary.

Edit /etc/pam.d/sshd to allow Radius authentication:

vi /etc/pam.d/sshd

Go to the second line of the file, hit the Insert key or the i key and insert this line:

auth     sufficient   /lib/security/pam_radius_auth.so 

just above this line:

auth     required     pam_stack.so service=system-auth

The “sufficient” tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use "Required" to require strong authentication. Because we are only editing the sshd file, it will not affect terminal log-ins.

Write the file and quit. Hit the Esc key to exit insert mode and type “:wq

Edit or create your /etc/raddb/server file:

vi /etc/raddb/server

Below the line:

127.0.0.1   secret        1

Add this line, substituting the IP Address of the WiKID server:

routableIPaddress   shared_secret     1

Later, we will configure a network client on the WiKID server to talk to the PAM module. First, let's configure OpenVPN to talk to the PAM module.

Configuring OpenVPN for two-factor authentication

OpenVPN is an excellent open-source VPN solution. While it supports certificates out of the box, you may need true two-factor authentication for regulatory requirements or you may prefer an easier to manage solution or you may need one-time passwords for a non-VPN system, such as SSH or webmail. Luckily, OpenVPN is easily configured to support one-time passwords.

Install OpenVPN according to their excellent how-to.

You will want to configure the server side to use an alternate authentication method, just add this to server.conf file (verify the location of openvpn-auth-pam.so):

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
If you want to drop the requirement for client certificates, add the following as well:
client-cert-not-required
username-as-common-name

Dropping the requirement for client certificates does not drop the tunnel encryption! It just means that individual client certificates for each user are not required. It also increases the scalability of the OpenVPN server.

Then, on the client, specify that the user enter a password by adding this to the client.conf or client.opvn:

auth-user-pass

If you drop the requirement for client certificates on the server, you should also comment them out on the client:

#cert client.crt
#key client.key

Configuring the WiKID Server

Now, we'll configure the WiKID server to process the one-time passwords from OpenVPN. We assume that you also need to set up a new WiKID domain. If you already have one, you may skip this part.

Log into the WiKID server and click on the Domains Tab

Click on Create a New Domain

Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click "Create". (Obviously, if you already have a domain setup, you can skip this step.)

Click Network Clients tab and on "Create a new Network Client".

Enter the information requested. For the IP Address, use the IP address of the OpenVPN server. Select Radius and the domain you just created. Click "Add" when you're finished.

On the next page, enter the shared secret you entered in the /etc/raddb/server file of the OpenVPN server. Do not have to enter any information under "Return Attributes".

Important: From the WiKID terminal or via SSH, you will need to run "stop" and then "start" to load the new configuration into the WiKID Radius server.

Conclusion

That is it. You should now be able to log in to OpenVPN using a one-time passcode from your WiKID token client. Note that in this configuration, you also will be using WiKID for SSH. You might consider setting your OpenVPN server as an SSH gateway - require WiKID to login to SSH to this box, then allow the use of key authentication to other boxes on the network. Lock down those boxes to only allow access from the OpenVPN box and you have extremely secure SSH. For additional information on configuring WiKID, please visit our site.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.