[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] Re: OpenVPN + RADIUS??

  • Subject: [Openvpn-users] Re: OpenVPN + RADIUS??
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Fri, 10 Dec 2004 15:56:12 -0600

On Fri, 10 Dec 2004 16:27:10 -0500, Andreas Iwanowski wrote:

> However, when used in server mode, the certificate base approach is not
> very scalabe.

How is it not?

OpenVPN is very far from the only VPN solution to use certificates for
authentication -- almost all of them do, at least optionally. Because the
server doesn't need to have a list of accepted certificates, there's no
server administration needed to add a client; one only needs to have a CA
and a process for providing new certificates to users (and revoking
certificates issued to older users) as appropriate. Further, there are a
number of available tools for automating exactly this process (EJBCA is
onesuch, but there are many more).

> Is there a way to use RADIUS for authentication?

You could use auth-user-pass / auth-user-pass-verify and
client-cert-not-required, and have the auth-user-pass-verify script talk
to a RADIUS server. However, this is not recommended from a security

> How would the data then be encrypted?

My understanding is that after authentication is done, a diffie-hellman
key exchange is used to decide on the session keys regardless of the
mechanism used for initial authentication. I'm not the expert, though.

Openvpn-users mailing list