
RE: [Openvpn-users] Re: OpenVPN + RADIUS??

  • Subject: RE: [Openvpn-users] Re: OpenVPN + RADIUS??
  • From: Andreas Iwanowski <namezero@xxxxxxxxx>
  • Date: Fri, 10 Dec 2004 23:05:48 -0500

Thank you for your answers.
I will consider using both.


-----Original Message-----
From: James Yonan [mailto:jim@xxxxxxxxx]
Sent: Friday, December 10, 2004 5:55 PM
To: Charles Duffy
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Re: OpenVPN + RADIUS??

On Fri, 10 Dec 2004, Charles Duffy wrote:

> On Fri, 10 Dec 2004 16:27:10 -0500, Andreas Iwanowski wrote:
> > However, when used in server mode, the certificate base approach is not
> > very scalable.
> How is it not?
> OpenVPN is very far from the only VPN solution to use certificates for
> authentication -- almost all of them do, at least optionally. Because the
> server doesn't need to have a list of accepted certificates, there's no
> server administration needed to add a client; one only needs to have a CA
> and a process for providing new certificates to users (and revoking
> certificates issued to older users) as appropriate. Further, there are a
> number of available tools for automating exactly this process (EJBCA is
> one such, but there are many more).
> > Is there a way to use RADIUS for authentication?
> You could use auth-user-pass / auth-user-pass-verify and
> client-cert-not-required, and have the auth-user-pass-verify script talk
> to a RADIUS server. However, this is not recommended from a security
> perspective.
> > How would the data then be encrypted?
> My understanding is that after authentication is done, a Diffie-Hellman
> key exchange is used to decide on the session keys regardless of the
> mechanism used for initial authentication. I'm not the expert, though.

The advantage of using RADIUS with an auth-user-pass-verify script or
plugin is that the RADIUS client/server data traffic need never leave the
local LAN (this is important because the cryptographic security used in
the RADIUS protocol is weak).  The username and password entered by the
remote OpenVPN client would be sent over a secure SSL/TLS channel, and the
OpenVPN server would then act as a proxy to the actual RADIUS server.

It should be possible to do this now without writing any additional code
by using the auth-pam plugin in the OpenVPN server to do PAM
authentication, then setting up the PAM radius module to communicate with
the actual RADIUS server.

In general, it's considered insecure to grant VPN access with only a
username/password as credentials.  While OpenVPN will permit this (with a
warning), it would be better to combine username/password auth with
certificates -- OpenVPN will support this.
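The following is an added illustration, not code from this thread, from its authors, or from the OpenVPN project. It shows the kind of `auth-user-pass-verify` helper the thread talks about: OpenVPN, configured with `auth-user-pass-verify /path/to/this.py via-file`, hands the script a temporary file holding the username on line 1 and the password on line 2, and the script builds a PAP Access-Request as laid out in RFC 2865, sends it to a RADIUS server on the local LAN, and exits 0 only after an Access-Accept whose Response Authenticator checks out. The server address, shared secret and NAS-Identifier are placeholder assumptions. The password-hiding routine is written out in full because it makes James Yonan's point concrete: the only thing protecting the password on the wire is an MD5 keystream derived from the shared secret and a 16-byte request authenticator, which is why that traffic should stay on the LAN behind the TLS tunnel.

```python
"""Minimal RFC 2865 PAP client for use as an OpenVPN auth-user-pass-verify
script (via-file mode). Added example; deployment values below are assumptions."""
import hashlib
import hmac
import os
import socket
import sys

# Assumed deployment values (placeholders, not from the mailing-list thread).
RADIUS_SERVER = ("192.0.2.10", 1812)     # RFC 5737 documentation address; keep it on the LAN
SHARED_SECRET = b"example-shared-secret"
NAS_ID = b"openvpn-gateway"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), seeded with the request authenticator.
    MD5 plus a 16-byte random value is all that hides the password on the wire."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16                          # an empty password is still one full block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this,
    which is why the shared secret and the LAN boundary carry all the weight.
    Trailing NUL padding is stripped, as RFC 2865 prescribes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes, nas_id: bytes) -> bytes:
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    length = 20 + len(attrs)              # Code, Identifier, Length, Authenticator = 20 octets
    return bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + authenticator + attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends back: Response Authenticator = MD5(Code+ID+Length+
    RequestAuth+Attributes+Secret). Included so both sides of the exchange are visible."""
    length = 20 + len(attrs)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes,
                    secret: bytes, identifier: int) -> bool:
    """Reject a reply whose Response Authenticator does not match: a forged
    Access-Accept from a host without the shared secret must not grant access."""
    if len(response) < 20 or len(response) != int.from_bytes(response[2:4], "big"):
        return False
    if response[1] != identifier:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username: bytes, password: bytes, server=RADIUS_SERVER,
                 secret=SHARED_SECRET, timeout: float = 3.0) -> bool:
    identifier = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(identifier, authenticator, username, password, secret, NAS_ID)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, server)
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False                  # fail closed when the RADIUS server is silent
    return verify_response(response, authenticator, secret, identifier) and response[0] == ACCESS_ACCEPT


def main(argv) -> int:
    # With "auth-user-pass-verify <script> via-file", OpenVPN passes the temp file path
    # as argv[1]: username on the first line, password on the second.
    with open(argv[1], "rb") as f:
        lines = f.read().split(b"\n")
    if len(lines) < 2:
        return 1
    return 0 if authenticate(lines[0], lines[1]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same check can be delegated to the auth-pam plugin with a PAM RADIUS module, as James suggests; the point of spelling the wire format out here is that the exit status is the only thing OpenVPN sees, and that, exactly as the thread recommends, the script should be paired with client certificates rather than used with `client-cert-not-required` alone.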


Openvpn-users mailing list