Multi-factor authentication (TLS and AD auth using LDAP)

Hi, we have a VyOS (VM) that acts as our gateway, running version 1.1.8. We got OpenVPN tunneling working for our remote users; however, we want a more secure login from the remote users to our HQ, so we are thinking of adding an additional feature, which is to log in using Active Directory. I found these links and followed the steps: OpenVPN with 2-factors authentication && OpenVPN + AD + Group + cert. However, when we run it, we receive an error: additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580, which is InvalidCredentials, but I have checked that the username and password were right. I also tried upnp (username@domainname.com) but had no luck connecting successfully. I tried to search using ldapsearch -b "" -s base * + but an error came back saying ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1). TIA

I think without you sharing your config, help will be hard to provide.

Additionally, it sounds more like an OpenVPN config issue with it connecting back to your AD.

Have a look at this link. Whilst not VyOS, the solution for EdgeOS might get you moving in the right direction.

https://community.ubnt.com/t5/EdgeRouter/Configure-OpenVPN-against-LDAP-in-EdgeOS/td-p/2041009

Hi Sir, Thanks for the response.

Yeah, sorry for the incomplete info.

By the way, these are my configurations.

VyOS Gateway: OpenVPN - vtun2

    openvpn vtun2 {
        description "VPN - Remote Access Server"
        encryption aes256
        hash sha512
        mode server
        openvpn-option "--push dhcp-option DNS 10.0.3.2"
        openvpn-option "--script-security 2 system"
        openvpn-option duplicate-cn
        openvpn-option "plugin /config/auth/openvpn-auth-ldap.so /config/auth/auth-ldap.conf"
        openvpn-option "log-append /var/log/openvpn.log"
        protocol udp
        server {
            domain-name <domain.name>
            push-route 10.0.0.0/8
            subnet 172.16.249.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn_config/keys/ca.crt
            cert-file /config/auth/openvpn_config/keys/<cert-file.crt>
            dh-file /config/auth/openvpn_config/keys/dh2048.pem
            key-file /config/auth/openvpn_config/keys/<cert-file.key>
        }
    }

auth-ldap.conf:

    <LDAP>
        # LDAP server URL
        URL ldap://10.0.3.2
        # Bind DN (If your LDAP server doesn't support anonymous binds)
        #BindDN uid=Manager,ou=People,dc=example,dc=com
        BindDN "CN=Domain Admins,CN=Users,DC=domain,DC=com"
        # Bind Password
        #Password SecretPassword
        Password "OurBindPassword"

        # Network timeout (in seconds)
        Timeout         15
    </LDAP>

    <Authorization>
        # Base DN
        BaseDN "DC=domainame,DC=com"
        # User Search Filter
        SearchFilter    "(sAMAccountName=%u)"

        # Require Group Membership
        RequireGroup    false
    </Authorization>
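
Added example (not part of the original posts, and not VyOS or openvpn-auth-ldap project code): a small Python audit of an auth-ldap.conf like the one posted above, listing settings that weaken LDAP as the second factor next to the TLS certificate. The sample text is constructed from the posted values and assumes the directives sit in the `<LDAP>` and `<Authorization>` sections that openvpn-auth-ldap expects; the function names `parse_auth_ldap` and `audit` are hypothetical, and a missing `RequireGroup` is treated as `false`.

```python
import re

# Constructed sample, modelled on the auth-ldap.conf posted above.
SAMPLE_CONF = '''
<LDAP>
    URL ldap://10.0.3.2
    BindDN "CN=Domain Admins,CN=Users,DC=domain,DC=com"
    Password "OurBindPassword"
</LDAP>
<Authorization>
    BaseDN "DC=domainame,DC=com"
    SearchFilter "(sAMAccountName=%u)"
    RequireGroup false
</Authorization>
'''

def parse_auth_ldap(text):
    """Return {section: {directive: value}} for an openvpn-auth-ldap style file."""
    conf, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:  # <Section> opens a block, </Section> closes it
            if not tag.group(1):
                stack.append(tag.group(2))
            elif stack:
                stack.pop()
            continue
        key, *rest = line.split(None, 1)
        conf.setdefault("/".join(stack), {})[key] = "".join(rest).strip('"')
    return conf

def audit(conf):
    """List settings that weaken LDAP as the second factor beside the certificate."""
    ldap, authz = conf.get("LDAP", {}), conf.get("Authorization", {})
    findings = []
    # TLSEnable is openvpn-auth-ldap's StartTLS switch; ldaps:// is TLS from the start.
    starttls = ldap.get("TLSEnable", "no").lower() == "yes"
    if ldap.get("URL", "").startswith("ldap://") and not starttls:
        findings.append("cleartext-ldap: bind and user passwords cross the network unencrypted")
    if authz.get("RequireGroup", "false").lower() != "true":
        findings.append("no-group-restriction: any account SearchFilter finds can authenticate")
    if "BaseDN" not in authz:
        findings.append("missing-basedn: the user search has no starting point")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_auth_ldap(SAMPLE_CONF)):
        print(finding)
```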

I have used OpenVPN and LDAP auth since VyOS 1.1.7 (it is in fact broken in 1.1.8 due to a missing library). It works as intended in 1.2.1, and I will update the documentation in the next couple of days. But it is like the above-mentioned snippet.

Documentation updated: https://vyos.readthedocs.io/en/latest/vpn/openvpn.html#ldap-authentication

Hi Sir, Thanks for the information, I will try the link you’ve posted.