Welcome, Guest. Please login or register.
Did you miss your activation email?
Wednesday 18 December 2024, 11:25:27 pm

Login with username, password and session length

Visit the official Endian Community Mailinglist  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Anyone get Two-Factor working in 2.3?
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Anyone get Two-Factor working in 2.3?  (Read 17224 times)
fackler
Jr. Member
*
Offline Offline

Posts: 6


« on: Friday 19 February 2010, 01:56:19 am »

I am trying to get two-factor authentication going on a 2.3 install.  We currently have two-factor auth working on a release 2 (c) EFW.  Now I am trying to set up a new machine with EFW release 2.3-0 (Deployset #0) and get the two factor auth working there.  I can VPN to the new 2.3 EFW with PSK but not the X.509 or X.509 & PSK options.  I have used the same files that are currently working on the 2(c) EFW, transferring them to the new EFW by running:

/usr/bin/openssl pkcs12 -export -inkey hostkey.pem -in hostcert.pem -certfile cacert.pem -out pkcs12.p12 -nodes

And then copying pkcs12.p12, cacert.pem and dh1024.pem to the new EFW /var/efw/openvpn

But this hasn't worked.  I have even created a whole new CA, server cert/key and client certs/keys packaged into pkcs12 and imported to the new EFW, but that hasn't worked.  

So the question is: has ANYONE actually gotten two factor authentication working on 2.3?

http: // docs.endian.com/ vpn.html#advanced leaves out a few details.

Logged
mnicolazzo
Jr. Member
*
Offline Offline

Posts: 8


« Reply #1 on: Friday 19 February 2010, 04:02:47 am »

Yes, it worked for me.

I created my CA and certificates, installed dh1024.pem and certificates on the server,
BUT I also needed to modify /etc/openvpn/openvpn.conf.tmpl template file.
I commented out the following line:

ns-cert-type client

by adding a '#' at the beginning of the line.

I think that the self-generated certificate for the client has not the 'client' flag set and thus is refused by the server with the default configuration.

After modifying the template file, save your current configuration from the web GUI, to propagate the change made in the template to the live openvpn.conf file, and try to connect again.

Logged
fackler
Jr. Member
*
Offline Offline

Posts: 6


« Reply #2 on: Friday 19 February 2010, 04:51:05 am »


mnicolazzo you rock.  That worked.  So I guess the root of the problem is that I was trying to use client certs that didn't have the client flag set.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com