
Using WiKID Strong Authentication with OpenVPN

This How-to applies to: WiKID Strong Authentication Server Enterprise Edition
This How-to is intended for: System Administrator, Developer-Integrator

How to configure OpenVPN to use WiKID Strong Authentication

These instructions will help you use WiKID Strong Authentication with OpenVPN on Linux.

  • Configure your Linux box via PAM to use TACACS+ and WiKID for SSH Authentication, or use PAM RADIUS.
  • Install OpenVPN according to their excellent howto.
  • Configure the server side to use an alternate authentication method by adding this to the server.conf file (verify the location of openvpn-auth-pam.so):

    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

    If you want to drop the requirement for client certificates, add the following as well:

    client-cert-not-required
    username-as-common-name

  • Then, on the client, specify that the user must enter a password by adding this to client.conf or client.ovpn:

    auth-user-pass

    If you drop the requirement for client certificates on the server, you should also comment them out on the client:

    #cert client.crt
    #key client.key

  • Create the /etc/pam.d/openvpn file. It should only need two lines, one for authentication and one for account:

    auth       sufficient   /lib/security/pam_radius_auth.so debug
    account    sufficient   /lib/security/pam_radius_auth.so

That is it!

The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.

TLS Reset

Posted by http://markhowells.pip.verisignlabs.com/ at Jan 28, 2009 01:59 PM
Very good guide, but OpenVPN will attempt to renegotiate the TLS keys every 3600 sec (by default). As this now involves a Radius call to WiKID for a one time passcode this will fail. This will guillotine (sp?) the connection every hour. One workaround is to add the line

   reneg-sec 43200

to your client config, which will cause renegotiation every 12 hours (which was bearable for us).

Switch to tcp

Posted by http://markhowells.pip.verisignlabs.com/ at Jan 29, 2009 10:27 AM
Also, it's probably best to switch to TCP (rather than UDP) for similar reasons unless your link (client <-> server) is absolutely guaranteed. If using UDP (connectionless), then any packets that are dropped can easily cause a connection restart and a subsequent call to WiKID (which fails).

The TCP connection compensates for dropped packets resulting in fewer (zero) restarts.

As a sidenote, we also found that the default of 3 failed OTP attempts before the user is disabled can be used up completely by OpenVPN auto restart attempts...
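As an added example (not part of the how-to or the comments above, and not WiKID's or OpenVPN's own tooling), the following POSIX shell script audits an OpenVPN server config for the settings the how-to describes and for the renegotiation and UDP pitfalls raised in the comments. The sample config is constructed for the demo; the plugin path is the one quoted in the how-to.

```shell
#!/bin/sh
# Print the argument(s) of the first occurrence of an OpenVPN directive, or nothing.
# $1 = config file, $2 = directive name (commented-out lines start with '#' and never match)
ovpn_directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Audit a server.conf for OTP-over-PAM use. Returns 0 when the PAM plugin is present
# and reneg-sec is set explicitly; returns 1 otherwise. Findings go to stdout.
audit_ovpn_server() {
    cfg="$1"; rc=0
    plugin=$(ovpn_directive "$cfg" plugin)
    case "$plugin" in
        *openvpn-auth-pam.so*) echo "ok: PAM plugin configured ($plugin)" ;;
        *) echo "FAIL: no openvpn-auth-pam.so plugin line"; rc=1 ;;
    esac
    reneg=$(ovpn_directive "$cfg" reneg-sec)
    if [ -z "$reneg" ]; then
        # Default TLS renegotiation is every 3600 s; each one triggers a fresh OTP check.
        echo "WARN: reneg-sec unset; hourly renegotiation will re-prompt for a one-time passcode"
        rc=1
    else
        echo "ok: reneg-sec $reneg"
    fi
    if [ -n "$(ovpn_directive "$cfg" client-cert-not-required)$(grep -c '^client-cert-not-required' "$cfg")" ] \
        && grep -q '^client-cert-not-required' "$cfg"; then
        echo "NOTE: client certificates not required; the tunnel is authenticated by password/OTP alone"
    fi
    proto=$(ovpn_directive "$cfg" proto)
    if [ "${proto:-udp}" = "udp" ]; then
        echo "NOTE: proto udp; dropped packets can restart the tunnel and consume OTP attempts"
    fi
    return $rc
}

# Constructed sample server.conf (not from a real deployment) to exercise the audit.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
port 1194
proto udp
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
#reneg-sec 43200
EOF
audit_ovpn_server "$SAMPLE_CFG" || echo "audit of sample config: issues found"
```

Add `reneg-sec 43200` and `proto tcp` to the sample and rerun to see the audit pass.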