These instructions will help you use WiKID Strong Authentication with OpenVPN on Linux.
- Configure your Linux box via PAM to use TACACS+ and WiKID for SSH Authentication or PAM RADIUS
- Install OpenVPN according to their excellent howto
- You will want to configure the server side to use an alternate authentication method. Add this to the server.conf file (verify the location of openvpn-auth-pam.so):
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
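- If you want to drop the requirement for client certificates, add the following as well. The username and passcode checked through PAM then become the only per-user credential, and OpenVPN 2.4 and later deprecate client-cert-not-required in favor of verify-client-cert none:
client-cert-not-required
username-as-common-name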
- Then, on the client, prompt the user for a username and password by adding this to client.conf or client.ovpn:
auth-user-pass
If you drop the requirement for client certificates on the server, you should also comment them out on the client:
#cert client.crt
#key client.key
Now you need to create the /etc/pam.d/openvpn file. It should only need two lines, one for authentication and one for account:
auth sufficient /lib/security/pam_radius_auth.so debug
account sufficient /lib/security/pam_radius_auth.so
That is it!
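To confirm the pieces above line up before restarting OpenVPN, the following shell function is an added example, not part of the WiKID or OpenVPN documentation. The function name check_openvpn_pam is hypothetical, and the server.conf path and pam.d directory are passed in as arguments because their locations vary by distribution.

```shell
#!/bin/sh
# Added example: check_openvpn_pam SERVER_CONF PAM_DIR
# Prints one line per finding; returns 0 if nothing failed, 1 otherwise.
check_openvpn_pam() {
    conf=$1
    pamdir=$2
    rc=0

    # Expected form: plugin <path>/openvpn-auth-pam.so <PAM service name>
    line=$(grep -E '^[[:space:]]*plugin[[:space:]]+[^[:space:]]*openvpn-auth-pam\.so' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no openvpn-auth-pam.so plugin line in $conf"
        return 1
    fi
    so_path=$(printf '%s\n' "$line" | awk '{print $2}')
    service=$(printf '%s\n' "$line" | awk '{print $3}')

    # The module path differs between systems, so check the file exists.
    if [ -f "$so_path" ]; then
        echo "OK: plugin module present at $so_path"
    else
        echo "FAIL: plugin module not found at $so_path"
        rc=1
    fi

    # The service name on the plugin line selects the file under pam.d.
    pamfile="$pamdir/$service"
    if [ -z "$service" ] || [ ! -f "$pamfile" ]; then
        echo "FAIL: no PAM service file for '$service' in $pamdir"
        rc=1
    else
        for kind in auth account; do
            if grep -Eq "^[[:space:]]*$kind[[:space:]].*pam_radius_auth\.so" "$pamfile"; then
                echo "OK: $kind line uses pam_radius_auth.so"
            else
                echo "FAIL: $pamfile has no $kind line for pam_radius_auth.so"
                rc=1
            fi
        done
    fi

    # Without client certificates, the PAM login is the only per-user credential.
    if grep -Eq '^[[:space:]]*client-cert-not-required' "$conf"; then
        echo "NOTE: client certificates disabled; access rests on the PAM login alone"
        grep -Eq '^[[:space:]]*username-as-common-name' "$conf" ||
            echo "NOTE: username-as-common-name is not set"
    fi
    return $rc
}
```

Call it with the real locations on your server, for example the server.conf you edited and /etc/pam.d.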
The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.