Add an option on VyOS to authenticate using LDAP, RADIUS or Active Directory while connecting remotely via an OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.
- Difficulty level
- Hard (possibly days)
We do this a lot, having certificate + user auth for OpenVPN, using this OpenVPN option, a custom auth script and extra packages:
openvpn-option "auth-user-pass-verify /config/auth/auth-ldap.pl via-file"
The LDAP auth requires these packages:
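An added example, not part of the comment above and not the poster's auth-ldap.pl: a Python sketch of a script that could sit behind the same auth-user-pass-verify ... via-file option, showing the file contract (username on line 1, password on line 2, exit status 0 to accept) and the checks an LDAP bind needs before it is trusted. The LDAP host, base DN, uid= naming and username policy are assumed placeholders, and the real bind assumes the ldap3 package is installed.

```python
#!/usr/bin/env python3
"""Verify script for: auth-user-pass-verify <this script> via-file.
OpenVPN passes a temp file as argv[1] (line 1 user, line 2 password); exit 0 accepts."""
import re
import ssl
import sys

LDAP_URI = "ldaps://ldap.example.org"    # assumption: placeholder host
BASE_DN = "ou=people,dc=example,dc=org"  # assumption: placeholder directory layout
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumption: site naming policy

def read_credentials(path):
    """Return (username, password) from the two-line file OpenVPN wrote."""
    with open(path, encoding="utf-8") as fh:
        username, password = fh.read().split("\n")[:2]  # ValueError if short
    return username, password

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out

def ldap_bind(bind_dn, password):
    """Simple bind over LDAPS with certificate validation (needs ldap3)."""
    from ldap3 import Connection, Server, Tls
    server = Server(LDAP_URI, use_ssl=True, tls=Tls(validate=ssl.CERT_REQUIRED))
    conn = Connection(server, user=bind_dn, password=password)
    try:
        return conn.bind()
    finally:
        conn.unbind()

def verify(path, bind=ldap_bind):
    """Return True only when the directory accepts the user's own bind."""
    try:
        username, password = read_credentials(path)
        # Empty password = unauthenticated bind (RFC 4513 5.1.2): reject early.
        if not password or not USERNAME_RE.fullmatch(username):
            return False
        dn = "uid=%s,%s" % (escape_dn_value(username), BASE_DN)
        return bool(bind(dn, password))
    except Exception:
        return False  # fail closed on I/O, decoding or directory errors

if __name__ == "__main__":
    sys.exit(0 if len(sys.argv) == 2 and verify(sys.argv[1]) else 1)
```

OpenVPN only runs user-defined scripts like this when script-security is set to level 2 or higher.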
This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at https://foxpass.readme.io/docs/vyatta-vyos-ubiquity-vpn-clients
It would be nice to have this change possible via an option.
I think maybe we use the OpenVPN dynamic challenge response function for two-factor auth.
SMS, email, etc.
Sample test config and Python script
Edit: another example