Active Directory Auth, OpenVPN and client specific overrides for static IP



  • Hello,
    I have run into a security-related issue that surprised me a few days ago, and I'm not sure how best to solve it.

    We have OpenVPN set up with some client-specific overrides, pushing static user-specific addresses to users. User-specific rules are then set up for every user's IP address to grant access to specific servers (mainly used for consultants that need access to single machines only).

    General setup:

    • Active Directory for user authentication.
    • Strict User-CN Matching is enforced.
    • The client-specific override is supposed to apply when the user's login name = the user certificate's common name.

    Example:
    User certificate with common name peter (all lowercase)

    Scenario A (OK):

    • User logs in with only lowercase letters (peter).
    • Authenticated OK by Active Directory.
    • Client-specific override works as expected, since the common name is the same as the login name.
    • User receives the correct IP address -> user-specific firewall rules are applied.

    Scenario B (NOT OK):

    • User logs in with a mix of lowercase and uppercase (e.g. PetER).
    • Authenticated OK by Active Directory, since usernames are case-insensitive in AD.
    • Client-specific override is NOT applied. I assume this is because the common name/login name comparison is case-sensitive.
    • User receives an incorrect IP address (from the general pool) -> no user-specific firewall rules are applied (which can result in both too much or too little access for Peter…).

    To me it seems that there is a mismatch in when strict case sensitivity is applied or not. Active Directory is case-insensitive for authentication, and it seems that "User-CN Matching" is as well, but the client-specific override is not?

    Perhaps I've missed something obvious or perhaps there are better ways to handle client specific rules, but from what I've read this is how it is usually done.

    Thanks,
    Lars

    pfSense 2.3.2-RELEASE-p1


  • Rebel Alliance Developer Netgate

    Sounds like you need to fix your authentication server to reject improper usernames.

    OpenVPN doesn't have a concept of the names being case insensitive, so the fault here is on the authentication server side.

    You might be able to fudge it by making an override for every client and then using ccd-exclusive in the advanced options, which will reject anyone that logs in if they do not have an override entry that matches their name.
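
The scenario from the first post and the ccd-exclusive suggestion above, as an added example that is not part of the thread and not pfSense's or OpenVPN's own code: a small POSIX shell sandbox that models OpenVPN's client-config-dir lookup (one file named after the client, so "PetER" and "peter" are different entries), shows how ccd-exclusive turns a missed lookup into a rejection, and, as a hypothetical mitigation, a lookup that lowercases the name first. The directory, the override file for peter and the pushed address are constructed for the example; which name pfSense actually uses for the lookup is taken from the poster's description, not verified here.

```shell
#!/bin/sh
# Constructed sandbox modelling the thread's client-specific-override lookup.
# Not pfSense or OpenVPN code; the CCD directory and entries are made up here.

CCD_DIR="$(mktemp -d)"
trap 'rm -rf "$CCD_DIR"' EXIT

# Constructed override: the user "peter" should always be pushed 10.8.1.10.
printf 'ifconfig-push 10.8.1.10 255.255.255.0\n' > "$CCD_DIR/peter"

# ccd_lookup NAME
#   Prints the override line for NAME, or "pool" when no entry matches.
#   Entry names are compared byte-for-byte (like a file name on a
#   case-sensitive filesystem), so "PetER" never finds the "peter" entry.
ccd_lookup() {
    for f in "$CCD_DIR"/*; do
        entry=${f##*/}
        if [ "$entry" = "$1" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "pool"
}

# admit NAME EXCLUSIVE
#   Prints "accept" or "reject". With EXCLUSIVE=1 (the ccd-exclusive fudge
#   suggested above) a client with no matching override entry is refused
#   instead of silently falling back to the general pool.
admit() {
    name=$1
    exclusive=$2
    if [ "$exclusive" = "1" ] && [ "$(ccd_lookup "$name")" = "pool" ]; then
        echo "reject"
    else
        echo "accept"
    fi
}

# normalized_lookup NAME
#   Hypothetical mitigation (an assumption, not something the thread says
#   pfSense does): lowercase the name before the lookup so that the override
#   is found regardless of how the user typed their login name.
normalized_lookup() {
    ccd_lookup "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Scenario A (login "peter") and Scenario B (login "PetER") from the post.
for login in peter PetER; do
    echo "login=$login  override='$(ccd_lookup "$login")'" \
         "ccd-exclusive=off:$(admit "$login" 0)" \
         "ccd-exclusive=on:$(admit "$login" 1)" \
         "normalized='$(normalized_lookup "$login")'"
done
```

Run as-is: Scenario A finds the override with either setting, while Scenario B falls back to the pool unless ccd-exclusive is on, in which case the session is rejected rather than landing on the wrong firewall rules; the normalized lookup finds peter's entry for both spellings.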


  • Rebel Alliance Developer Netgate

    Actually, there is another alternative: If all you are doing is setting a static address you could also do that in the RADIUS server by having it pass back a specific reply attribute (Framed-IP-Address) with the parameters to be used by the client.



  • Thanks for your suggestions. I'll look into both options (I don't use a RADIUS server today, however). An override for every client might not be a huge problem and would be worthwhile if it works.

    I don't think I can fix the authentication server, though. AD is case-insensitive by definition and design, as far as I know, when it comes to user login names.

    "OpenVPN doesn't have a concept of names being case insensitive": But nevertheless, strict "User-CN Matching" does not bother about case, while common name matching in client overrides does, so in that sense it is not consistently handled, it seems.

    Thanks!