SSL/TLS + User Auth = no client export packages
-
Quick question:
When I change server mode to SSL/TLS + User Auth, the client export package disappears. If I change it back to just User Auth, the export package is available. Is that by design? When I run the wizard, I don't have a server mode option.
I should add that I have tried deleting the ca, openvpn and firewall rules and I've tried to reinstall the client export packages.
Thanks,
Joschi -
It's there on mine. I would back up your config and reinstall PfSense. I'm using 2.2.3 64bit. But I was using 2.2.4 64bit and had no issue, I had to downgrade due to the fact that my clients wouldn't pick up dhcp assigned addresses until I restarted my box.
-
Hmm, I'm on the latest release. Did the wizard have the server mode option for you?
-
I don't have any issues with this.. running 2.2.4
You sure your picking the correct instance in the client export drop down for the one you set to tls+user auth?
-
I don't have any issues with this.. running 2.2.4
You sure your picking the correct instance in the client export drop down for the one you set to tls+user auth?
Yes I only have one created. Could certain options cause this to happen?
-
do you actually have a user created.. I just switched mine from tls auth to tls+user and see packages just fine to export. Exported the package and all the stuff is in there.
-
I'm using an LDAP server on my LAN to authenticate user. Do I still need to create a user in pfSense?
-
I'm using an LDAP server on my LAN to authenticate user. Do I still need to create a user in pfSense?
I'd like to add authentication functions correctly from diagnostics and from client.
-
well if you don't have a user, not sure how the export package could give you anything to download. Might a bit of an issue when trying to use an authserver?? I would have to test that..
-
well if you don't have a user, not sure how the export package could give you anything to download. Might a bit of an issue when trying to use an authserver?? I would have to test that..
A package is available and works correctly if I only use User Auth. It disappears when I change server mode to ssl/tls + user auth…
-
Ok I just setup an external auth server radius and one for ldap and then change one of my openvpn instances from tls to tls+user auth And sure looks like packages are there to download picking either the radius or the ldap server in the openvpn setup.
And also there if I use local database for the vpn instance.
-
If you use SSL/TLS + User Auth with an external auth server, you need to manually make user certs under System > Cert Manager.
It will offer the certs under the same CA there for download, ideally make one cert per user with the cn the same as their username.
-
If you use SSL/TLS + User Auth with an external auth server, you need to manually make user certs under System > Cert Manager.
It will offer the certs under the same CA there for download, ideally make one cert per user with the cn the same as their username.
Ah okay. That worked. Thanks. So the cert used for SSL/TLS + User Auth is tied to a user and that user cert has to be added in pfSense. Is this common practice when using external auth server? Or do most forgo the cert to avoid having to create a user Cert in pfSense for each user with openVPN access (could be hundreds)?
Thank you for your time,
Joschi -
What other cert would it use?? You could use a common cert that you give to ALL users.. That seems like what your after.. But not a very good idea.
-
So the cert used for SSL/TLS + User Auth is tied to a user and that user cert has to be added in pfSense.
Usually, yes. Though the specifics are up to the site policies/procedures.
Is this common practice when using external auth server? Or do most forgo the cert to avoid having to create a user Cert in pfSense for each user with openVPN access (could be hundreds)?
It depends on the site/admin. Some prefer to only have user auth with an external LDAP/RADIUS server and forego using certs at all.
Using one cert for everyone is a very bad practice, I don't know of anyone serious doing that in production.
Those who are very strict about security generate their own certs on a central CA structure not handled on the firewall and wouldn't use the export package – but that's your classic security vs convenience tradeoff.
The best balance for external auth is to make the individual user certs, make the cert CN match the username, and also check the option on the server for strict CN matching (that way user A can't use user B's certificate to login using their own credentials, or vice versa).
-
So the cert used for SSL/TLS + User Auth is tied to a user and that user cert has to be added in pfSense.
Usually, yes. Though the specifics are up to the site policies/procedures.
Is this common practice when using external auth server? Or do most forgo the cert to avoid having to create a user Cert in pfSense for each user with openVPN access (could be hundreds)?
It depends on the site/admin. Some prefer to only have user auth with an external LDAP/RADIUS server and forego using certs at all.
Using one cert for everyone is a very bad practice, I don't know of anyone serious doing that in production.
Those who are very strict about security generate their own certs on a central CA structure not handled on the firewall and wouldn't use the export package – but that's your classic security vs convenience tradeoff.
The best balance for external auth is to make the individual user certs, make the cert CN match the username, and also check the option on the server for strict CN matching (that way user A can't use user B's certificate to login using their own credentials, or vice versa).
Thank you for your time and expertise. I do appreciate the explanation. 8)
-
What would be great would be for OpenVPN to grab the users public key out of the LDAP directory so it wouldn't need a user in pfSense at all.
But you'd need another system (could be offline) that had the users public and private keys in order to use client export.
-
What would be great would be for OpenVPN to grab the users public key out of the LDAP directory so it wouldn't need a user in pfSense at all.
But you'd need another system (could be offline) that had the users public and private keys in order to use client export.
That would be nice!
-
Unfortunately LDAP schemas vary widely so it would be tough to pull something like that off. Not sure I like the idea of fetching a client's private keys via LDAP either, but as long as LDAP is using SSL itself it may not be too bad. The problem then becomes finding a way to query the LDAP server in such a way that it can get a list of all users with certs/keys available. Gets ugly fast…
