OpenVPN is a virtual private network system to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. See https://www.openvpn.net. You can protect access to OpenVPN by integrating OpenVPN with Identity as a Service. Once integrated, users can use single sign-on to log in to their OpenVPN account through Identity as a Service.
Note: This integration was tested using Identity as a Service version 5.33 and a trial OpenVPN version. Other versions of OpenVPN may require integration and configuration steps that differ from those documented in this procedure. In the event of other issues, contact support@entrust.com for assistance.
Before you begin, open two browser windows. In one window, log in to your OpenVPN administrator account. In the other window, log in to your IDaaS administrator account.
Before you begin the integration, you must do the following:
1. Create and configure a Gateway.
2. Make note of the following:
● Gateway IP address
● Gateway shared secret (password)
Configure OpenVPN for Identity as a Service authentication
1. Log in to OpenVPN as an administrator. The Status Overview page appears.
2. Expand User Management and select User Permissions. The User Permissions page appears.
3. Click More Settings and select the IDaaS username for your integration admin account, for example, IDaaSuser. The User Permissions page updates to display the configuration settings.
4. Set the Configure user authentication method to RADIUS.
5. Set the TOTP-based Multi-Factor Authentication to Default.
6. Set IP Addressing to Use Dynamic.
7. Set the Access Control to Use NAT.
8. Set the Allow Access From to all other VPN clients.
9. Set the VPN gateway to No.
10. Set the DMZ settings to No.
11. Click Save Settings.
12. Restart the VPN server, as follows:
a. In the menu pane, expand Status and select Status Overview. The Status Overview page appears.
b. Click Stop VPN services.
c. Click Confirm Stop on the confirmation prompt.
d. Click Start VPN services.
13. In the menu pane, click Authentication > RADIUS. The RADIUS page appears.
14. Copy the IP address in the Hostname or IP Address field into a text editor. You need this value for Step 3: Add OpenVPN to Identity as a Service.
15. In the Shared Secret field, enter the Gateway shared secret that you noted before you began. This value must match the shared secret configured in IDaaS.
16. Make note of the Authentication Port and Accounting Port. You need these in Step 3: Add OpenVPN to Identity as a Service.
17. Scroll to RADIUS Authentication Method and set PAP to Yes.
18. Click Save Settings.
19. Restart the VPN server, as follows:
a. In the menu pane, expand Status and select Status Overview. The Status Overview page appears.
b. Click Stop VPN services.
c. Click Confirm Stop on the confirmation prompt.
d. Click Start VPN services.
Integrate OpenVPN with Identity as a Service
1. Log in to Identity as a Service.
2. Click the menu icon > Security > Applications. The Applications page appears.
3. Click Add. The Select an Application Template page appears.
4. Under RADIUS and VPN Integrations, click OpenVPN.
5. In the Application Name field, enter a name for your RADIUS client.
6. Enter a Description for your application.
7. Optional. Add an application logo:
a. Click the icon next to Application Logo. The Upload Logo dialog box appears.
b. Click the upload icon to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
d. If required, resize your image.
e. Click OK.
8. Click Next. The General page appears.
9. In the Hosts field, click Add to add the host IP address that you copied in Step 2: Configure OpenVPN for Identity as a Service authentication. The RADIUS agent receives the request on this host.
Note: If you enter multiple host names, separate each one with a comma but do not leave any spaces between them. Multiple host names indicate that the RADIUS application is running multiple replicas on multiple hosts.
10. In the Port field, enter the port on which the RADIUS agent accepts messages: 1812.
Attention: The RADIUS agent uses the host name that sent a request and the port number that it received the request on to determine which RADIUS application made the request. Because of that:
– Two RADIUS applications with the same port value cannot share any host names.
– Two RADIUS applications that have one or more matching host names must have different port values.
11. In the Shared Secret field, enter the shared secret that you copied in Step 2: Configure OpenVPN for Identity as a Service authentication.
12. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which OpenVPN will be assigned.
13. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select TUNNEL-CLIENT-ENDPOINT (66).
14. Set the Challenge Response Queue Max Time to 180. This is the number of seconds that the RADIUS agent waits for a response to first-factor authentication.
15. In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.
16. In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.
17. From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.
18. Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.
19. Optional. Enable the Authentication Settings:
a. Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.
The following is a list of supported strings matched to the authentication types:
– Grid: grid
– Knowledge-based Authentication: kba
– One-time password: email, sms, voice
– Smart Credential Push: scpush
– Temporary Access Code: tac
– Token: token
– Token push: push
b. Select Indicate if requests must include the message-authenticator attribute to require that outgoing messages include the Message-Authenticator attribute.
20. Leave all other settings at the default values.
21. Click Submit.
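Two settings above matter on the wire: step 17 of the OpenVPN procedure (PAP set to Yes) means the user's password travels in the User-Password attribute, hidden only by the RFC 2865 MD5 stream derived from the shared secret, and step 19b adds the Message-Authenticator attribute (RFC 2869), an HMAC-MD5 over the packet keyed with the same secret. The following example, added here and not part of Entrust's or OpenVPN's code, builds a minimal Access-Request with both attributes and shows how a gateway checks the Message-Authenticator; the user name, password and secret are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MSG_AUTH = 1, 1, 2, 80

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # inverse of pap_encrypt: only a holder of the shared secret recovers the password
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v

def find_attr(pkt: bytes, t: int):
    # returns (offset, value) of the first attribute of type t, or None; stops on a bad length
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:
        typ, ln = pkt[pos], pkt[pos + 1]
        if typ == t:
            return pos, pkt[pos + 2:pos + ln]
        pos += ln
    return None

def build_access_request(user: str, password: str, secret: bytes, authenticator: bytes = b"") -> bytes:
    ra = authenticator or os.urandom(16)  # Request Authenticator, fresh per request
    attrs = attr(ATTR_USER_NAME, user.encode("utf-8"))
    attrs += attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode("utf-8"), secret, ra))
    attrs += attr(ATTR_MSG_AUTH, b"\x00" * 16)  # zero placeholder, HMAC filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + ra + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # RFC 2869 5.14

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    # recompute HMAC-MD5 over the packet with Message-Authenticator zeroed, compare in constant time
    found = find_attr(pkt, ATTR_MSG_AUTH)
    if found is None or len(found[1]) != 16:
        return False
    off, mac = found
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)
```

Because both the password hiding and the Message-Authenticator depend on the shared secret, a secret that differs between the OpenVPN RADIUS page and the IDaaS application makes every request fail verification, and a modified packet (for example a changed user name) is rejected even when the secret matches.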
● Resource rules for RADIUS applications only include the Date / Time, Geolocation and Source IP Address condition restriction.
● The Authentication Decision steps that you can select for a RADIUS application resource rule depend on whether the RADIUS application uses EAP RADIUS authentication.
● If the settings of a RADIUS application on Identity as a Service are modified so that the application uses EAP RADIUS authentication, or the type of EAP protocol used is changed, the resource rule associated with the RADIUS application is automatically updated.
● RADIUS applications with no EAP support the following second-factor authenticators: knowledge-based authentication, temporary access code, one-time password, grid, hardware/software token, token push, and smart credential push.
● RADIUS applications with RADIUS MSCHAPv2 support only temporary access code and hardware/software token second-factor authenticators.
● When creating a resource rule for a RADIUS application, you can select EXTERNAL+no second-factor.
● RADIUS applications with RADIUS GTC support the following second-factor authenticators: software/hardware token, one-time password, grid, temporary access code, and knowledge-based authentication.
Create a resource rule to protect access to a RADIUS application
1. Log in to your Identity as a Service administrator account.
2. Click the menu icon > Security > Resource Rules. The Resource Rules List page appears.
3. Click + next to the application you want to protect with a resource rule. The Add Resource Rules page appears.
4. Enter a Rule Name and Rule Description for the resource rule.
5. In the Groups list, select the group or groups of users restricted by the resource rule.
These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule applies to all groups.
Attention: You must maintain the default of all groups if you want to allow external authentication and bypass second-factor authentication for users who do not already exist in Identity as a Service. External Authentication without second-factor is only available to low risk users of RADIUS applications that support External Authentication.
6. Click Next. The Authentication Conditions Settings page appears.
7. If you do not Enable Advanced Risk Factors, do the following:
a. Select the Authentication Flow from the drop-down list. The Authentication Flow flowchart updates based on the selection.
b. Click Submit to save the Resource Rule.
8. If you want to Enable Advanced Risk Factors, complete the remaining steps in this procedure.
9. Select Enable Advanced Risk Factors to add additional risk factors to the resource rule.
10. Select Enable Strict Access for Application to set the resource rule to deny access regardless of the outcome from other resource rules. If this option is disabled for any resource rule that denies access, the user is allowed access if at least one resource rule allows access.
11. For each Advanced Risk Factor, click the Deny option to deny access to the application if the risk factor fails regardless of the results of the other risk factors.
12. Click Date/Time to set the conditions as follows:
a. Select one of the following:
– Allow Date/Time to set when a user can access the application.
– Deny Date/Time to set when the user cannot access the application.
The Date/Time Context Condition Settings appear.
b. Select the Condition Type:
– Specific Date Range Condition—Allows or denies access to the application during a select period of days.
– Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application on a specific time of day, day of the week, or both. Recurring times selected only apply to days not denied.
– Clear Selection—Clears existing Date and Time conditions.
c. Set the Condition Type settings, as follows:
i) Select Use local time zone to use the local time zone, or deselect Use local time zone, begin typing the time zone in the Begin Typing Timezone name field, and select the time zone from the drop-down list.
ii) If you selected Specific Date Range Condition, click Start Date to select a start date from the pop-up calendar. Optionally, select the End Date.
iii) If you selected Time-of-Day and/or Day-of-Week, click Start Time and select the start time from the pop-up clock. Optionally set the End Time. You must also select the days of the week for the condition.
d. Click Save to return to the Authentication Conditions Settings page.
13. Click Geolocation to set the Location Condition Settings, as follows:
a. Select Allow or Deny to create an allowed or denied country list.
b. From the Selected Countries drop-down list, select the countries to allow or deny access to the application. Repeat until you have added all the desired countries to the list.
c. Select Allow Anonymous IP Address to increase the risk of users authenticating from an anonymous IP address.
d. Click Save to return to the Authentication Conditions Settings page.
14. Click Source IP Address. The IP Address Risk Setting dialog box appears. Do one of the following:
a. Select Custom and add the required IP Allowed Addresses and IP Denied Addresses.
b. Select IP List Address and select the IP List to allow or deny.
c. Select None to not restrict any IP addresses.
d. Click OK to return to the Authentication Conditions Settings.
15. Define the Location History / Known Locations and Travel Velocity conditions.
The Risk-Based Authentication (RBA) settings of your Identity as a Service account define the location history and travel velocity conditions. See Manage risk-based authentication settings for more information.
16. Set the risk score for application conditions to set the risk percentage a user receives if they fail to meet the condition, as follows:
● Click the dot next to the condition setting and slide the risk scale to the risk percentage.
-or-
● Click the 0% value, enter the risk points, and then click OK.
The default setting is 0%. The Risk percentage determines the authentication requirements as set by the Authentication Decision. When a user attempts to authenticate to an application, the final risk percentage is the sum of all failed conditions.
17. Set the Authentication Decision risk level for Medium Risk and High Risk as follows:
a. Click the risk threshold percentage to the right of Medium Risk or High Risk. The Risk Threshold dialog box appears.
b. Enter the risk percentage.
c. Click OK.
18. Select the Authentication Flows for Low Risk, Medium Risk, and High Risk from the drop-down lists. The Authentication Flows flowchart updates based on your selections.
19. Click Submit to create the resource rule.
1. Open a Web browser and enter the URL for your OpenVPN client UI.
2. Log in with your username and password and then click Sign-in.
3. You are prompted to select your second-factor authentication method.
4. In the blank field, type your second-factor authentication method. For example, type grid.
5. Click Continue.
6. Enter the second-factor challenge response, for example, the grid coordinates.
7. Click Continue. The OpenVPN Access Server page appears.
8. Click the icon. The openvpn-connect.3.4.0.3121_signed.msi file downloads.
9. Install the file.
10. Navigate to your desktop and open the OpenVPN Connector. The Profiles page appears.
11. Toggle to Connect.
12. Enter the required credentials.
13. Respond to the second-factor authentication challenge.
14. Click Send. You are connected to OpenVPN.