Hi--
If this feature already exists, I would appreciate it if you pointed me to a how-to. As far as I can tell, it does not exist yet.
Currently, I am successfully testing OpenVPN in this topology:
on-premises Ubuntu LINUX server running Ubuntu 22-packaged OpenVPN Community 2.5.11 server and patched OpenVPN-Community RADIUS plugin
on-premises Microsoft Windows Active Directory domain controller running Microsoft NPS server as the RADIUS server and NPS Extension to connect to Microsoft Entra ID MFA in the cloud
in-cloud Microsoft Entra ID MFA
Microsoft Authenticator app on end user smartphones
Windows 10/11 PCs running OpenVPN Community 2.6.12 as clients on end user laptops
This whole setup works with Microsoft Authenticator in Approve/Deny mode. But, to get it to work, I had to turn off the new "number matching" mode per this Microsoft knowledgebase article:
Are there any plans to someday add the two-digit number-matching capability to OpenVPN GUI in client mode? Typically, number matching is done through the web browser after being required to log in to login.microsoftonline.com or equivalent. But as I understand it, eventually, VPN clients would natively show the two-digit number to the end user, who would then pick out the two-digit number from their Microsoft Authenticator on their phone. The intention is to prevent the end user from accidentally pressing, or being tricked into pressing, Approve for an MFA request generated by a hacker whose screen they cannot possibly see. Put simply, the two-digit number matching is better at resisting social engineering hacks and is more convenient for end users--I think it will take off in popularity and become commonplace soon.
As I understand it, this capability would require major changes to OpenVPN since the two-digit code would have to be pushed to the client to be shown in the GUI or a web browser opened to go to Microsoft's two-digit number-matching web page. But maybe it's easier than I thought and possible to do now with clever scripting.
Thanks in advance for any help!
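On the "pushed to the client" point: OpenVPN already has a dynamic challenge/response mechanism (the CRV1 reason string in AUTH_FAILED, which OpenVPN GUI renders as a prompt), so the encoding below is an added illustration of that hop, not code from the post, from OpenVPN or from Microsoft. It assumes a script-based auth hook (auth-user-pass-verify writing to the auth_failed_reason_file path, OpenVPN 2.5+) rather than the RADIUS plugin in the topology above, and it assumes the two-digit number is supplied from elsewhere; how NPS or Entra ID would hand that number to the script is not covered here.

```python
import base64
import hmac
import secrets

# R = a response is required; append ",E" to have the GUI echo the typed reply.
FLAGS = "R"


def new_state_id() -> str:
    """Opaque, unguessable per-attempt token the client must echo back."""
    return secrets.token_hex(16)


def build_challenge(username: str, state_id: str, number: str) -> str:
    """Build the reason text an auth script writes to auth_failed_reason_file.
    OpenVPN sends it as AUTH_FAILED,<reason>; a CRV1 reason makes the GUI
    display the challenge text and prompt the user for a response."""
    user_b64 = base64.b64encode(username.encode()).decode()
    text = f"Select {number} in Microsoft Authenticator, then type {number} here"
    return f"CRV1:{FLAGS}:{state_id}:{user_b64}:{text}"


def parse_response(password_field: str):
    """The client answers in the password field as CRV1::<state_id>::<response>.
    Returns (state_id, response) or None for an ordinary password."""
    parts = password_field.split("::")
    if len(parts) != 3 or parts[0] != "CRV1":
        return None
    return parts[1], parts[2]


def verify(password_field: str, pending: dict) -> bool:
    """pending maps state_id -> expected two-digit number (constructed here;
    a real deployment would keep it in server-side state with an expiry).
    Each state_id is consumed on first use so a reply cannot be replayed."""
    parsed = parse_response(password_field)
    if parsed is None:
        return False
    state_id, response = parsed
    expected = pending.pop(state_id, None)
    if expected is None:
        return False
    # Constant-time compare; the number is short, so do not leak timing.
    return hmac.compare_digest(response.strip(), expected)
```

The second auth round trip (the client reconnecting with the CRV1 password) is what the server-side hook sees; the user still has to select the same number in the Authenticator app, which is the step this mechanism ties to a screen the user can see.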