On 23/07/19 15:31, Stefan Szabo via Openvpn-users wrote:
> Hi,
> Is there any possibility to restrict users connecting to the OpenVPN
> server, to permit only those who use devices provided by the company? And how
> can this be accomplished?
> After checking the cert and also the LDAP group, to perform another
> check (post-auth) and use something like the MAC address or anything else
> to identify whether the device used is provided by the company or not.
> I've found something here, but I'm afraid this is only available
> with a license subscription:
> https://openvpn.net/vpn-server-resources/access-server-post-auth-script-host-checking/

Short answer is: No.
The client-side MAC address is not sent to the server for tun-style
connections.
On top of that, it is ALWAYS possible to fake the MAC address.
The best way to ensure that only devices that you allow are able to
connect is to use some form of 2FA (hardware token, YubiKey, etc.).
HTH,
JJK