Hi,

On Tue, Jul 23, 2019 at 9:50 AM Stefan Szabo via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>
> hi,
>
> is there any possibility to restrict users connecting to openvpn server,
> permit only those who use devices provided by company? and how can this be
> accomplished?
> after check the cert and also LDAP group to perform another check (post-auth)
> and use something like mac address or anything else to identify the device
> used if it's provided by company or not.
>
> I've found something here, but I'm afraid this is only available with
> license subscription only:
> https://openvpn.net/vpn-server-resources/access-server-post-auth-script-host-checking/
You can use --push-peer-info in the client config to make the client send the MAC address of its default gateway interface to the server (see --push-peer-info in the man page). But, as JJK said, MAC can be cloned/faked, so not very reliable.

For Windows clients, upload the client certificate and key (as non-exportable) to the Windows certificate store and use the --cryptoapicert option. That would be a more reliable way of ensuring connections come from devices that you set up.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
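
The --push-peer-info check described in the reply above, sketched as a server-side client-connect hook. This is an added example, not part of the original thread and not OpenVPN project code. The script path, the allowlist path and the allowlist format are assumptions.

```shell
#!/bin/sh
# Added example: server-side check of the MAC a client sends with
# --push-peer-info (IV_HWADDR). A MAC can be cloned, so this is a coarse
# filter on top of certificate authentication, not proof of the device.
#
# Client config: push-peer-info
# Server config: script-security 2
#                client-connect /etc/openvpn/check-device.sh  (hypothetical path)

# Hypothetical allowlist: one MAC per line, '#' starts a comment.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/company-macs.txt}"

# Print the MAC in lowercase colon-separated form; fail if it is malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$mac" | grep -Eqx '([0-9a-f]{2}:){5}[0-9a-f]{2}' || return 1
    printf '%s\n' "$mac"
}

# Succeed only if MAC $1 is listed in allowlist file $2.
# An empty or malformed MAC, or an unreadable allowlist, is a denial.
device_allowed() {
    want=$(normalize_mac "$1") || return 1
    [ -r "$2" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}    # drop trailing comment
        entry=$(normalize_mac "$(printf '%s' "$line" | tr -d ' \t\r')") || continue
        if [ "$entry" = "$want" ]; then return 0; fi
    done < "$2"
    return 1
}

# OpenVPN sets script_type when it runs the hook; a non-zero exit refuses the client.
if [ "${script_type:-}" = "client-connect" ]; then
    device_allowed "${IV_HWADDR:-}" "$ALLOWLIST" || {
        echo "device check failed for ${common_name:-unknown}" >&2
        exit 1
    }
fi
```

A client that omits push-peer-info sends no IV_HWADDR and is refused by this hook, so roll the client option out before enabling it on the server.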