
SSL VPN without client cert - username / password auth only?

Hello,

I would like to authenticate SSL VPN users only via their username and password.

If possible it would be nice to have a shared client cert for all of our users.

Since the VPN config will be deployed to shared devices this is necessary.


Thanks

Philipp



  • Hi Philipp,

    OpenVPN (the underlying technology) can do SSL VPN connections without using a certificate, but this is classed as insecure by the OpenVPN project itself. The Web Console for UTM 9 does not give you the ability to do a non-cert authentication for the connection, but there may be other ways to do this which would void the support of the UTM. Additionally, if you were to make this work by changing the backend yourself, every new update will potentially undo all of the changes you've made.

    The certificates are bound to each user identity in the way the UTM is configured right now and, again, OpenVPN can do one cert for all clients, but the UTM's console will not allow you to set this.

    That is my understanding however, there may be other ways round that another user here may have found :)

    Emile

  • Hello Emile,

    this feature should be added.

    Thanks

    Philipp

  • Philipp,

    I trust what Emile wrote. Also let me add something:

    SSL VPN is a secure connection where the user authenticates to the server by providing their own certificate. If the certificate is global, security will be reduced. The certificate and user/password combination provides two-way authentication, while with a global certificate you will not achieve the same level of security. If one user is compromised, the global certificate is compromised, so all users using the shared certificate have to download the certificate again. More users, more chance to get compromised!

    Use IPSec instead with username/password and pre-shared key. Also your remote users will not need to install any client because IPSec is already built-in inside many devices (mobile too).
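For readers who want to see what Emile's and Luk's points look like in a plain OpenVPN server configuration, here is an added example. It is not from this thread and not the config that UTM 9 generates; it is a stock OpenVPN 2.4+ server.conf showing the password-only / shared-certificate variant Philipp asked about next to the per-user-certificate variant the UTM enforces. File paths, the PAM plugin location and the "vpnusers" PAM service name are assumptions.

```conf
# Added example, not from the thread and not Sophos UTM's generated config.
# Common part: server identity and network, shared by both variants below.
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt          # assumed paths
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0    # HMAC on the control channel; drops unauthenticated packets early
server 10.8.0.0 255.255.255.0
# Username/password checked against PAM with the plugin that ships with OpenVPN.
# Plugin path and the "vpnusers" PAM service name are assumptions.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so vpnusers

### Variant A: username/password only, or one client cert shared by everyone (weaker)
# Stop demanding a client certificate at all (OpenVPN 2.3 and older spell
# this "client-cert-not-required"). The TLS handshake then only proves the
# server's identity; the user is identified solely by the password check above.
verify-client-cert none
# Use the PAM username as the session identity, since there is no per-user CN.
username-as-common-name
# Required once every client presents the same CN (shared cert) or none:
# without it, a second login with the same name kicks the first session off.
duplicate-cn

### Variant B: per-user certificate AND username/password (what UTM 9 does)
# Comment out the three Variant A lines above and enable these instead.
# Each user gets their own cert signed by ca.crt; the password is checked too,
# so a stolen config file alone (Luk's point) is not enough to connect.
#verify-client-cert require
# Revoke one lost device or one leaver by adding that single cert to the CRL;
# with a shared cert (Variant A) you would have to re-issue it to everybody.
#crl-verify /etc/openvpn/crl.pem
```

The difference that matters operationally is the last two lines: with per-user certificates a compromise is contained by revoking one certificate, whereas a shared certificate has to be replaced on every device the moment one copy leaks.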

  • Hi Philipp,

    You can request it as a new feature here: http://ideas.sophos.com/forums/330219-sophos-xg-firewall

    Additionally Luk's suggestion would be your next best bet as L2TP/IPSEC is quite prevalent.

    Emile