Skip to main content

OpenVPN and Okta LDAP with MFA: Troubleshooting and Hints

If you follow the official documentation to integrate OpenVPN Access Server via Okta LDAP you may run into one or two roadbumps if you turn on MFA.
Official doc from OpenVPN: https://openvpn.net/vpn-server-resources/integrate-okta-with-openvpn-access-server-via-ldap/

Please note: Configuring OpenVPN with Okta RADIUS is in my opinion the better option as it gives the end user a way better UX in regards dealing with MFA. Just watch the following 1-minute video:

 

If you want to use LDAP nevertheless, read on:

Exclude the bind user from MFA policies

Error message:

LdapErrorCode=invalid credentials
failure: MFA verification required. Please go to https://<org>.okta.com and enroll in MFA. Then use your second factor to generate an OTP code. Then try again by entering your password followed by "," and then the OTP code, example: myPassword,123123 : (Refer to Okta error Code E0000113)

 

Resolution: If you are prompting all users for MFA through the Global Session Policy – exclude the bind user from that policy. Go to Security -> Global Session Policy -> Default Policy and create a new rule to prompt for MFA (the default policy should not require MFA in this case). In the new policy exclude the bind user as shown in the screenshot.

 

 

extend LDAP server timeout

As the default timeout is 4 seconds only, this is quite short to react to MFA prompts – if you use push. You can extend the timeout via the command line:

cd /usr/local/openvpn_as/scripts
./sacli --key "auth.ldap.0.timeout" --value 20 ConfigPut
./sacli start

more information can be found here: https://openvpn.net/vpn-server-resources/authentication-options-and-command-line-configuration/

 

 

Documentation on how you use MFA with Okta LDAP can be found here: https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-MFA.htm

TL;DR: Append the OTP code with a comma to the password e. g. password,123456 or append ,push if you want to use Okta Verify Push. Push is used as a fallback if you just enter the password and the user is enrolled in push.

 

I hope that helps!

Leave a Reply

Your email address will not be published.