I'm looking for a way to establish secure connections from remote users to a closed internal LAN. I can already connect the remote machine to a Samba domain controller through an OpenVPN 2.x client before login by using a scheduled task, so remote connection to the domain is solved.
What I would need now is to know if there is a way to have the domain controller tell a firewall that this or that machine belongs to the domain, and have the firewall use this information to decide whether the host can access a different internal network. For example, I would have the OpenVPN server (10.0.0.2) give each user a reserved IP in the 10.0.0.x range, so that they can see the domain controller (10.0.0.3). Then the domain controller tells the firewall (10.0.0.1, gateway) whether the machines connected using those IPs are joined to the domain and are therefore safe to let into an internal network through another interface the firewall is connected to, for example 10.0.1.x. Until that condition is fulfilled, the users would only have access to the 10.0.0.x "lobby".
The idea is to prevent the remote user from simply using the VPN credentials and certificate on any machine (potentially unsafe machines that are running god knows what) to access the secure internal network. I already know about the LDAP authentication for OpenVPN, but as far as I know that only asks the domain controller whether x credentials are OK, and doesn't check if the machine is actually on the domain.
Does this exist? Is it even possible? Is it even necessary, or am I looking at this the wrong way and there's a much easier alternative?
Thanks in advance.
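The firewall half of the design sketched in the question, as an added example that is not from the poster: an nftables ruleset for the 10.0.0.1 gateway that forwards VPN addresses into 10.0.1.0/24 only when they appear in a named set. It assumes `eth0` faces the 10.0.0.0/24 lobby and `eth1` the internal network, that OpenVPN pins each client's address (`ifconfig-push` in a `client-config-dir` file), and that some separate, here unspecified, check of domain membership is what adds and refreshes entries in the set; the ruleset only consumes that decision.

```nft
# Added example for the gateway at 10.0.0.1; not code from the original post.
# Assumptions: eth0 = 10.0.0.0/24 lobby side (VPN clients arrive here via the
# OpenVPN server at 10.0.0.2), eth1 = 10.0.1.0/24 internal side. Traffic that
# stays inside 10.0.0.0/24 (client -> domain controller 10.0.0.3) never crosses
# this gateway, so the "lobby" needs no rule here.
table inet vpn_gate {
    # Reserved VPN addresses currently believed to be domain-joined machines.
    # Entries expire on their own, so a host that stops being checked falls
    # back to lobby-only access instead of staying inside indefinitely; the
    # (assumed, external) membership check must re-add them to keep access.
    set domain_joined {
        type ipv4_addr
        flags timeout
        timeout 10m
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the internal side already accepted.
        ct state established,related accept

        # Only addresses in the set may enter the internal network, and only
        # from the lobby interface, so the decision keys on (interface, source).
        iifname "eth0" oifname "eth1" ip saddr @domain_joined \
            ip daddr 10.0.1.0/24 accept

        # Everything else from the lobby is logged (rate limited) and falls
        # through to the chain's drop policy; this is where a VPN client on an
        # unchecked machine shows up.
        iifname "eth0" limit rate 5/minute log prefix "vpn_gate drop: "
    }
}
```

Granting a host is a single command the membership check can run, e.g. `nft add element inet vpn_gate domain_joined { 10.0.0.50 timeout 10m }` (10.0.0.50 is a constructed sample address). Because the set keys on source IP, the control is only as strong as the reserved-address assignment in OpenVPN and the check that fills the set.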