Autologin profile and radius server

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
xeonz
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 17, 2022 1:06 pm

Autologin profile and radius server

Post by xeonz » Mon Jan 17, 2022 1:21 pm

We have openvpn access server 2.10.1 installed. We use radius auth with post_auth script as described there - https://openvpn.net/vpn-server-resource ... post_auth/
Everything works great expect we have a problem with import autologon profile for new radius users (who connects and imports a profile for the first time) using the option "Import autologin profile" (we use openvpn client v3.1.3):
Image
So if a new user tries to import autologin profile and he/she has never used this openvpn server before he/she gets this error:
"Failed to import profile. User lacks autologin privilege".
Image
If the same user tries to import the profile one more time - no problem, the profile get imported without error.

I am trying to understand what is wrong and how I can fix this issue.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 660
Joined: Tue Feb 16, 2021 10:41 am

Re: Autologin profile and radius server

Post by openvpn_inc » Mon Jan 17, 2022 1:34 pm

Hello xeonz,

OpenVPN Connect v3.1.3 is a bit outdated, I suggest you upgrade.

If you have integration with RADIUS fully setup and working and the correct bits are set to enable autologin, this autologin property should automatically be picked up and set on the user that's added to Access Server. If it does not I suggest you recheck your configuration.

You may also consider this option;

If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system, consider adding the autologin privilege as the default setting for the __DEFAULT__ meta user. By default users do not have the autologin privilege. But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.

Example of this setting:
cd /usr/local/openvpn_as/scripts/
./sacli --user "__DEFAULT__" --key "prop_autologin" --value "true" UserPropPut
./sacli start

See also this page:
https://openvpn.net/vpn-server-resource ... mand-line/

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

xeonz
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 17, 2022 1:06 pm

Re: Autologin profile and radius server

Post by xeonz » Mon Jan 17, 2022 4:17 pm

Thank you for the answer.
If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system,
yes, exactly. This is a completly new user. We create users in our external authentication system (freeradius server). Then users work with our openvpn servers. No users are created in openvpn servers in any manual way.
But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.
Unfortunately we need to enable autologin only for a particular group of users, not for all.

Is it possible in this case?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 660
Joined: Tue Feb 16, 2021 10:41 am

Re: Autologin profile and radius server

Post by openvpn_inc » Wed Jan 19, 2022 4:43 pm

xeonz wrote:
Mon Jan 17, 2022 4:17 pm
Unfortunately we need to enable autologin only for a particular group of users, not for all.

Is it possible in this case?
Sure. The __DEFAULT__ group is for all users' default settings. Simply set prop_autologin for the group you want to be able to autologin instead. Note that the sacli script does not distinguish between groups and users, so setting group properties does use --user and UserPropPut. (I'm only mentioning that because it seemed odd to me, and confused me at first.)

If you get stuck post again here, or feel free to open a support ticket at the link in my signature.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply