Group permissions and Denying access

nmarchini
OpenVpn Newbie
Posts: 4
Joined: Mon Jun 18, 2018 3:29 pm

Post by nmarchini » Thu Jun 28, 2018 11:24 am

We have OpenVPN AS set up to use RADIUS (talking to Okta) for authentication. The setup works with groups in OpenVPN AS, as we have set up a post_auth script that reads the RADIUS response and finds the user's group assignment.

We would like to deny access to any users that try to connect that don't have a group that OpenVPN recognises, or if the group field in the RADIUS response is blank. I have created a group called No-Group and set the deny access checkbox. I have then set "Default Group Permissions to use for any user not in any Group" to the group called No-Group.

When I connect with a user that is not in a group it denies access, which is expected.
When I connect with a user that IS in a group, OpenVPN AS also denies access.

It seems that OpenVPN AS is putting the connecting user in No-Group before the post_auth script has run to determine if that user has a group being returned by the RADIUS server.

If I remove the Deny Access checkbox for No-Group, then a user in a valid group can log on with no issues AND a user with no valid group can log in as well.

(I was not able to post the code here as the forum kept giving me an error about the code containing contacts.)

Log for a user in a valid group with Deny-Access NOT checked: https://gist.github.com/nmarchini/f120a ... tfile1-txt

Log for a user in a valid group with Deny-Access checked: https://gist.github.com/nmarchini/b8e04 ... tfile1-txt

As I said above, it seems that a connecting user is automatically put into No-Group before the post_auth script runs, and this causes everyone to be denied access.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Group permissions and Denying access

Post by novaflash » Thu Jun 28, 2018 1:22 pm

I would consider it a good possibility that you have set your Access Server's User Permissions table at the bottom to deny access by default, if a user is not present in the user permissions table. And that your script is not putting the users in the groups correctly. Check for spelling and case of group names, and consider adding some 'print' debug lines to your script so you can more accurately track if the script actually does its job.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
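The following is an added example, not code from either poster or from OpenVPN Inc. It shows the two things this thread turns on: a post_auth-style script that reads the group name out of the RADIUS reply, matches it against the server's configured groups without tripping over case or whitespace, and issues the deny itself when the attribute is missing, blank or unknown, rather than relying on a "deny" default group; and the kind of debug print novaflash suggests, so you can see exactly what the script saw. The hook signature, the `info["radius_reply"]` key, the `Filter-Id` attribute, the `SUCCEED`/`FAIL` placeholders and the group names are all assumptions for the example; check them against the sample post_auth script shipped with your Access Server version.

```python
"""Group resolution and deny logic for a RADIUS-fed post_auth-style script.

Added example for illustration; not the original poster's script and not an
OpenVPN Inc. sample. Names marked 'assumed' must be checked against the
Access Server version you run.
"""
import sys

# Constructed for the example: the groups that exist in the Access Server group list.
KNOWN_GROUPS = ("Engineering", "Sales", "Ops")
# Assumed: the RADIUS reply attribute the IdP (Okta, via RADIUS) puts the group name in.
GROUP_ATTRIBUTE = "Filter-Id"


def first_nonblank(values):
    """Return the first non-blank string in a RADIUS attribute value list, or None.

    RADIUS attributes can repeat and may arrive as bytes or str, so normalise to
    str and skip blank or whitespace-only values (the 'group field is blank' case).
    """
    if values is None:
        return None
    if isinstance(values, (str, bytes)):
        values = [values]
    for v in values:
        if isinstance(v, bytes):
            v = v.decode("utf-8", "replace")
        v = str(v).strip()
        if v:
            return v
    return None


def resolve_group(raw_group, known_groups=KNOWN_GROUPS):
    """Map a reply value onto a configured group name, ignoring case and
    surrounding whitespace. Returns None if it matches no configured group."""
    if raw_group is None:
        return None
    lookup = {g.lower(): g for g in known_groups}
    return lookup.get(raw_group.lower())


def decide(radius_reply, known_groups=KNOWN_GROUPS, attribute=GROUP_ATTRIBUTE):
    """Return (allowed, group, reason) for one authenticated user.

    Deny when the attribute is missing, blank, or names a group the server does
    not have. The script makes the decision explicitly instead of leaving it to
    a default group with 'deny access' set.
    """
    raw = first_nonblank(radius_reply.get(attribute))
    if raw is None:
        return (False, None, "no group attribute in RADIUS reply")
    group = resolve_group(raw, known_groups)
    if group is None:
        return (False, None, "unknown group %r in RADIUS reply" % raw)
    return (True, group, "ok")


# Assumed placeholders: a real hook takes the status constants from the
# Access Server's plugin module, which the shipped sample script imports.
SUCCEED, FAIL = 1, 0


def post_auth(authcred, attributes, authret, info):
    """Hook in the shape of an Access Server post_auth script (assumed signature).

    The key holding the RADIUS reply inside `info` is also an assumption.
    """
    username = authcred.get("username", "<unknown>")
    radius_reply = info.get("radius_reply", {})  # assumed key
    allowed, group, reason = decide(radius_reply)
    # Debug line of the kind suggested in the reply above: shows what the script
    # received and decided, so spelling/case mismatches in group names are visible.
    print("post_auth: user=%r reply_group=%r allowed=%r group=%r (%s)"
          % (username, radius_reply.get(GROUP_ATTRIBUTE), allowed, group, reason),
          file=sys.stderr)
    proplist = {}
    if not allowed:
        authret["status"] = FAIL
        authret["reason"] = reason
        return authret, proplist
    # conn_group is the property name used for group membership; confirm it
    # against the sample script for your version.
    proplist["conn_group"] = group
    return authret, proplist
```

Run it under the server's post_auth mechanism and watch the debug line for each connection: a user who should be allowed but whose `reply_group` prints as `None` tells you the attribute name is wrong, while a value that prints but resolves to `group=None` points at a spelling or case mismatch between the IdP and the Access Server group list.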
