We have openvpn access server 2.10.1 installed. We use radius auth with post_auth script as described there - https://openvpn.net/vpn-server-resource ... post_auth/
Everything works great expect we have a problem with import autologon profile for new radius users (who connects and imports a profile for the first time) using the option "Import autologin profile" (we use openvpn client v3.1.3):
So if a new user tries to import autologin profile and he/she has never used this openvpn server before he/she gets this error:
"Failed to import profile. User lacks autologin privilege".
If the same user tries to import the profile one more time - no problem, the profile get imported without error.
I am trying to understand what is wrong and how I can fix this issue.
Autologin profile and radius server
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jan 17, 2022 1:06 pm
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Autologin profile and radius server
Hello xeonz,
OpenVPN Connect v3.1.3 is a bit outdated, I suggest you upgrade.
If you have integration with RADIUS fully setup and working and the correct bits are set to enable autologin, this autologin property should automatically be picked up and set on the user that's added to Access Server. If it does not I suggest you recheck your configuration.
You may also consider this option;
If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system, consider adding the autologin privilege as the default setting for the __DEFAULT__ meta user. By default users do not have the autologin privilege. But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.
Example of this setting:
cd /usr/local/openvpn_as/scripts/
./sacli --user "__DEFAULT__" --key "prop_autologin" --value "true" UserPropPut
./sacli start
See also this page:
https://openvpn.net/vpn-server-resource ... mand-line/
Kind regards,
Johan
OpenVPN Connect v3.1.3 is a bit outdated, I suggest you upgrade.
If you have integration with RADIUS fully setup and working and the correct bits are set to enable autologin, this autologin property should automatically be picked up and set on the user that's added to Access Server. If it does not I suggest you recheck your configuration.
You may also consider this option;
If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system, consider adding the autologin privilege as the default setting for the __DEFAULT__ meta user. By default users do not have the autologin privilege. But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.
Example of this setting:
cd /usr/local/openvpn_as/scripts/
./sacli --user "__DEFAULT__" --key "prop_autologin" --value "true" UserPropPut
./sacli start
See also this page:
https://openvpn.net/vpn-server-resource ... mand-line/
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jan 17, 2022 1:06 pm
Re: Autologin profile and radius server
Thank you for the answer.
Is it possible in this case?
yes, exactly. This is a completly new user. We create users in our external authentication system (freeradius server). Then users work with our openvpn servers. No users are created in openvpn servers in any manual way.If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system,
Unfortunately we need to enable autologin only for a particular group of users, not for all.But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.
Is it possible in this case?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Autologin profile and radius server
Sure. The __DEFAULT__ group is for all users' default settings. Simply set prop_autologin for the group you want to be able to autologin instead. Note that the sacli script does not distinguish between groups and users, so setting group properties does use --user and UserPropPut. (I'm only mentioning that because it seemed odd to me, and confused me at first.)
If you get stuck post again here, or feel free to open a support ticket at the link in my signature.
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support