OpenVPN Support Forum

We have openvpn access server 2.10.1 installed. We use radius auth with post_auth script as described there - https://openvpn.net/vpn-server-resource ... post_auth/
Everything works great expect we have a problem with import autologon profile for new radius users (who connects and imports a profile for the first time) using the option "Import autologin profile" (we use openvpn client v3.1.3):

So if a new user tries to import autologin profile and he/she has never used this openvpn server before he/she gets this error:
"Failed to import profile. User lacks autologin privilege".

If the same user tries to import the profile one more time - no problem, the profile get imported without error.

I am trying to understand what is wrong and how I can fix this issue.

Hello xeonz,

OpenVPN Connect v3.1.3 is a bit outdated, I suggest you upgrade.

If you have integration with RADIUS fully setup and working and the correct bits are set to enable autologin, this autologin property should automatically be picked up and set on the user that's added to Access Server. If it does not I suggest you recheck your configuration.

You may also consider this option;

If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system, consider adding the autologin privilege as the default setting for the __DEFAULT__ meta user. By default users do not have the autologin privilege. But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.

Example of this setting:
cd /usr/local/openvpn_as/scripts/
./sacli --user "__DEFAULT__" --key "prop_autologin" --value "true" UserPropPut
./sacli start

See also this page:
https://openvpn.net/vpn-server-resource ... mand-line/

Kind regards,
Johan

Thank you for the answer.

If this is a completely new user that is added to Access Server automatically upon successful login using an external authentication system,

yes, exactly. This is a completly new user. We create users in our external authentication system (freeradius server). Then users work with our openvpn servers. No users are created in openvpn servers in any manual way.

But setting it here will ensure that all users by default will have it. Please note that this will enable it for all users.

Unfortunately we need to enable autologin only for a particular group of users, not for all.

Is it possible in this case?

xeonz wrote: ↑

Mon Jan 17, 2022 4:17 pm

Unfortunately we need to enable autologin only for a particular group of users, not for all.

Is it possible in this case?

Sure. The __DEFAULT__ group is for all users' default settings. Simply set prop_autologin for the group you want to be able to autologin instead. Note that the sacli script does not distinguish between groups and users, so setting group properties does use --user and UserPropPut. (I'm only mentioning that because it seemed odd to me, and confused me at first.)

If you get stuck post again here, or feel free to open a support ticket at the link in my signature.

regards, rob0