Autologin denied even if enabled for user and group

nelson_d
OpenVpn Newbie
Posts: 5
Joined: Thu Sep 28, 2023 5:31 pm

Autologin denied even if enabled for user and group

Post by nelson_d » Thu Sep 28, 2023 5:47 pm

This is a fairly new install we've been piloting.

Autologin profiles aren't working and I don't understand why. I have checked the box to allow auto-login for my user under User Permissions, as well as for the group it's in under Group Permissions. However, the client says:

Authentication Failed
autologin permission is disabled

User and group properties:

  "nelson_d": {
    "conn_group": "networkservices",
    "prop_autologin": "true",
    "type": "user_connect"
  },
  "networkservices": {
    "access_to.0": "+SUBNET:10.0.0.0/24",
    "access_to.1": "+SUBNET:172.16.0.0/12",
    "c2s_dest_s": "false",
    "c2s_dest_v": "false",
    "group_declare": "true",
    "prop_autologin": "true",
    "prop_deny": "false",
    "prop_superuser": "false",
    "type": "group"
  },
What am I missing? Is there some global setting that might deny autologin for all users regardless of their individual or group settings?

Below is the server log output when I try to connect.

2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:17 SERVER-IP:60889 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication"
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:17 SERVER-IP:60889 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication"
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:17 SERVER-IP:60889 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key"
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:17 SERVER-IP:60889 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication"
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 VERIFY OK: depth=1, CN=OpenVPN CA'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 VERIFY OK: nsCertType=CLIENT'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 VERIFY OK: depth=0, CN=nelson_d_AUTOLOGIN'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_VER=3.git::d3f8b18b'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_PLAT=mac'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_NCP=2'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_TCPNL=1'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_PROTO=30'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_AUTO_SESS=1'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: UV_ASCLI_VER=3.3.6-4368'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: UV_PLAT_REL=13.6.22G120'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: UV_UUID=DA92E2B7-9786-5B5E-858C-7F491DCA76BE'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_GUI_VER=OCmacOS_3.3.6-4368'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_SSO=webauth,openurl,crtext'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_HWADDR=a0:ce:c8:70:0d:4b'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 peer info: IV_SSL=OpenSSL_1.1.1n__15_Mar_2022'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:17 SERVER-IP:60889 TLS: Username/Password authentication deferred for username '' "
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 SERVER-IP:60889 [nelson_d_AUTOLOGIN] Peer Connection Initiated with [AF_INET]SERVER-IP:60889'
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:17 SERVER-IP:60889 PUSH: Received control message: 'PUSH_REQUEST'"
2023-09-28T10:37:17-0700 [stdout#info] VPN Auth Failed: "autologin property is disabled for user 'nelson_d'" ['autologin permission is disabled']
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 MANAGEMENT: CMD \'client-deny 549 0 "AS auth failed" "autologin permission is disabled"\''
2023-09-28T10:37:17-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:17 MULTI: connection rejected: AS auth failed, CLI:autologin permission is disabled'
2023-09-28T10:37:18-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:18 SERVER-IP:60889 Delayed exit in 5 seconds'
2023-09-28T10:37:18-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:18 SERVER-IP:60889 SENT CONTROL [nelson_d_AUTOLOGIN]: 'AUTH_FAILED,autologin permission is disabled' (status=1)"
2023-09-28T10:37:18-0700 [stdout#info] [OVPN 2] OUT: "2023-09-28 17:37:18 SERVER-IP:60889 PUSH: Received control message: 'PUSH_REQUEST'"
2023-09-28T10:37:23-0700 [stdout#info] [OVPN 2] OUT: '2023-09-28 17:37:23 SERVER-IP:60889 SIGTERM[soft,delayed-exit] received, client-instance exiting'
Thanks!

nelson_d
OpenVpn Newbie
Posts: 5
Joined: Thu Sep 28, 2023 5:31 pm

Re: Autologin denied even if enabled for user and group

Post by nelson_d » Thu Sep 28, 2023 6:02 pm

Also we're on v2.11.3 and I have restarted the service since noticing the issue.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Autologin denied even if enabled for user and group

Post by openvpn_inc » Thu Sep 28, 2023 6:28 pm

Hello nelson_d,

This permission can be set on the __DEFAULT__ meta user in user properties, on the group level, on the user level, and finally in the post_auth script.

Looking at this information, it seems it is set at group and user level, which is double but fine. It should result in autologin being allowed. But it is possible that you have a post_auth script that removes this permission; it would have veto rights over this.

There are also other scenarios that could be in the way, like using a cluster without restarting the nodes to effect changes, or some external PKI configuration, or LDAP with autologin account re-verification failing, or a myriad of other things that are hard to see from just this output. I would suggest contacting us through our support ticket system so we can ask for more configuration information.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

nelson_d
OpenVpn Newbie
Posts: 5
Joined: Thu Sep 28, 2023 5:31 pm

Re: Autologin denied even if enabled for user and group

Post by nelson_d » Thu Sep 28, 2023 7:49 pm

You're absolutely right, it's the post_auth script. It didn't occur to me that it would still be processed. Thanks!

If I hard code a group for a certain user, then autologin is permitted. But without the SAML logic being processed, the script is sending back a default group instead.

I'll contact support if needed, but is there an easy way to just pull the user's existing group membership as a fallback, so I can do something like this?

if saml_username and group:
    # SAML stuff
else:
    try:
        proplist_save['conn_group'] = # whatever group the access server already had them in

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Autologin denied even if enabled for user and group

Post by openvpn_inc » Fri Sep 29, 2023 9:44 am

Hello nelson_d,

I don't know what your full script looks like, but an important thing to note is that with post_auth there are properties that you can set on the currently active login session that only apply during that one session, and there is a separate method to save properties to the user database. Most likely there is a logic error somewhere in the script where this doesn't happen correctly and perhaps in-session stuff gets reset or wiped somehow. The reason I am thinking this is because if you are using your script to only set group membership, then that shouldn't change anything for the user properties themselves. Those are still set on the user itself and the user properties will take precedence over group properties.

So __DEFAULT__ user property is lowest priority. Then group can override that. And user can override that. And post_auth finally can override that. So it looks like in your post_auth script the autologin property is somehow being stripped away. Since you have it set on the user specifically, the group settings don't really matter much. And it's just the post_auth script that seems to be messing things up.

It would be better to have a full view of the post_auth script. And if there's anything sensitive in there, it's better to reach out to support than post it here.

Kind regards,
Johan
OpenVPN Inc.
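A small model of the precedence Johan describes (__DEFAULT__, then group, then user, then post_auth), added here as an illustration and not code from Access Server or from the script in this thread. The nelson_d user and networkservices group entries are the ones posted above; the __DEFAULT__ entry and the properties of the "deny" group are constructed samples.

```python
from typing import Optional

# Property layers. User/group entries are copied from the thread; the
# __DEFAULT__ entry and the "deny" group are constructed for this example.
USERS = {
    "__DEFAULT__": {"prop_autologin": "false"},
    "nelson_d": {
        "conn_group": "networkservices",
        "prop_autologin": "true",
        "type": "user_connect",
    },
}
GROUPS = {
    "networkservices": {"prop_autologin": "true", "prop_deny": "false", "type": "group"},
    "deny": {"prop_deny": "true"},  # constructed: a "default deny" group like the one in the script
}


def effective_properties(user: str, post_auth_proplist: Optional[dict] = None) -> dict:
    """Merge the layers lowest priority first; each later layer overrides the earlier ones.

    post_auth_proplist models what a post_auth script puts in authret['proplist'].
    """
    post_auth_proplist = post_auth_proplist or {}
    user_props = USERS.get(user, {})
    # With GROUP_SELECT a post_auth script may pick the group itself;
    # otherwise the group stored on the user record is used.
    group_name = post_auth_proplist.get("conn_group", user_props.get("conn_group"))
    props = {}
    props.update(USERS.get("__DEFAULT__", {}))   # lowest priority
    props.update(GROUPS.get(group_name, {}))     # group overrides default
    props.update(user_props)                     # user overrides group
    props.update(post_auth_proplist)             # post_auth has the final say
    return props


def autologin_allowed(props: dict) -> bool:
    """Autologin needs prop_autologin set and the account not denied."""
    return props.get("prop_deny") != "true" and props.get("prop_autologin") == "true"
```

Running the three cases from the thread through the model: the stored properties alone allow autologin, a post_auth that hands back the "deny" group blocks the user through prop_deny, and a post_auth that returns prop_autologin "false" vetoes the user-level setting.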

nelson_d
OpenVpn Newbie
Posts: 5
Joined: Thu Sep 28, 2023 5:31 pm

Re: Autologin denied even if enabled for user and group

Post by nelson_d » Fri Sep 29, 2023 4:49 pm

It's a very lightly modified version of the SAML post_auth script I found here: <https://openvpn.net/vpn-server-resource ... p-mapping/>. I've put a slightly redacted version below.

The basic idea is we have a default deny group unless you are in a few specific SAML groups.

What I've found is that I have to set GROUP_SELECT to True in order for SAML to authorize a new user. Without it, their SAML groups are ignored and they just get that default deny. However, when it's True, autologin won't work because the script passes back a blank/empty group assignment rather than using the stored one from the database.

If I turn GROUP_SELECT back off, autologin works using group membership from the database, but SAML doesn't: new users get "Your account has been suspended." because they've been dumped in the deny group before the SAML processing happens.

import re, subprocess

from pyovpn.plugin import *

# When True, indicates that script will select the user's group
# by setting proplist['conn_group'] and that user properties
# will be fetched from the DB after the post_auth method returns
# rather than before.

GROUP_SELECT = True

# this function is called by the Access Server after normal authentication
def post_auth(authcred, attributes, authret, info):

    # default group assignment
    group = ""

    # user properties to save
    proplist_save = {}

    # set this to error string, if auth fails
    error = ""

    saml_username = None

    if info.get('auth_method') == 'saml': # this code only operates when the Access Server auth method is set to SAML
        group_attribute_name = 'groups' # if your SAML IdP sends group information in another attribute, change this
        saml_username = authret['user']

        saml_groups = info['saml_attr'].get(group_attribute_name, None)
        if saml_groups:
            print(f"***** POST_AUTH: List of received SAML groups: {saml_groups}")

            # determine the Access Server group based on SAML group settings
            mapped_group = determine_group(saml_groups)
            if mapped_group:
                group = mapped_group
        else:
            print(f'***** POST_AUTH: Groups for user {saml_username} are not reported, please check your IdP configuration')

    if saml_username and group:
        print("***** POST_AUTH: User group mapping found for %r, setting OpenVPN connection group to %r ..." % (saml_username, group))
        authret['proplist']['conn_group'] = group
        proplist_save['conn_group'] = group
    elif authret['user'] == "openvpn":
        authret['proplist']['conn_group'] = "admin"
        proplist_save['conn_group'] = "admin"
    elif saml_username:
        print(
            "***** POST_AUTH: No group mapping matches found for %r ... Using default group settings..." % saml_username)

    # process error, if one occurred
    if error:
        authret['status'] = FAIL
        authret['reason'] = error  # this error string is written to the server log file
        authret['client_reason'] = error  # this error string is reported to the client user

    return authret, proplist_save

# Adjust these to map the user's SAML group membership to an Access Server group.
def determine_group(saml_groups):
    group = "deny"
    if 'idautoID=a8732512-b539-4175-8cbb-24113652bff6,ou=Groups,dc=meta' in saml_groups :
        if 'idautoID=88089db6-0aea-458c-8f53-26b68cb9f690,ou=Groups,dc=meta' in saml_groups :
            group = "networkservices"
        elif 'idautoID=2bcbb15a-4c77-484b-9642-2ddc74e36691,ou=Groups,dc=meta' in saml_groups :
            group = "technology"
        elif 'idautoID=269bd882-db94-4a04-9555-c9330f58c871,ou=Groups,dc=meta' in saml_groups:
            group = "risk"
        elif 'idautoID=5d01a737-7ce5-470e-bd88-690cb4dbdb48,ou=Groups,dc=meta' in saml_groups:
            group = "fshr"
        elif 'idautoID=36bf4aaa-c0c2-49a8-a63d-7031db40ffda,ou=Groups,dc=meta' in saml_groups:
            group = "facilities"
        elif 'idautoID=8eff0dc3-3e6c-4047-a1cc-7685e5c66c46,ou=Groups,dc=meta' in saml_groups:
            group = "contractor"
        else:
            group = "allow"
    return group
Last edited by nelson_d on Fri Sep 29, 2023 4:52 pm, edited 1 time in total.

nelson_d
OpenVpn Newbie
Posts: 5
Joined: Thu Sep 28, 2023 5:31 pm

Re: Autologin denied even if enabled for user and group

Post by nelson_d » Fri Sep 29, 2023 4:52 pm

I was toying with an alternate version of the script and I found I can do this to pull the database group for people who are using autologin, and it solves the problem while GROUP_SELECT is True, but it's a gross hack and I'm sure it's not a recommended way of doing this. :D

    elif info['auth_method'] == 'autologin':
        # Read the group already stored for this user in the Access Server DB.
        # Argument-list form: no shell, so the username is passed as one argument
        # instead of being spliced into a command string.
        confdba_output = subprocess.check_output(
            ["/usr/local/openvpn_as/scripts/confdba", "-u", "-s", "--prof", authret['user']],
            stderr=subprocess.STDOUT).decode()
        # same pattern the grep used: the value of "conn_group" in the dumped profile
        match = re.search(r'"conn_group": "([a-zA-Z0-9]+)"', confdba_output)
        if match:
            CURRENT_GROUP = match.group(1)
            authret['proplist']['conn_group'] = CURRENT_GROUP
            proplist_save['conn_group'] = CURRENT_GROUP
