Topic: openvpn client login control issue about AD accounts (Read 3457 times)
chienchou.pan
Newbie
Posts: 19
Karma: 2
openvpn client login control issue about AD accounts
« on: January 26, 2021, 08:07:20 am »
Dear Sirs,
OPNsense users can be imported from the AD server, and I use these accounts for OpenVPN clients. They can log in to the OpenVPN service OK, but when they are disabled, they can still log in to the OpenVPN service successfully, so is this normal? (The local accounts are OK.)
« Last Edit: January 26, 2021, 08:09:30 am by chienchou.pan »
Fright
Hero Member
Posts: 1777
Karma: 164
Re: openvpn client login control issue about AD accounts
« Reply #1 on: January 26, 2021, 09:13:17 am »
Hi.
No, it's not normal. Any chance that the guest account is enabled in AD?
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: openvpn client login control issue about AD accounts
« Reply #2 on: January 26, 2021, 10:37:39 am »
Disabled in AD or in the local database?
Cheers,
Franco
chienchou.pan
Newbie
Posts: 19
Karma: 2
Re: openvpn client login control issue about AD accounts
« Reply #3 on: January 28, 2021, 05:14:05 am »
No guest account is enabled on our AD server (Windows 2003), and the AD account (synced from the AD server) was disabled in OPNsense. But it can still log in to the OpenVPN service now.
Fright
Hero Member
Posts: 1777
Karma: 164
Re: openvpn client login control issue about AD accounts
« Reply #4 on: January 28, 2021, 07:09:40 am »
I think you need to disable this account in AD for the authentication to fail (or remove the user from the corresponding group, if you only need to disable VPN).
« Last Edit: January 28, 2021, 10:55:27 am by Fright »
chienchou.pan
Newbie
Posts: 19
Karma: 2
Re: openvpn client login control issue about AD accounts
« Reply #5 on: January 28, 2021, 10:24:44 am »
So this means, if I want to block a user from connecting to OpenVPN, I must disable the account in both OPNsense and the AD server?
I can't just disable the account in OPNsense? It's not smart, I think.
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: openvpn client login control issue about AD accounts
« Reply #6 on: January 28, 2021, 10:41:21 am »
Well, you still haven't told us whether OpenVPN auth uses the local database or a remote AD server, because:
If the remote is used, you can adjust your query to include disabled.
If the local database is used, it might be a bug.
But in either case we can't help without the correct data.
Cheers,
Franco
chienchou.pan
Newbie
Posts: 19
Karma: 2
Re: openvpn client login control issue about AD accounts
« Reply #7 on: January 29, 2021, 03:36:11 am »
Our OpenVPN auth uses the remote AD server, so I need to disable the account on my AD server, not just disable the account in OPNsense, right?
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: openvpn client login control issue about AD accounts
« Reply #8 on: January 29, 2021, 07:09:21 am »
If you want to exclude disabled accounts I think you need to extend the LDAP query to check for this attribute, no? I haven't worked with AD so I'm not entirely sure.
Local account status is irrelevant if you go directly to AD to authenticate. Unless you distribute certificates for users as well you don't even need local imports.
Cheers,
Franco
Fright
Hero Member
Posts: 1777
Karma: 164
Re: openvpn client login control issue about AD accounts
« Reply #9 on: January 29, 2021, 08:02:27 am »
Disabling the account in AD should be enough (quickly tested in my AD environment).
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: openvpn client login control issue about AD accounts
« Reply #10 on: January 29, 2021, 09:04:06 am »
Ah, thanks for verifying.
chienchou.pan
Newbie
Posts: 19
Karma: 2
Re: openvpn client login control issue about AD accounts
« Reply #11 on: January 29, 2021, 09:10:21 am »
OK, I see, thanks.
In our company, we use AD accounts to log in to all systems, not just the OpenVPN service. The OpenVPN service is not provided for all users. Sometimes it is temporary (e.g. one or two months) for a special user. So I think disabling the accounts on the AD server is not a friendly way in production.
Now I use "VPN: OpenVPN: Client Specific Overrides" to define everyone's account to control login status. It can control OpenVPN login and doesn't need the account to be disabled on the AD server.
Fright
Hero Member
Posts: 1777
Karma: 164
Re: openvpn client login control issue about AD accounts
« Reply #12 on: January 29, 2021, 09:14:06 am »
Yes, it's a matter of where it is controlled. I am using AD group memberships for this.
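The two AD-side controls discussed above (Franco's "extend the LDAP query to check the disabled attribute" in reply #8 and Fright's "AD group membership" in reply #12) can be combined into one search filter. The following is an added example, not code from OPNsense, OpenVPN or anyone in this thread: it builds the filter, escapes the login name per RFC 4515 so a user-supplied name cannot rewrite it, and evaluates it with a minimal filter interpreter against a constructed in-memory stand-in for AD, so the reject/accept behaviour can be checked offline. The group DN, account names, and attribute values are invented. The disabled check uses AD's real `userAccountControl` bit 0x2 (ACCOUNTDISABLE) and the real bitwise-AND matching rule OID `1.2.840.113556.1.4.803`; OPNsense's LDAP server settings have an "Extended Query" field intended for this kind of clause (from the OPNsense documentation, not stated in the thread).

```python
"""Added example: a VPN-access LDAP filter (group membership AND not disabled)
checked against a constructed directory. Not OPNsense/OpenVPN code."""
import re

# AD userAccountControl bit set on a disabled account (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002
# OID of AD's bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed stand-in for AD objects (invented names and values):
# "bob" is disabled (512 | 2 = 514); "carol" is enabled but not in the VPN group.
VPN_GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
SAMPLE_DIRECTORY = [
    {"objectClass": ["user"], "sAMAccountName": "alice", "userAccountControl": 512,
     "memberOf": [VPN_GROUP_DN]},
    {"objectClass": ["user"], "sAMAccountName": "bob", "userAccountControl": 514,
     "memberOf": [VPN_GROUP_DN]},
    {"objectClass": ["user"], "sAMAccountName": "carol", "userAccountControl": 512,
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def vpn_auth_filter(username: str, group_dn: str, exclude_disabled: bool = True) -> str:
    """Filter requiring VPN group membership; optionally also 'not disabled in AD'."""
    parts = [
        "(objectClass=user)",
        f"(sAMAccountName={escape_filter_value(username)})",
        f"(memberOf={group_dn})",
    ]
    if exclude_disabled:
        # Bitwise test matches accounts WITH the disable bit; the '!' negates it.
        parts.append(f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE}))")
    return "(&" + "".join(parts) + ")"


def _parse(s: str, i: int = 0):
    """Recursive-descent parser for the &, |, !, = and attr:rule:= forms used here."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                     # escaping guarantees no stray ')' in values
    attr, value = s[i:j].split("=", 1)     # DN values may themselves contain '='
    return ("=", attr, value), j + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _attr(entry: dict, name: str) -> list:
    """Case-insensitive attribute lookup, always returning a list of values."""
    for k, v in entry.items():
        if k.lower() == name.lower():
            return v if isinstance(v, list) else [v]
    return []


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":"):                  # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError(f"unsupported matching rule {rule}")
        mask = int(value)
        return any(int(v) & mask == mask for v in _attr(entry, attr))
    want = _unescape(value).lower()
    return any(str(v).lower() == want for v in _attr(entry, attr))


def find_vpn_user(username: str, exclude_disabled: bool = True, directory=SAMPLE_DIRECTORY):
    """Return the entry the filter accepts, or None when the login is rejected."""
    filt = vpn_auth_filter(username, VPN_GROUP_DN, exclude_disabled)
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing characters in filter")
    return next((e for e in directory if _matches(node, e)), None)


if __name__ == "__main__":
    print(vpn_auth_filter("alice", VPN_GROUP_DN))
    for name in ("alice", "bob", "carol"):
        print(name, "accepted" if find_vpn_user(name) else "rejected")
    print("bob without disabled check:", "accepted" if find_vpn_user("bob", False) else "rejected")
```

Running it shows why the disabled clause matters: with `exclude_disabled=False` the filter is exactly the "group membership only" form, and the disabled account "bob" still authenticates because group membership survives disabling; with the `userAccountControl` clause he is rejected, as is "carol", who is enabled but not in the group. The escaping step is the part people forget when they paste a login name into an extended query.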