openvpn client login control issue about AD accounts

Started by chienchou.pan, January 26, 2021, 08:07:20 AM

January 26, 2021, 08:07:20 AM Last Edit: January 26, 2021, 08:09:30 AM by chienchou.pan
Dear Sirs,

OPNsense users can be imported from the AD server, and I use these accounts for the OpenVPN client. They can log in to the OpenVPN service OK, but when they are disabled they can still log in to the OpenVPN service successfully, so is this normal? (The local accounts are OK.)

Hi.
No, it's not normal. Any chance that the guest account is enabled in AD?


No guest account is enabled on our AD server (Win2003), and the AD account (synced from the AD server) was disabled in OPNsense. But it can still log in to the OpenVPN service now.

January 28, 2021, 07:09:40 AM #4 Last Edit: January 28, 2021, 10:55:27 AM by Fright
I think you need to disable this account in AD for the authentication to fail (or remove the user from the corresponding group, if you only need to disable VPN).

So this means, if I want to block a user from connecting to OpenVPN, I must disable the account in both OPNsense and the AD server?
I can't just disable the account in OPNsense? It's not smart, I think.  :-X

Well, you still haven't told us whether OpenVPN auth uses the local database or the remote AD server.

Because:

If the remote is used, you can adjust your query to handle disabled accounts.

If the local database is used, it might be a bug.

But in either case we can't help without the correct data.


Cheers,
Franco

Our OpenVPN auth uses the remote AD server, so I need to disable the account on my AD server, not just disable the account in OPNsense, right?

If you want to exclude disabled accounts, I think you need to extend the LDAP query to check for this attribute, no? I haven't worked with AD, so I'm not entirely sure.

Local account status is irrelevant if you go directly to AD to authenticate. Unless you distribute certificates for users as well, you don't even need local imports.


Cheers,
Franco

Disabling the account in AD should be enough (quick test in my AD environment).


OK, I see, thanks.

In our company we use AD accounts to log in to all systems, not just the OpenVPN service. The OpenVPN service is not provided to all users; sometimes it is temporary (e.g. one or two months) for a special user. So I think disabling accounts on the AD server is not a friendly way in production.

Now I use "VPN: OpenVPN: Client Specific Overrides" to define everyone's account to control login status; it can control OpenVPN login and doesn't need the account to be disabled on the AD server.

Yes, it's a matter of where it is controlled. I am using AD group memberships for this.
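The two remote-side controls the thread arrives at (extending the LDAP query to check the disabled attribute, as Franco suggests, and gating on AD group membership, as in the last reply) can be expressed as one AD filter. The following is an added example, not code from the thread or from OPNsense: it builds that filter and evaluates it against a few constructed directory entries so you can see which accounts a lookup returns. It assumes an extra filter clause is ANDed into the user lookup the way OPNsense's LDAP "Extended Query" setting does; the group DN, account names and attribute values are hypothetical, while the matching-rule OID and the ACCOUNTDISABLE bit are the standard Active Directory ones.

```python
"""Added example: emulate an AD-aware LDAP user lookup for OpenVPN auth.

Two extra conditions are ANDed into the sAMAccountName lookup:
  - membership of a VPN group (memberOf=...)
  - the userAccountControl ACCOUNTDISABLE bit being clear, tested with the
    AD bitwise-AND matching rule (userAccountControl:1.2.840.113556.1.4.803:=2)
Entries and the group DN below are constructed, not real directory data.
"""

# Standard Active Directory constants.
ACCOUNTDISABLE = 0x0002                            # userAccountControl flag
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Hypothetical group that is supposed to gate VPN access.
VPN_GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"

# Constructed sample entries (not real accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,    # NORMAL_ACCOUNT
     "memberOf": [VPN_GROUP_DN, "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bob",   "userAccountControl": 514,    # NORMAL_ACCOUNT | ACCOUNTDISABLE
     "memberOf": [VPN_GROUP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": 512,    # active, but not in the VPN group
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "dave",  "userAccountControl": 66050,  # DONT_EXPIRE_PASSWORD | disabled
     "memberOf": [VPN_GROUP_DN]},
]


def disabled_clause():
    """Clause matching only accounts whose ACCOUNTDISABLE bit is clear."""
    return f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"


def group_clause(group_dn):
    """Clause matching direct members of group_dn."""
    return f"(memberOf={group_dn})"


def extended_query(group_dn=VPN_GROUP_DN):
    """The extra condition to AND into the user lookup (assumed 'Extended Query')."""
    return f"(&{group_clause(group_dn)}{disabled_clause()})"


def user_lookup_filter(username, extra=None):
    """Full filter as the server would run it: user match plus the extra clause."""
    base = f"(sAMAccountName={username})"
    return f"(&{base}{extra})" if extra else base


# --- minimal evaluator for the filter subset used above --------------------

def parse_filter(s, pos=0):
    """Parse (&..), (|..), (!..), (attr=value) and (attr:OID:=value)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if s[pos] in "&|":
        op, children, pos = s[pos], [], pos + 1
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            children.append(node)
        return (op, children), pos + 1            # skip the closing ')'
    if s[pos] == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("!", node), pos + 1
    end = s.index(")", pos)                       # values used here contain no ')'
    attr, value = s[pos:end].split("=", 1)
    if attr.endswith(":"):                        # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        return ("bitand", attr, int(value)), end + 1
    return ("eq", attr, value), end + 1


def _values(entry, attr):
    """AD attribute names are case-insensitive; always return a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    if kind == "eq":                              # string/DN match, case-insensitive
        return any(str(v).lower() == node[2].lower() for v in _values(entry, node[1]))
    if kind == "bitand":                          # true when every bit of the mask is set
        return any((int(v) & node[2]) == node[2] for v in _values(entry, node[1]))
    raise ValueError(kind)


def find_user(username, entries=SAMPLE_ENTRIES, extra=None):
    """Return the entry the server would hand back for the bind step, or None."""
    tree, _ = parse_filter(user_lookup_filter(username, extra))
    matches = [e for e in entries if evaluate(tree, e)]
    return matches[0] if matches else None


if __name__ == "__main__":
    print("extended query:", extended_query())
    for name in ("alice", "bob", "carol", "dave"):
        plain = find_user(name) is not None
        strict = find_user(name, extra=extended_query()) is not None
        print(f"{name:6} plain lookup: {plain!s:5}  with extended query: {strict}")
```

With the extra clause only alice is returned; bob and dave are dropped for the disable bit (dave shows that the bitwise rule, not an equality test against 514, is what you want, since other flags can be set alongside ACCOUNTDISABLE), and carol is dropped for not being in the group. Removing a user from the group is then the per-user VPN switch the last two replies describe, without touching the account itself. Note that memberOf only lists direct memberships; nested groups need the LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941), which this small evaluator does not implement.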