openvpn client login control issue about AD accounts

[chienchou.pan]

Dear Sirs,

     The opnsense users can import from AD server, and I use these accounts for openvpn client, they can login openvpn service OK, but when they were disabled, they can still login openvpn service successfully, so is it normally?  (th local accounts is OK)

[Fright]

hi.
no, its not normal. any chance that guest account is enabled in AD?

[franco]

Disabled in AD or local database?


Cheers,
Franco

[chienchou.pan]

no guest account enabled in our AD server(win2003), and the AD account(sync from AD server) was disabled in opnsense. But still can login openvpn service now.

[Fright]

i think you need to disable this account in AD for the authentication to fail (or remove a user from the corresponding group, if you only need to disable vpn)

[chienchou.pan]

So this means, If i want to block user to connect openvpn, I must disable account from opnsense and AD server?
I can't just disable account on opnsense? It's not smart I think.   

[franco]

Well, you still haven't told us whether OpenVPN auth uses local or remote AD server.

Because

If the remote is used you can adjust your query to include disabled.

If local database is used it might be a bug.

But in either case we can't help without the correct data.


Cheers,
Franco

[chienchou.pan]

Our openvpn auth uses remote AD server, So I need to disable the account from my AD server , not just disable account on opnsense, right?

[franco]

If you want to exclude disabled accounts I think you need to extend the LDAP query to check for this attribute, no? I haven't worked with AD so I'm not entirely sure.

Local account status is irrelevant if you go directly to AD to authenticate. Unless you distribute certificates for users as well you don't even need local imports.


Cheers,
Franco

[Fright]

disabling account in AD should be enough (quick tested in my AD environment)

[franco]

Ah, thanks for verifying.

[chienchou.pan]

OK, I see, thanks.

In our company, we use AD account to login all systems, not just openvpn service.  The openvpn service is not provided for all users. Sometimes is temporary (ex. one month or two month) for special user.  So I think disable the accounts from AD server is not friendly way in production.

Now I use "VPN: OpenVPN: Client Specific Overrides" to define everyone's account to control login status, it can control openvpn login and don't need to disable account in AD server.

[Fright]

yes, it's a matter of where it is controlled. I am using AD group memberships for this