VPN - Disabled Users can Still Login

Gary

We are still configuring our VPN and so far so good. We are using Active Directory for our user database.

When we disable a user, I am assuming that should disable the VPN account, however a disabled user is still able to connect, and successfully use the VPN.

Am I missing something? Is there a setting for "disabled users can't use VPN"?

Thank you,
Gary

Bill

Hi Gary
I found the same issue a couple weeks ago. After talking to support and using the latest EA release, disabled AD accounts are still able to login. It's a known issue that hopefully will be resolved soon.

Apparently a deleted AD account is unable to login (with the latest EA release), but I haven't tested this myself.
To see Early Access, go to Updates, Features & Licensing->Settings and change the Repository to EA.

It would be nice to see this resolved.
Bill

Bill

Just tried the latest EA release... same issue. Seems the disabled user can still login for the duration of their device certificate.

Bill

MartianX

We have done some work on this but I think there is still work to do to make it truly effective.

When you disabled an AD user there was no mechanism to detect this event and invalidate the users' devices. With our 2.3.7 update, this should now be happening although we have discovered this only works for one of the users' devices, not all so that will get fixed in our next update.

I should note that if the account was already disabled before upgrading their peer would remain accessible. This is because the fix relied on capturing the disabled event when the user was disabled. As it was already disabled, no event and therefore no invalidation.

Furthermore, when you disable the user on the AD it will only get updated until the next sync so it won't be immediate.

We are now looking at hooking this up to our own user suspension code so that you have a way of preventing access immediately, independent of the user directory being used.

MartianX

We are planning to have the suspension of a user invalidate their peer config in our next 2.3.8 update. I'll post here when its available in EA.

ludup

2.3.8 is now in EA if you want to switch to it and this fixes peer invalidation. The quickest way to prevent user access is to Suspend them in the LogonBox VPN User Directory page. This should now invalidate any peers immediately and prevent them from accessing/logging in.

Gary

Perhaps I'm missing something, but I'm on 2.3.11-1635 and I have used a "disabled user's" profile to still connect to the service. I'm using the App Store Wireguard client.

I understand that perhaps the LogonBox native client may not permit login, but the actual profile/certificates are still functional.

ChrisDakin

Hi Gary,
Check the longevity of the Generic peer configuration in VPN->Peers.
If it's set to the Default PERMANENT then I'd expect this as you've generated a client config that doesn't expire. Then as the native client is connecting directly to the WireGuard service and bypasses anything on LogonBox itself, the user's status can no longer be checked and that connection is still valid as far as WireGuard's concerned.

Ways to work around this:

You can manually delete the device for this user in VPN->Devices.

You can change the Longevity to something like TIMED, but note that when the client config gets invalidated the user will need to log on to the Web UI and generate a new config file, download it and install it in the client (this is why we have the LogonBox branded client - coming soon for mobiles - it will handle all this automatically).

Chris.

Gary

OK. I'm getting the feeling that only the java client gives control.

using "TRACKED" doesn't monitor for password changes. I also tested with a disabled user and the VPN still functions as normal.

Does that seem correct?

ChrisDakin

Hi Gary,
Yes, only the Java client gives you the control, at least around authentication.
If you have TIMED set on the native clients then LogonBox will invalidate the client configurations though. The client will seem to connect okay as it doesn't know any different but it won't be able to route anywhere (you can check the device config status on the VPN->Devices page).

Regarding TRACKED mode, I just tested this by logging on my admin account and changing a user's password and it invalidated the client configuration immediately. Now if you're connected to something like AD instead and the user's AD password changes, then the VPN is not necessarily going to find out about this (especially if you're using the native clients).

Chris.