
OpenVPN Access Server implements session-token based authentication. After a normal successful authentication the server sends a session token to the VPN client. Each time the VPN client must authenticate again, it offers this session token to the server. A session token contains a unique session ID as well as timestamps for the beginning of the VPN session and when the session token was issued. If the session token passes validation checks on the server side, the client is allowed to resume the VPN session. The session token is authenticated and signed with HMAC. For a cluster setup of Access Servers, the HMAC key is shared between member nodes. This allows a user that started his VPN session on one Access Server cluster node to resume his session on another Access Server cluster node.

These are use-cases for the session token in Access Server:

- TLS encryption key renegotiations can succeed without the user having to enter credentials mid-session.
- After a transient connection interruption the session can resume gracefully.
- When an Access Server cluster node fails, its users can migrate gracefully to another node.
- When multi-factor authentication is enabled there is no need to interrupt the user in the above cases.
- Server-locked profiles don't need to repeat authentication twice in a row.
- It can enhance security by not having to remember user credentials in memory.

Note: Auto-login profiles do not need or use session tokens; they authenticate by their certificates only.

Validation of session tokens

Access Server validates the session token when it is offered by the VPN client. It must pass the following checks to be accepted as a valid authentication method:

- The server verifies the HMAC signature on the session token.
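The following is an added illustration of the token design described above, not code from OpenVPN Access Server itself: a token carrying a session ID, a session-start timestamp and an issue timestamp, signed with HMAC-SHA256 under a key that every cluster node shares, and verified with a constant-time comparison before any field is trusted. The token layout, the key value and the `max_age` bound on the issue timestamp are assumptions made for the example; the page only states that the HMAC signature is checked.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example key. In a cluster every member node holds the same HMAC
# key so a token issued on one node verifies on another; a real deployment
# generates and distributes this secret out of band.
CLUSTER_HMAC_KEY = b"constructed-example-cluster-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, session_id: str, session_start: int, issued_at: int) -> str:
    """Serialize the claims (session ID, session start, issue time) and sign them.

    The canonical JSON encoding (sorted keys, no whitespace) makes sure every
    node computes the MAC over the same bytes.
    """
    payload = json.dumps(
        {"sid": session_id, "start": session_start, "iat": issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(key: bytes, token: str, now: int, max_age: int = 3600):
    """Return the claims if the token is acceptable, otherwise None.

    Order matters: the HMAC is checked first, so no claim is parsed or acted
    on until its integrity is established. The timestamp sanity checks and the
    max_age bound are an assumed policy for this example.
    """
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None

    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None

    try:
        claims = json.loads(payload)
    except ValueError:
        return None

    sid, start, iat = claims.get("sid"), claims.get("start"), claims.get("iat")
    if not isinstance(sid, str) or not isinstance(start, int) or not isinstance(iat, int):
        return None
    if start > iat or iat > now:      # issued before the session began, or in the future
        return None
    if now - iat > max_age:           # assumed policy: stale tokens are not accepted
        return None
    return claims


def new_session_id() -> str:
    """Unique, unpredictable session identifier for a freshly authenticated client."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Node A issues the token after a successful login; node B, holding the
    # same cluster key, accepts it when the client reconnects.
    sid = new_session_id()
    tok = issue_token(CLUSTER_HMAC_KEY, sid, session_start=1700000000, issued_at=1700000000)
    print("node B accepts:", verify_token(CLUSTER_HMAC_KEY, tok, now=1700000300) is not None)
    print("other key rejects:", verify_token(b"some-other-key", tok, now=1700000300) is None)
```

Checking the MAC before decoding the claims is the important ordering: a node should never branch on session ID or timestamps that have not yet been authenticated, and `hmac.compare_digest` keeps the comparison time independent of how many leading bytes of a forged MAC happen to match.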