Last active
June 2, 2021 18:19
-
-
Save guddl/ac6b4084ebd4663574cc36bf700a2247 to your computer and use it in GitHub Desktop.
OpenVPN Access Server // pas.py to disable different operating systems
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example Access Server Post-Auth script demonstrates three features: | |
| # | |
| # 1. How to set a connecting user's Access Server group based on LDAP | |
| # group settings for the user. | |
| # 2. How to verify that a given Access Server user only logs in using | |
| # a known client machine. | |
| # 3. How to verify that client machine contains up-to-date applications | |
| # (such as virus checker) before allowing it to connect to the server. | |
| # | |
| # https://docs.openvpn.net/docs/access-server/openvpn-access-server-post-auth-scripting.html | |
| # https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150/howto-commands/411-access-server-post-auth-script.html | |
| # | |
| # Note that this script requires that the client provide us with information | |
| # such as its MAC address and information about installed applications. | |
| # The Access Server Client will only provide this information to trusted | |
| # servers, so make sure that the client is configured to trust the profile | |
| # which is used to connect to this server. | |
| import re | |
| import ldap | |
| from pyovpn.plugin import * | |
| # regex to parse the first component of an LDAP group DN | |
| re_group = re.compile(r"^CN=([^,]+)") | |
| # regex to parse the major component of a dotted version number | |
| re_major_ver = re.compile(r"^(\d+)\.") | |
| # Optionally set this string to a known public IP address (such as the | |
| # public IP address of machines connecting from a trusted location, such | |
| # as the corporate LAN). If set, all users must first login from this | |
| # IP address, where the machine's hardware (MAC) address will be recorded. | |
| first_login_ip_addr="" | |
| def ldap_groups_parse(res): | |
| ret = set() | |
| for g in res[0][1]['memberOf']: | |
| m = re.match(re_group, g) | |
| if m: | |
| ret.add(m.groups()[0]) | |
| return ret | |
| # this function is called by the Access Server after normal authentication | |
| def post_auth(authcred, attributes, authret, info): | |
| print "********** POST_AUTH", authcred, attributes, authret, info | |
| # default group assignment | |
| group = "default" | |
| # get user's property list, or create it if absent | |
| proplist = authret.setdefault('proplist', {}) | |
| # user properties to save | |
| proplist_save = {} | |
| # set this to error string, if auth fails | |
| error = "" | |
| # When a VPN client connects check if its running iOS | |
| #attributes.get('vpn_auth'): # only do this for VPN authentication | |
| if attributes.get('vpn_auth'): # only do this for VPN authentication | |
| ver = attributes['client_info']['IV_PLAT'] | |
| if ver == "ios": | |
| error = "VPN on iOS is not permitted." | |
| if ver == "mac": | |
| error = "VPN on macOS is not permitted." | |
| # process error, if one occurred | |
| if error: | |
| authret['status'] = FAIL | |
| authret['reason'] = error # this error string is written to the server log file | |
| authret['client_reason'] = error # this error string is reported to the client user | |
| # set the group name | |
| proplist['conn_group'] = group | |
| return authret, proplist_save |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment