Access Server 2.10 versions
Release date: May 10, 2022
Improved debug logging output for OpenVPN daemons.
Improved logging by redacting MySQL password from upgrade log output.
Fixed a regression where a RADIUS healthcheck function would prevent RADIUS from functioning correctly.
Fixed a regression where the web interface would endlessly redirect.
Fixed a bug where newly registered users on external authentication would not inherit prop_deny flag.
Fixed a bug where autologin profile would be removed if permission was revoked on user but still present on group.
Fixed a bug that could occur on upgrades when LDAP account validity check was explicitly enabled.
Released bundled clients package v25 with Connect v3.3.6.4368 for macOS.
Release date: Mar 22, 2022
Dropped support for CentOS 8 due to end-of-life of platform.
Fixed security issue where empty or no host header could reveal internal IP of server.
Fixed a regression where web server name defaulted to internal Twisted version.
Fixed a regression where /robots.txt was malformed.
Fixed a regression that prevented profile download in combination with Duo post_auth script.
Fixed a regression that prevented concurrent authentication requests with default settings.
Fixed a regression where RADIUS accounting start packet was not sent upon VPN connection.
Fixed a regression where local user could not change password if local is not the default auth method.
Fixed a regression where data channel cipher was upgraded unintentionally for specific old configurations.
Fixed a bug in the additional LDAP account validity check for autologin users.
Fixed a bug where LDAP/RADIUS could inadvertently end up being disabled in the Admin UI.
Updated Admin UI authentication section and related settings.
Improved error handling when trying to set a local password on a non-local account.
Added status of authentication methods in sacli command line tool.
Added upgrade debug information by default.
Released bundled clients package v23 with Connect v3.3.6.2752 for Windows.
Released bundled clients package v24 with Connect v3.3.5.4310 for macOS.
Release date: Jan 12, 2022
Fixed an open redirect security issue with the referrer HTTP header.
Fixed an assertion failed crash in the OpenVPN2 core.
Fixed a bug where MFA enrollment could be bypassed by an administrative user.
Fixed a bug where FIPS mode on RedHat, CentOS, and Amazon Linux would prevent Access Server from working.
Fixed a bug where the Client Web UI didn't work if XML-RPC and web service forwarding were both turned off.
Fixed a bug where the Change Password button was visible for externally authenticated users.
Fixed a bug where unlisted externally authenticated users were added with the 'deny' flag set on them.
Fixed a bug where session IP lock was still applied in a specific case while this was deprecated.
Fixed a bug where ovpn-init summary showed wrong username when a custom username was specified.
Fixed a bug where certain upgrade steps would not run as expected.
Fixed a bug where configurations using ns external certificate types would no longer work.
Fixed a bug where TLS security level would not be correctly set to TLS 1.2 in some cases.
Fixed a bug where a restart notification would not appear on a cluster after configuring RADIUS.
Updated hashing method for new local user passwords from unsalted SHA256 to salted PBKDF2.
Improved Admin Web UI by greying out authentication options that are not enabled.
Improved error handling for the upload function for offline activation.
Added sacli to path so it can be called from anywhere.
Added ConfigReplace function to sacli for text-file based configuration dumping and loading.
Released bundled clients package v22 with Connect v3.3.4.2600 for Windows and Connect v3.3.3.4163 for macOS.
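The entry above about moving new local user passwords from unsalted SHA256 to salted PBKDF2, illustrated as an added example (not Access Server code; the record format, iteration count and function names are assumptions). It goes one step beyond the entry by showing a verifier that accepts both record kinds and upgrades a legacy record at the next successful login.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Assumed record layout for this sketch (not Access Server's storage format):
#   legacy: "sha256$<hex digest>"
#   new:    "pbkdf2_sha256$<iterations>$<salt hex>$<hex digest>"
ITERATIONS = 600_000  # assumed work factor


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of two records."""
    return hmac.compare_digest(a.encode(), b.encode())


def hash_legacy(password: str) -> str:
    """Unsalted SHA-256: equal passwords always give equal records."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes | None = None,
                iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> tuple[bool, bool]:
    """Return (password_ok, needs_rehash) for either record format."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha256":
        ok = _eq(hash_legacy(password), record)
        return ok, ok  # valid legacy record: rehash while password is known
    if scheme == "pbkdf2_sha256":
        try:
            iters, salt_hex, _digest = rest.split("$")
            candidate = hash_pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
        except ValueError:
            return False, False  # malformed record: fail closed
        ok = _eq(candidate, record)
        return ok, ok and int(iters) < ITERATIONS
    return False, False  # unknown scheme or missing user: fail closed


def login(store: dict[str, str], user: str, password: str) -> bool:
    """Check a login and upgrade the stored record on success if needed."""
    ok, needs_rehash = verify(password, store.get(user, ""))
    if needs_rehash:
        store[user] = hash_pbkdf2(password)
    return ok
```

Two users with the same password share one legacy record, so a single precomputed table covers both; with per-record salts each record has to be attacked separately at the full iteration cost.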
Release date: Nov 25, 2021
New features:
Added feature to use multiple authentication methods, which can be set per user and group. Refer to Authentication System for details.
Added new internal upgrade tracking logic designed to ensure smoother upgrades in the future.
Added separate software repository for RHEL 8 operating system.
Added support for Debian 11 (Bullseye).
Added field to activation screen to ease offline activation of fixed license keys.
Added re-verification check on LDAP account validity for autologin accounts.
Bug fixes and improvements:
Replaced Diffie-Hellman key with recommended DH groups as defined in RFC 7919.
Deprecated default openvpn admin bootstrap account; new installations will use a local admin user.
Fixed a bug when upgrading from Access Server version 2.6.1 to 2.9.5 and newer.
Fixed a bug when upgrading with a 9+ year old certificates database.
Fixed a bug where group assignment would become explicit instead of inheriting default group.
Fixed a bug where default group dropdown might show different group than the currently set group.
Fixed a bug where wrong MIME-type was sent when obtaining connection profile via REST API.
Fixed a bug where ovpn-init picked incorrect option for interface/IP selection.
Changed default for lockout policy from 3 failed attempts to 5 failed attempts before triggering.
Changed bootstrap account behavior to no longer bypass MFA or lockout requirements.
Released bundled clients package v21 with Connect v3.3.3.2562 for Windows and Connect v3.3.2.4125 for macOS.
Important notes:
Bootstrap accounts no longer bypass MFA or lockout requirements. If you have MFA enabled globally on your server, you may have to enroll bootstrap accounts in MFA on the client web service or disable the MFA requirement for that account. On upgrades, bootstrap accounts configured in as.conf will continue to authenticate via PAM.
For RHEL 8 we now use a separate software repository. Use the new repository for installations and upgrades for RHEL 8.
For CentOS 8 we will soon cease to build Access Server releases due to planned EOL of that OS.
If you choose to use the new multiple authentication methods feature, please note that your post_auth scripts may need to be adjusted.
Duo MFA enrollment message is not shown on admin web service. You may use the client web service or Duo's site to enroll admin users for Duo MFA.
On AS 2.10.2 and 2.10.3, AUTH_NULL custom post_auth authentication system does not work. This is mostly restored in AS 2.11.0.