Access Server 2.14 versions
Access Server 2.14.1
Release date: Sep 5, 2024
Added support for RADIUS Message-Authenticator attribute to address CVE-2024-3596.
Added support for metadata v2 on Amazon EC2 instances for the ovpn-init initial setup.
Added back support for custom MFA messages to the new Client Web UI.
Added back the /saml/metadata endpoint on the new Client Web UI.
Added EPKI generic connection profile download and bundling option to new Client Web UI in external PKI mode.
Updated OpenVPN to v2.6.12 to address CVE-2024-5594.
Updated FastAPI library to version v0.110.3.
Updated Access Server EULA to include licenses for new libraries used in new Client Web UI.
Fixed a regression where server agent performance would be significantly reduced on busy 2.14.0 servers.
Fixed a regression where OKTA MFA didn't appear on the new Client Web UI.
Fixed a regression where case-insensitive LDAP authentication could fail if it occurred before the MFA enrollment phase was completed.
Fixed a regression on the Admin Web UI with downloading autologin profiles while lacking autologin privileges yourself.
Fixed a regression on the Admin Web UI's SAML and CWS Settings pages where the save settings button could reset settings.
Fixed a regression on the Admin Web UI's User Permissions page where user settings could inadvertently be removed.
Fixed a regression with missing client_ip_address in the authcred dictionary in post_auth.
Fixed a regression with missing request_superuser_privileges and log_service_name in the attributes dictionary in post_auth.
Fixed a regression where prop_deny_web would inadvertently also block VPN authentications.
Fixed a bug in confdba with setting the active configuration profile.
Fixed a bug where repeated successful SAML authentications could trigger an authentication lockout.
Fixed a bug where the MTU setting, as defined in the Access Server configuration, would not be applied to OpenVPN daemons.
Improved the new Client Web UI to hide the Connection Profiles page when Access Server is in External PKI mode.
Improved handling of client installer and connection profile download cases while the XML-RPC API is turned off.
Improved bundling of connection profiles into installers by automatically adding a comment on the server.
Improved the new Client Web UI and the new REST API endpoints to correct minor issues.
Released bundled clients package v31 with Connect v3.5.0.3818 for Windows.
Access Server 2.14.0
Release date: Jun 20, 2024
New features:
Introduced a new web framework for the client web service.
Added support for Ubuntu 24.04 LTS (Noble Numbat).
Bug fixes and improvements:
Updated Twisted library to 22.4.
Updated OpenVPN2 core to 2.6.10as1.
Fixed security issue CVE-2024-28882.
Removed the bundled web CA for LDAP SSL verification; Access Server now relies on the system certificate store instead.
Removed deprecated Connect v2 client from the web interface. Connect v3 is recommended instead.
Enhanced the sacli subscriptionstatus output with additional subscription key details.
Fixed an issue with reloading iptables ruleset after sacli start.
Fixed a bug when building DCO kernel module on Red Hat 9.4.
Released DCO kernel module v0.2.20240712.
Important notes:
Dropped support for CentOS 7, Red Hat 7, and Debian 10 operating systems. These operating systems will reach end-of-life in June 2024. We also dropped support for Amazon Linux 2. We currently recommend using Ubuntu 22.04 LTS or 24.04 LTS, Debian 12, or Red Hat 9.
The client web interface no longer offers OpenVPN Connect v2, as this is a deprecated client. It now offers OpenVPN Connect v3, which is the recommended client program.
The client web interface has been reimplemented in a more modern web framework, but it still looks and works mostly the same. The admin UI will also receive an overhaul in an upcoming release.
A known issue is that users authenticated via RADIUS with MFA challenge (e.g., OKTA with RADIUS agent) can use only auto-push as a multi-factor login. Verification codes, SMS, and emails are not supported as a second factor. OKTA SAML authentication is not affected by this issue. This is resolved in 2.14.1.
A known issue is that accessing the profiles overview in the client web service in external PKI mode shows an error message, as that function is unavailable in external PKI mode. This is resolved in 2.14.1.
A known issue is that creating an autologin profile for another user on the Admin Web UI doesn't work if the admin user doesn't have autologin privileges. This is resolved in 2.14.1.
A known issue is that users of the Duo security post_auth script get a generic message asking for the MFA code instead of the custom message generated by the Duo post_auth script. This is resolved in 2.14.1.
A known issue is that users can't enroll in MFA if they sign in with a username with a different case than the one stored in Windows Active Directory when using LDAP or RADIUS for authentication. This is resolved in 2.14.1.
A known issue in 2.14.0 and 2.14.1 is that downloading profiles for usernames with non-Latin characters in the new Client Web UI results in an error. This will be resolved in 2.14.2.
A known issue in 2.14.0 and 2.14.1 is that a combination of MFA done with a RADIUS challenge on top of an MFA challenge done in Access Server (built-in MFA or post_auth MFA) isn't supported. Either one alone works, but the combination doesn't work. This will be resolved in 2.14.2.