Tutorial: How to Adjust Access Server's Session Tokens
How to change Access Server's settings for session tokens.
Overview
Access Server implements session-token-based authentication. After a normal successful authentication, the server sends a session token to the VPN client. Each time the VPN client must authenticate again, it offers this session token to the server. If the session token passes validation checks on the server side, the client is allowed to resume the VPN session.
This tutorial shows how to adjust session token settings from the command-line interface (CLI).
Prerequisites
An installed Access Server.
Console access and the ability to get root access.
Start by learning about how session tokens work by reading our detailed topic:
Connect to the console and get root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Use the following commands to adjust the default session token values and define new behavior:
Set the session token timeout in seconds (default 86100 seconds or approximately 24 hours):
./sacli --key "vpn.server.session_expire" --value <SECONDS> ConfigPut
./sacli start
Remove this value to reset it to default:
./sacli --key "vpn.server.session_expire" ConfigDel
./sacli start
Change the mid-session TLS renegotiation period (default 360 minutes or six hours):
./sacli --key "vpn.tls_refresh.interval" --value <MINUTES> ConfigPut
./sacli start
Restore this value to default by deleting it:
./sacli --key "vpn.tls_refresh.interval" ConfigDel
./sacli start
Important
If you set the value to an extremely high setting, such as 99999999999, it effectively disables the session token expiration. We advise against this. If you need a session never to require authentication, use auto-login type profiles, as they do not use session tokens.
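The procedure above as a guarded wrapper, added here as an example and not OpenVPN's own code: it validates a value before running the same sacli commands, rejecting non-numeric input, a seconds value passed to the minutes key, and very large values such as the one the note above advises against. The function names, the DRY_RUN switch and the two MAX_* caps are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: guard rails for the two sacli keys in this tutorial.
# The MAX_* caps are assumed local policy values, not Access Server limits.
SCRIPTS_DIR="/usr/local/openvpn_as/scripts"
MAX_SESSION_EXPIRE_SECONDS=604800   # assumption: 7 days
MAX_TLS_REFRESH_MINUTES=1440        # assumption: 24 hours

# check_value KEY VALUE: succeed only for a positive integer within the cap.
check_value() (
  key=$1; value=$2
  case "$key" in
    vpn.server.session_expire) max=$MAX_SESSION_EXPIRE_SECONDS ;;
    vpn.tls_refresh.interval)  max=$MAX_TLS_REFRESH_MINUTES ;;
    *) echo "unsupported key: $key" >&2; exit 1 ;;
  esac
  case "$value" in
    ''|0*|*[!0-9]*) echo "$key: '$value' is not a positive integer" >&2; exit 1 ;;
  esac
  # Reject by digit count first so huge inputs never reach the numeric test.
  if [ "${#value}" -gt 9 ] || [ "$value" -gt "$max" ]; then
    echo "$key: $value exceeds the cap of $max" >&2; exit 1
  fi
)

# human_duration KEY VALUE: print the value as hours and minutes.
human_duration() (
  key=$1; value=$2
  if [ "$key" = "vpn.server.session_expire" ]; then
    minutes=$(( value / 60 ))   # this key is stored in seconds
  else
    minutes=$value              # vpn.tls_refresh.interval is in minutes
  fi
  echo "$(( minutes / 60 ))h$(( minutes % 60 ))m"
)

# apply_setting KEY VALUE: validate, then run ConfigPut and ./sacli start.
# With DRY_RUN=1 the commands are printed instead of executed.
apply_setting() (
  key=$1; value=$2
  check_value "$key" "$value" || exit 1
  echo "# $key=$value is $(human_duration "$key" "$value")"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf './sacli --key "%s" --value %s ConfigPut\n./sacli start\n' "$key" "$value"
    exit 0
  fi
  cd "$SCRIPTS_DIR" || exit 1
  ./sacli --key "$key" --value "$value" ConfigPut && ./sacli start
)

if [ "$#" -eq 2 ]; then apply_setting "$1" "$2"; fi
```

Run it with DRY_RUN=1 first to see the converted duration and the exact commands before anything changes on the server.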