Tutorial: How to Adjust Access Server's Session Tokens
How to change Access Server's settings for session tokens.
Overview
After a successful authentication, Access Server issues a session token to the VPN client. The client presents this token each time it needs to re-authenticate — for example, during TLS key renegotiation or after a brief connection interruption — so the user doesn't need to re-enter their credentials mid-session.
This tutorial shows how to adjust session token settings from the command-line interface (CLI).
An installed Access Server.
Console access and the ability to get root access.
Start by learning about how session tokens work by reading our detailed topic:
Connect to the console and get root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Use the following commands to adjust the default session token values and define new behavior:
Set the session token timeout in seconds (default 86100 seconds or approximately 24 hours):
./sacli --key "vpn.server.session_expire" --value <SECONDS> ConfigPut
./sacli start
Restore this value to the default by removing it:
./sacli --key "vpn.server.session_expire" ConfigDel
./sacli start
Change the mid-session TLS renegotiation period:
./sacli --key "vpn.tls_refresh.interval" --value <MINUTES> ConfigPut
./sacli start
Note
As of Access Server 2.9.3, the renegotiation default value is 60 minutes (1 hour). Previous versions used 360 minutes (6 hours). When you upgrade Access Server from an older version, the renegotiation value stays the same.
Restore this value to the default by removing it:
./sacli --key "vpn.tls_refresh.interval" ConfigDel
./sacli start
Important
If you set the value to an extremely high setting, such as 99999999999, it effectively disables the session token expiration. We advise against this. If you need a session that never requires authentication, use auto-login profiles instead, as they don't use session tokens.
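The following pre-flight check is an added example, not part of Access Server or of the original tutorial. It rejects malformed or effectively unlimited values, such as the 99999999999 case above, before the `sacli` commands from this page are run. The function names, return codes and the two ceiling values are assumptions chosen for illustration; it only prints the commands for review and executes nothing.

```shell
#!/usr/bin/env bash
# Added example, not OpenVPN tooling: vet session-token values before applying.

# Assumed local policy ceilings (not Access Server limits); adjust as needed.
MAX_SESSION_EXPIRE_S=$((7 * 24 * 3600))  # 7 days
MAX_TLS_REFRESH_MIN=360                  # the pre-2.9.3 default

# is_uint VALUE: true for a positive decimal integer without leading zeros.
is_uint() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
}

# over_limit VALUE LIMIT: true if VALUE exceeds LIMIT. Values longer than
# 9 digits are treated as over the limit without doing arithmetic on them.
over_limit() {
    [ "${#1}" -gt 9 ] || [ "$1" -gt "$2" ]
}

# check_settings EXPIRE_SECONDS REFRESH_MINUTES
# Returns: 0 ok, 1 malformed, 2 above a ceiling,
#          3 token would expire before the first TLS renegotiation, so the
#            user would be prompted again at that renegotiation.
check_settings() {
    is_uint "$1" && is_uint "$2" || return 1
    over_limit "$1" "$MAX_SESSION_EXPIRE_S" && return 2
    over_limit "$2" "$MAX_TLS_REFRESH_MIN" && return 2
    [ "$1" -ge $(($2 * 60)) ] || return 3
    return 0
}

# plan_commands EXPIRE_SECONDS REFRESH_MINUTES
# Prints the tutorial's sacli commands for review; it does not run them.
plan_commands() {
    check_settings "$1" "$2" || return $?
    printf './sacli --key "vpn.server.session_expire" --value %s ConfigPut\n' "$1"
    printf './sacli --key "vpn.tls_refresh.interval" --value %s ConfigPut\n' "$2"
    printf './sacli start\n'   # a single start applies both changes
}

# Demo with constructed inputs: the defaults pass, the huge value is refused.
plan_commands 86100 60
plan_commands 99999999999 60 || echo "rejected (code $?)"
```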