Tutorial: Manage Token URLs from the Command-line Interface
What is the authentication token URL for VPN clients? Learn how to work with this Access Server feature.
Overview
A new feature introduced with Access Server 2.11 is the token URL. It is a method of providing a connection profile to a user’s OpenVPN client. This document provides details and some use cases.
This tutorial shows how to work with token URLs from the command-line interface (CLI).
An installed Access Server.
Console access and the ability to get root access.
Sign in to the Access Server console and get root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Run commands from the following sections for user, auto-login, and server-locked profiles. Refer to the Connections Profiles topic to read about the differences.
Run this command to generate a user-profile token URL:
./sacli --user <USER> AddProfileToken
The command adds a new token and provides the URL to download the profile, for example:
Added token, import URL openvpn://import-profile/https://123.456.78.90/rest/GetProfileViaToken?token=VKIn2qMCyGHgOjBVstqbh1foSNnsUBhK
You can now paste the token URL into a browser, and a message pops up asking to open OpenVPN Connect.
OpenVPN Connect confirms you want to import a profile from the provided domain.
When confirmed, OpenVPN Connect imports the profile for your user.
Run the command appropriate for your Access Server version to generate an auto-login user profile:
Access Server 2.12 and newer:
./sacli --user <USER> --profile_type="autologin" AddProfileToken
Access Server 2.11.x and older:
./sacli --user <USER> --token_profile="autologin" AddProfileToken
If the user has auto-login permissions, the command adds a new token and provides the URL to download the profile.
Note
If the user doesn't have auto-login permissions, the command returns an error message stating, "need autologin."
Run the command appropriate for your Access Server version to generate a server-locked profile:
Access Server 2.12 and newer:
./sacli --user <USER> --profile_type="server-locked" AddProfileToken
Access Server 2.11.x and older:
./sacli --user <USER> --token_profile="server-locked" AddProfileToken
Use the provided URL to download the server-locked profile.
Run this command to generate a token URL with a specific expiration time:
./sacli --user <USER> --token_expire="1200" AddProfileToken
The command adds a new token that expires 1200 minutes after creation and provides the URL to download the profile.
If a user enters the URL in their browser after the expiration, the browser still prompts them to open OpenVPN Connect and import the profile, but they then receive an error. You can find an error message in your log stating that the token isn’t in the database.
Run this command to generate a token URL that can be used a specified number of times:
./sacli --user <USER> --token_usage_count="3" AddProfileToken
The command adds a new token with three allowable usages and provides the URL to download the profile.
Each time a user downloads a profile with the provided URL, the usage number counts down until it reaches zero, and you can no longer use the token to download a profile.
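Added example, not part of the original tutorial or of Access Server's own tooling: a wrapper that applies both limits from the two sections above to a new token and writes only a redacted URL to the log, since the URL itself carries the token. The function names are hypothetical, and passing --token_expire and --token_usage_count in a single call is an assumption, because the tutorial shows them separately.

```bash
#!/usr/bin/env bash
# Added example: issue limited profile tokens and keep token values out of logs.

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"   # path from this tutorial

# Pull the import URL out of the "Added token, import URL ..." line.
# Returns 1 if the line is absent, not https-backed, or has an empty token.
extract_import_url() {
    local url
    url=$(printf '%s\n' "$1" |
        sed -n 's|^Added token, import URL \(openvpn://import-profile/https://[^[:space:]]*\)$|\1|p' |
        head -n 1)
    case "$url" in
        *'/rest/GetProfileViaToken?token='?*) printf '%s\n' "$url" ;;
        *) return 1 ;;
    esac
}

# Replace the token value so the URL is safe to write to a log or ticket.
redact_import_url() {
    printf '%s\n' "$1" | sed 's/\(token=\)[^&[:space:]]*/\1<redacted>/'
}

# Issue a token for user $1 that expires after $2 minutes (default 15)
# and allows $3 downloads (default 1).
# Assumption: both flags may be combined in one AddProfileToken call.
issue_limited_token() {
    local user="$1" minutes="${2:-15}" uses="${3:-1}" out url n
    [ -n "$user" ] || { echo "usage: issue_limited_token USER [MIN] [USES]" >&2; return 2; }
    for n in "$minutes" "$uses"; do
        case "$n" in
            ''|*[!0-9]*) echo "limits must be whole numbers" >&2; return 2 ;;
        esac
    done
    out=$("$SACLI" --user "$user" --token_expire="$minutes" \
        --token_usage_count="$uses" AddProfileToken) || return 1
    url=$(extract_import_url "$out") || { echo "no import URL in output" >&2; return 1; }
    # stderr gets the redacted form; stdout carries the real URL for delivery.
    echo "issued $(redact_import_url "$url") user=$user ttl=${minutes}m uses=$uses" >&2
    printf '%s\n' "$url"
}
```

Run it as root on the Access Server host, for example `issue_limited_token <USER> 30 1`, and hand the printed URL to the user over a private channel.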
Run this command to list the current profile tokens:
./sacli ListProfileTokens
You should see any newly generated tokens in the list. The list includes the token, type, usages, expiration, and username — only currently valid tokens display.
Once a token expires, you must issue a new token, and the expired token won’t be in the list anymore.
Run the command to list the current profile tokens (above).
From the token list, copy the generated token you want to delete.
Run this command, replacing <token> with the copied token from the list:
./sacli --id <token> DeleteProfileToken
The token is deleted.