
Host Checking with Post-Authentication Scripts in Access Server

Abstract

OpenVPN's Access Server supports host checking using a post-authentication script and a host-checker query file.

Access Server supports host checking using a post-authentication script (PAS) and a host-checker query file. This allows administrators to verify specific conditions on a client device before establishing the VPN session.

With host checking enabled, Access Server can evaluate information provided by the client system, such as:

  • Operating system details.

  • Installed software or processes.

  • System configuration attributes.

  • Custom-defined host properties.

Host checking can be used to:

  • Enforce device compliance policies.

  • Restrict access to managed or approved systems.

  • Require specific security software to be present.

  • Apply conditional access rules based on endpoint characteristics.

These checks are performed during the post-authentication hook, after the user has authenticated but before the VPN session is fully established. If the client device does not meet the defined requirements, the connection can be denied.

Important

Host checking is implemented using a custom post-authentication script and query configuration. Administrators are responsible for defining and maintaining the validation logic. Improper configuration may unintentionally block legitimate users or fail to enforce intended security requirements.
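The deny-on-failure decision described above, and the two failure modes the Important note warns about, as an added example that is not Access Server's own code or script API: a stand-alone Python function that evaluates client-reported host properties against a policy. The property names, policy values and sample hosts are constructed for illustration; wiring the function into a post-authentication script is not shown.

```python
# Added example: stand-alone decision logic, not Access Server's script API.
# Property names, policy values and sample hosts are constructed.
POLICY = {
    "allowed_os": {"windows", "macos"},
    "min_os_version": {"windows": (10, 0, 19045), "macos": (14, 0)},
    "required_processes": {"edr-agent"},
}

SAMPLE_HOSTS = {
    "compliant": {"os_name": "Windows", "os_version": "10.0.19045",
                  "processes": ["EDR-Agent", "explorer"]},
    "outdated": {"os_name": "macOS", "os_version": "13.6",
                 "processes": ["edr-agent"]},
    "short_version": {"os_name": "macos", "os_version": "14",
                      "processes": ["edr-agent"]},
    "silent": {},  # client reported nothing at all
}


def parse_version(text):
    """Return a tuple of ints, or None if the value is not dotted numbers."""
    try:
        return tuple(int(part) for part in str(text).split("."))
    except ValueError:
        return None


def evaluate_host(props, policy=POLICY):
    """Return (allow, reasons). A missing or malformed property fails closed."""
    reasons = []
    os_name = str(props.get("os_name", "")).strip().lower()
    if os_name not in policy["allowed_os"]:
        reasons.append("operating system not approved: " + (os_name or "not reported"))
    else:
        minimum = policy["min_os_version"][os_name]
        version = parse_version(props.get("os_version", ""))
        if version is None:
            reasons.append("operating system version missing or malformed")
        else:
            # Pad "14" to (14, 0) so a short but valid version is not rejected.
            version += (0,) * (len(minimum) - len(version))
            if version < minimum:
                reasons.append("operating system version below minimum")
    procs = props.get("processes")
    running = {str(p).lower() for p in procs} if isinstance(procs, (list, tuple, set)) else set()
    for name in sorted(policy["required_processes"] - running):
        reasons.append("required software not running: " + name)
    return (not reasons, reasons)
```

The `short_version` and `silent` sample hosts cover both directions of misconfiguration: a naive tuple comparison would block a legitimate client reporting `14`, and a check that skips absent properties would admit a client that reports nothing.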