
Using X.509 Attributes in Post-Authentication Scripts

Abstract

OpenVPN's Access Server supports using X.509 certificate attributes to make policy decisions during login.

Access Server supports using X.509 certificate attributes within a post-authentication script (PAS) to make policy decisions during login. This allows administrators to evaluate certificate fields — such as subject attributes, extensions, or custom fields — and apply custom access logic before a VPN session is established.

With X.509-based logic in a post-authentication script, you can:

  • Allow or deny connections based on certificate attributes.

  • Apply role or group assignments dynamically.

  • Enforce organization-specific certificate policies.

  • Validate certificate metadata beyond standard authentication checks.

The evaluation occurs during the post-authentication hook, after Access Server has completed its standard certificate validation (chain, signature, and validity period) but before the VPN session is fully established. The script adds policy on top of that validation; it does not replace it. If the defined conditions are not met, the script can deny the connection or adjust the session properties it is permitted to set, such as the connection group.

Important

X.509 attribute enforcement is implemented using a custom post-authentication script. Administrators are responsible for correctly parsing certificate data and defining secure validation logic. Treat missing, malformed, or unexpected certificate data as a denial rather than a pass: an improperly implemented script can either lock out legitimate users or grant access the certificate policy was meant to prevent.
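The flow described above, as an added example that is not OpenVPN's own code: a Python post-authentication script that parses the client certificate's subject DN, enforces an organization policy, maps the OU to a connection group, and denies on anything unexpected (the fail-closed behaviour the Important note asks for). It assumes the hook signature post_auth(authcred, attributes, authret, info) and the authret keys status, reason and conn_group used by Access Server post-auth scripts, that SUCCEED and FAIL can be imported from pyovpn.plugin inside the server (local fallback constants are used when run stand-alone), and that the subject arrives as an RFC 4514 string under the placeholder key info['x509_subject']. The real attribute name and the exact authret keys must be taken from the Access Server documentation for your release; the policy values and sample logins are constructed for the example.

```python
# Added example, not OpenVPN's code. Assumptions (hypothetical): the hook
# signature post_auth(authcred, attributes, authret, info) and the authret keys
# 'status', 'reason', 'conn_group'; SUCCEED/FAIL from pyovpn.plugin inside the
# server; the subject DN delivered under the placeholder key info['x509_subject'].
try:
    from pyovpn.plugin import SUCCEED, FAIL   # real constants inside Access Server
except ImportError:                          # stand-alone run outside the server
    SUCCEED, FAIL = 0, 1

# Organization-specific policy (constructed values for this example).
REQUIRED_ORG = "Example Corp"
DENIED_OUS = {"contractors"}
OU_TO_GROUP = {"engineering": "eng-vpn", "ops": "ops-vpn"}


def parse_dn(dn):
    """Parse an RFC 4514 DN string into {attribute_type: [values]}.

    Types are lower-cased. Backslash escapes are honoured, so a CN such as
    'mallory\\,OU=engineering' stays one CN value instead of smuggling an
    extra OU into the result. RFC 4514 hex escapes (\\2C) are not decoded.
    """
    attrs, key, buf = {}, None, []
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:        # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and key is None:       # end of the attribute type
            key = "".join(buf).strip().lower()
            if not key:
                raise ValueError("empty attribute type in %r" % dn)
            buf = []
        elif c in ",+":                    # end of an RDN or multi-valued RDN part
            if key is None:
                raise ValueError("RDN without '=' in %r" % dn)
            attrs.setdefault(key, []).append("".join(buf).strip())
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    if key is not None:
        attrs.setdefault(key, []).append("".join(buf).strip())
    elif "".join(buf).strip():
        raise ValueError("RDN without '=' in %r" % dn)
    return attrs


def evaluate_subject(subject, username):
    """Apply the policy to a parsed subject; return (status, reason, group).
    Every unexpected shape denies, so the script fails closed."""
    cns = subject.get("cn", [])
    orgs = subject.get("o", [])
    ous = [v.lower() for v in subject.get("ou", [])]
    if len(cns) != 1 or len(orgs) != 1:
        return FAIL, "subject must carry exactly one CN and one O", None
    if cns[0] != username:
        return FAIL, "certificate CN does not match the authenticated username", None
    if orgs[0] != REQUIRED_ORG:
        return FAIL, "certificate was not issued to %s" % REQUIRED_ORG, None
    if DENIED_OUS.intersection(ous):
        return FAIL, "organizational unit is not permitted to use the VPN", None
    groups = sorted({OU_TO_GROUP[ou] for ou in ous if ou in OU_TO_GROUP})
    if len(groups) != 1:
        return FAIL, "subject OU must map to exactly one connection group", None
    return SUCCEED, "certificate policy satisfied", groups[0]


def post_auth(authcred, attributes, authret, info):
    """Post-authentication hook (assumed Access Server signature, see above)."""
    if authret.get("status") != SUCCEED:   # never upgrade a failed primary auth
        return authret
    dn = (info or {}).get("x509_subject")   # placeholder key, see header comment
    if not dn:
        authret["status"], authret["reason"] = FAIL, "no certificate subject available"
        return authret
    try:
        subject = parse_dn(dn)
    except ValueError as exc:
        authret["status"], authret["reason"] = FAIL, "unparseable subject: %s" % exc
        return authret
    status, reason, group = evaluate_subject(subject, authcred.get("username", ""))
    authret["status"], authret["reason"] = status, reason
    if status == SUCCEED:
        authret["conn_group"] = group       # dynamic group assignment from the OU
    return authret
```

To exercise it outside the server, call post_auth with a constructed login, for example post_auth({"username": "alice"}, {}, {"status": SUCCEED}, {"x509_subject": "CN=alice,OU=Engineering,O=Example Corp"}), and inspect the returned status, reason and conn_group. The parser is the part worth getting right: a naive split on commas would turn a CN of mallory\,OU=Engineering into an extra OU attribute and hand the subject a group it was never issued.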