Adding and Configuring Users
ON THIS PAGE
About the page
Once you have installed Access Server on your server, you’ll need to set up users with access. The Admin Web UI provides an admin a clean interface for managing access control for your users by adding or remove credentials, configuring rights for sub-networks, and managing privileges. This guide will step you through the process of adding and configuring users through the Admin Web UI.
Configuring User Authentication
Before adding or editing the user access, we advise that you configure your server’s method of authentication. Access Server supports four different protocols: Local, PAM, RADIUS, and LDAP. If you decide to use the local authentication or PAM, then you can simply continue through this guide. However, if you decide to authenticate using RADIUS or LDAP, you need to adjust some configuration settings in Access Server to properly authenticate. Please read our Admin Web UI manual pages for RADIUS or LDAP for detailed information. If you wish to configure these settings via the command line, please read our Authentication options and command line configuration guide.
Configuring VPN Network Settings
Before adding or editing the user access, make sure to configure the sever’s network settings. If you have use cases or requirements that users have static IP addresses or limited access to specific subnets, these must be properly configured. To learn how to configure these settings in the Admin Web UI, read the Configuration: Network Settings, Configuration: VPN Settings, and Configuration: Advanced VPN pages. If you are unsure of some of the networking concepts, or you simply need to review, please read Some basic networking concepts simplified article.
Add/Edit Users and Admins
The following steps explain how to add users and change their credentials. It is a brief overview to get you started. For more details, please read the User Management sections in Access Server Admin Web UI manual.
- Click User Management located in the blue side bar.
- Click User Permissions.
To add a new user, go to the last row in the table of users and click in the New Username text box:
- Enter desired username for the new account.
Configure the settings for the new user using the check boxes.
- Click the Admin checkbox to promote the user to an Admin.
- Click Allow Auto-login to allow the user profile to always attempt to maintain a connection to Access Server.
- Click the Deny Access checkbox to prevent the user profile from gaining access to the server.
- Click the Delete checkbox to remove the user profile from Access Server.
To add a password for the user profile:
- Click on the More Settings icon.
- In the field labeled Local Password, enter the new user password.
Edit User IP Addressing and Access Control
You can create more granular access control for a user profile once you’ve set them up with an account. The Admin Web UI makes it easy to grant or limit access to specific networks. These examples will provide you with ways you can configure a user profile for such use cases.
- You can choose whether users are dynamically assigned an IP address or have a static IP designated for their connection. When you assign a Static IP Address for a user, it must be within the network defined in Configuration: VPN Settings:
- You can choose to limit a user to one-directional traffic (NAT) or allow traffic from both the server and client (Routing). Simply choose which option you would like. For more information about the differences between NAT and Routing, please click here.
- To limit a user to specific networks, input the network into the Allow Access To these Networks text-box. The user will only be able to access these sub-networks when this is defined:
- The user profile can be configured as a VPN Gateway client. You will be required to define the specific subnets for which the client will serve as a Gateway. You will also need to enable the the setting Should clients be allowed to access network services on the VPN gateway IP address? which can be found in the Routing section of Configuration: VPN Settings. The image below shows an example of a user client defined as a Gateway client for a specific subnet:For more information about configuring a VPN Gateway, please read How to configure a host as a gateway for client side subnets.
- The DMZ settings will allow Access Server to permit traffic from the server to the client. The IP address, port, and service must be specified here. The image below shows how an Access Server node with the IP address of 192.168.102.111 can send traffic to the user client using the TCP protocol on port 80:
Save and Commit the Settings
You must save all changes in order to properly allow these changes to persist. To save all changes, click the Save Settings button to finalize all your changes:
Simply saving the settings will not guarantee that your changes will be updated in the server. If the changes are made in a configuration file that is not the Active Profile, these changes will not be applied until you have assigned the current configuration profile as the Active Profile.
Please read Tools: Profiles in this guide for more information about configuration profiles in the Admin Web UI.
The settings will not be applied immediately until access server has had a chance to restart the relevant components. You can do so by clicking Update Running Server button or by rebooting your server on the command line.
Concurrent Users and Licenses
Access Server allows up to two concurrent users to connect to the server without requiring licenses. These free connections are provided to test Access Server for a multitude of reasons. If you need more than two concurrent connections to your server, you will need to purchase a license here. For information about purchasing and activating a license, please read the Purchasing and activating a license key guide. For information about the License page on the Admin Web UI, please read the Configuration: Activation page of the OpenVPN Access Server Admin Web UI manual.
Connecting users to your server is one of the primary goals of setting up a VPN. The Admin Web UI makes adding and editing user profiles a quick and simple task. You have the capability to edit their status and grant access and privileges as long as the settings fall under the constraints defined by the server and the defined network.