Authentication: General

About the Page

Authentication: General gives you the choice of four different options for user authentication. Local, PAM, RADIUS, and LDAP authentication are all available to configure for Access Server.


Authenticating Users

Access Server provides four network protocols for authenticating users. Each of these varies in configuration requirements, and depending on the protocol chosen you will need to configure other settings. Each protocol has its own database containing the user permissions and credentials. For more information about these protocols and how to configure them on the server's command line, read our Authentication options and command line configuration guide.

NOTE: If you have the Access Server configured as a Cluster, user-specific settings (all settings for local authentication) will be stored in the MySQL database that you provided.


By default, Access Server uses Local authentication. With Local auth, Access Server stores user information in a SQLite database included in the package at: /usr/local/openvpn_as/etc/db/userprop.db


There are no configuration options for PAM authentication. If you select PAM, the underlying OS will manage the PAM user credentials. However, there is a page reserved for PAM. Its only purpose is to enable the Access Server to use PAM authentication.


To use RADIUS, you must define two settings after selecting it here. You can configure which RADIUS method to use and you can add the server information. For more details, see the RADIUS page.


LDAP allows you to configure authentication over the Lightweight Directory Access Protocol (LDAP) and integrate with other user management systems. For more details, see the LDAP page.

Google Authenticator

You can enable authentication with Google Authenticator (GA) by choosing Yes. GA is a time-based one-time password authentication system that requires users to provide a single, one-time password with their other credentials in order to gain access to the server. It adds an additional layer of security.


When you click Yes, then Save Settings and Update Running Server, an additional step is enabled when clients log in to the CWS. After users enter their VPN credentials, they will be required to authenticate with a random, one-time password generated by GA. The user will need to download the GA mobile app on their mobile device, or use a GA browser extension.

When a user logs in to the CWS, they will be redirected to an additional page prior to accessing the client and profile downloads.


This page provides a QR code the user must scan with either the mobile app or the browser extension. After scanning, GA will provide the user with a 6-digit code they can enter before clicking Confirm Code to complete the login.

For more information about configuring Google Authenticator, please read Google Authenticator multi-factor authentication.
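
The QR code and 6-digit code described above follow the standard time-based one-time password scheme (RFC 6238). The following is an added example, not code from Access Server: it shows how a shared secret carried in an otpauth:// URI yields the 6-digit code and how a verifier can tolerate clock drift and reject a reused code. The sample URI, the account name, the function names, the drift window and the replay tracking are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
SAMPLE_URI = ("otpauth://totp/ExampleVPN:alice?secret="
              "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleVPN")

def secret_from_uri(uri):
    """Extract the Base32 shared secret that the QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore padding that apps often strip
    return base64.b32decode(secret)

def totp(key, at, step=30, digits=6):
    """RFC 6238 code: HOTP (RFC 4226) over the 30-second time counter."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, submitted, at, window=1, last_counter=-1):
    """Return the matched time counter, or None if the code is rejected.

    window accepts codes from adjacent time steps (clock drift);
    last_counter is the counter of the last accepted code (replay guard).
    """
    current = int(at) // 30
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue  # this time step was already used for a login
        expected = totp(key, counter * 30)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print("current code:", totp(key, time.time()))
```

The secret inside the QR code is the whole second factor, so anyone who captures the QR image or the stored secret can generate valid codes.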


Authentication: General is where you choose the authentication method for users.