Access Server Admin Guide: Authentication Settings

About the Page

The Authentication: Settings page provides the configuration options for user authentication, whether against the local database or against external systems using PAM, RADIUS, LDAP, SAML, or a custom post-auth script.

Default Authentication System

Access Server provides six user authentication methods: local, PAM, RADIUS, LDAP, SAML, and PAS-only. Each has its own configuration requirements and keeps user credentials and permissions in a different database. Refer to the Authentication options and command-line configuration guide for advanced configuration from the command line.

Note: If you configure a cluster of Access Servers, user-specific settings for local authentication are stored in the MySQL database for the nodes.

Local

By default, Access Server uses local authentication. With local auth, Access Server stores user information in a SQLite database included in the package at: /usr/local/openvpn_as/etc/db/userprop.db

PAM

There are no configuration options for PAM authentication in the Admin Web UI. If you select PAM, the underlying OS manages the PAM user credentials.

RADIUS

To enable RADIUS, you must configure it under Authentication: RADIUS. For more details, refer to the RADIUS page.

LDAP

To enable LDAP, you must configure it under Authentication: LDAP. For more details, refer to the LDAP page.

SAML

To enable SAML, you must configure it under Authentication: SAML. For more details, refer to the SAML page.

PAS only

To enable post-auth-script-only authentication (PAS only), you must configure it with your own custom post_auth script. For more details, refer to the PAS-only authentication page.

Local User Passwords


Here you can configure password options for any users authenticating via the local authentication system:

  • Allow local users to change password: Determines whether your users can change their passwords in the Client Web UI.
  • Enforce strong passwords when changing: Determines whether users can set a password of any length they choose, or must meet the strong-password rules: at least eight characters, at least one digit, at least one uppercase letter, and at least one symbol from the set !@#$%&'()+,-/[\]^_{|}~<>.
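The strong-password rules above, encoded as a checker. This is an added example written for this page, not Access Server's own validation code: it implements the rules exactly as the list states them (minimum length, a digit, an uppercase letter, a symbol from the listed set) and is useful for pre-validating passwords in a provisioning script or for explaining to a user why a password was rejected. The sample passwords are constructed for the demonstration.

```python
import string

# Symbol set the Admin Web UI lists for "Enforce strong passwords when changing".
# As a Python literal the backslash inside the set has to be escaped.
STRONG_PASSWORD_SYMBOLS = "!@#$%&'()+,-/[\\]^_{|}~<>"
MIN_LENGTH = 8


def password_problems(password: str) -> list[str]:
    """Return the strong-password rules that `password` fails (empty list if it passes).

    Digits and uppercase letters are matched against the ASCII sets on purpose:
    str.isdigit() / str.isupper() also accept non-ASCII characters, and a
    pre-check that is looser than the server's would accept passwords the
    server then rejects.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in STRONG_PASSWORD_SYMBOLS for c in password):
        problems.append("no symbol from the allowed set")
    return problems


def is_strong(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Passw0rd!", "password1!", "Passw0rd*", "Ab1!"]:
        print(repr(candidate), "->", password_problems(candidate) or "OK")
```

Note the third sample: `*` is not in the listed symbol set, so "Passw0rd*" fails the symbol rule even though it looks strong, which is the kind of rejection users most often ask about.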

External User Registration

You can configure whether Access Server automatically registers users who authenticate successfully against the external authentication system you set as the default.

Deny access to unlisted accounts by default:

  • No: When a user authenticates successfully with the external system, Access Server grants access and automatically adds the user to the User Permissions table. This is the default setting.
  • Yes: When a user authenticates successfully with the external system but does not exist in Access Server’s User Permissions table, Access Server denies access. The User Permissions table therefore acts as an allow list of who may connect.

TOTP Multi-Factor Authentication

Time-based one-time passwords (TOTP) give you an added layer of login security when enabled. You can use the TOTP system of your choice to add multi-factor authentication for your Access Server users, such as Google or Microsoft Authenticator.

Enable TOTP MFA by setting the toggle to Yes and saving. Once enabled, your users enroll from the Client Web UI to scan a QR code or enter the enrollment code into a TOTP MFA app.

To enable TOTP MFA for specific users and groups, refer to User Permissions and Group Permissions.

Note: If you enable SAML authentication for any users or groups and require TOTP-based MFA, configure it at the IdP, not in Access Server. By design, TOTP MFA enabled in Access Server does not apply to the SAML authentication method.
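What the enrollment QR code and the authenticator app actually agree on is a shared secret plus the TOTP algorithm (RFC 6238 over HOTP, RFC 4226). The following is an added example written for this page, not Access Server's own MFA code: it generates the 6-digit, 30-second, HMAC-SHA1 codes that Google and Microsoft Authenticator produce by default, verifies a submitted code with a small clock-skew window, and builds the otpauth:// URI of the kind an enrollment QR code encodes. The secret is the public test secret from RFC 4226/6238, so the codes can be checked against the RFC test vectors; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # period the common authenticator apps assume
DIGITS = 6

# Shared secret from the RFC 4226 / RFC 6238 test vectors (public, for demonstration only).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = STEP_SECONDS, digits: int = DIGITS, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew),
    comparing in constant time. A real verifier must additionally remember the last
    accepted step per user and refuse a second use of the same code; that state is
    omitted here to keep the example self-contained."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def enrollment_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI of the kind encoded in an enrollment QR code (placeholder names)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    print(enrollment_uri("Example VPN", "alice", RFC_TEST_SECRET))
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_TEST_SECRET, code, now))
```

Because the code is derived from the server's clock, a device whose clock drifts by more than the verification window will enroll fine but never authenticate; a widening window trades that failure mode for a longer replay period, which is why the replay check noted in the docstring matters.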

Password Lockout Policy

The password lockout policy protects your server by locking a user account after repeated failed authentications. By default, the lockout triggers when a wrong password is entered five times consecutively within 15 minutes. You can change the number of allowed attempts and the lockout duration with these settings:

  • Failed attempts until lockout occurs: The number of incorrect password attempts a user may make before being locked out.
  • Lockout release timeout in seconds: How long, in seconds, a user stays locked out after reaching the failed-attempt limit (900 seconds = 15 minutes).
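To make the two settings concrete, here is a small model of the lockout policy. It is an added example written for this page, not Access Server's implementation, and it makes three assumptions about the behaviour described above: a failure counts towards the limit only if it happened within the last "lockout release timeout" seconds (the "within 15 minutes" window), a successful login clears the counter ("consecutively"), and a locked user is refused even with the correct password until the release timeout has elapsed. The login sequence in `demo()` is constructed; the clock is injectable so the run is deterministic.

```python
import time
from collections import defaultdict

# Defaults stated on the Authentication: Settings page.
FAILED_ATTEMPTS_UNTIL_LOCKOUT = 5
LOCKOUT_RELEASE_TIMEOUT_SECONDS = 900  # 15 minutes


class LockoutPolicy:
    """Per-user lockout after repeated failed authentications (illustrative model)."""

    def __init__(self, max_attempts=FAILED_ATTEMPTS_UNTIL_LOCKOUT,
                 timeout=LOCKOUT_RELEASE_TIMEOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.timeout = timeout
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(list)      # user -> timestamps of recent failures
        self._locked_until = {}                 # user -> time at which the lock releases

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Release timeout elapsed: clear the lock and the failure history.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'accepted', 'rejected' or 'locked'."""
        if self.is_locked(user):
            return "locked"                     # refused regardless of the password
        now = self.clock()
        if password_ok:
            self._failures.pop(user, None)      # success resets the consecutive count
            return "accepted"
        # Assumption: only failures inside the timeout window count towards the limit.
        recent = [t for t in self._failures[user] if now - t < self.timeout]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.timeout
            return "locked"
        return "rejected"


class FakeClock:
    """Controllable clock so the demo does not depend on wall time."""
    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Constructed sequence: 5 wrong passwords, the right one while locked, then release."""
    clock = FakeClock(1_000_000.0)
    policy = LockoutPolicy(clock=clock)
    outcomes = []
    for _ in range(4):
        outcomes.append(policy.attempt("alice", password_ok=False))
        clock.advance(10)
    outcomes.append(policy.attempt("alice", password_ok=False))   # 5th failure -> lock
    outcomes.append(policy.attempt("alice", password_ok=True))    # correct password, still locked
    clock.advance(LOCKOUT_RELEASE_TIMEOUT_SECONDS)                 # 900 s later the lock releases
    outcomes.append(policy.attempt("alice", password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The sixth outcome is the one worth noticing when tuning the settings: once the threshold is reached the account stays locked even for the legitimate user, so a low attempt count combined with a long release timeout is a denial-of-service lever as much as a brute-force control.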

Summary

The Authentication: Settings page provides a single place to choose the default authentication method and to configure local password rules, external user registration, TOTP MFA, and the password lockout policy.