User Management: User Permissions

About the Page

User Management: User Permissions is where you adjust all user configurations for Local Authentication. You can adjust users’ passwords, assign users to groups, grant or remove a user’s admin status, and ban users from the server. Configure your server’s Authentication before configuring any of the user permissions.

User Permissions

This page provides a table where you configure user permissions by checking a box. Under More Settings you’ll find additional configuration options for each user. To finalize any changes, click the Save Settings button; otherwise they are not saved.

Username

This column displays the username. On the last row in the table, you’ll find a text field, New Username, where you can input a new user. Whenever you add a new user, you must click the Save Settings button.

Group

All configured groups from User Management: Group Permissions are available from the drop-down menu. You may assign each user to a group or leave them without a default group. When a user is in a group, they inherit the configuration of the group, which includes admin access, auto-login, assigned IP addresses, access control, and client scripting.

Admin

Check this box to grant access to the Access Server Admin Web UI.

Allow Auto-login

Check this box to enable auto-login profiles. This is a client configuration that enables connecting to the VPN without authenticating with a password. This is useful for connecting Gateway Clients or machines that should always have a VPN connection.

Deny Access

Check this box to revoke a user’s privileges.

Delete

Check this box to delete a user record. Users with admin privileges cannot be deleted from the UI.

More Settings

More settings can be configured by clicking the edit icon. Many of these settings are user-specific, so they take precedence over any global settings.

Local Password

You can manage some password options for each user here. Enter the local password they will authenticate with when attempting to connect to the Access Server in the Password field. Below that, choose whether to allow password changes and/or enable password strength checking in the Client Web Server (CWS).

Allow password change from CWS:

  • Default = Inherit the group or global setting (defined in group permissions or in CWS settings).
  • Yes = user can change their password after logging in to the CWS.
  • No = user will not have an option to change their password and it must be managed by you or another administrator.

Enable password strength checking in CWS:

  • Default = Inherit the group or global setting as they are defined in group permissions and/or CWS settings.
  • Yes = user must create a new password that validates with these rules: must be at least 8 characters and must contain a digit, an uppercase letter, and a symbol from !@#$%&’()+,-/[\]^_{|}~<>.
  • No = user can create any password of any length that they choose.
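
The inheritance described on this page (group settings passed down to members, "Default" meaning inherit, user-level settings taking precedence) can be reasoned about offline. The Python below is an added example, not part of Access Server or its documentation: it resolves each user's effective settings and lists combinations an administrator may want to review. The field names, the sample data, and the treatment of every setting as inheritable are assumptions made for illustration.

```python
# Added example (illustrative field names, not Access Server's storage keys).
# None models the "Default" choice: inherit from the group, then global.
SETTINGS = ("admin", "autologin", "deny", "pwd_change", "pwd_strength")

def effective(user, groups, global_cfg):
    """Return {setting: (value, source)} with user > group > global precedence."""
    group = groups.get(user.get("group"), {})
    layers = (("user", user), ("group", group), ("global", global_cfg))
    out = {}
    for key in SETTINGS:
        out[key] = (False, "unset")          # nothing configured at any level
        for source, layer in layers:
            if layer.get(key) is not None:
                out[key] = (layer[key], source)
                break
    return out

def audit(users, groups, global_cfg):
    """Return {username: [finding, ...]} for accounts that deserve a review."""
    findings = {}
    for name, user in users.items():
        eff = effective(user, groups, global_cfg)
        if eff["deny"][0]:
            continue                         # access already revoked
        notes = []
        if eff["admin"][0] and eff["autologin"][0]:
            notes.append("admin with password-less auto-login")
        if eff["admin"] == (True, "group"):
            notes.append("admin inherited from group " + user["group"])
        if eff["pwd_change"][0] and not eff["pwd_strength"][0]:
            notes.append("can change password without strength checking")
        if notes:
            findings[name] = notes
    return findings

# Constructed sample data
GLOBAL = {"pwd_change": True, "pwd_strength": True}
GROUPS = {"ops": {"admin": True}, "gateways": {"autologin": True}}
USERS = {
    "alice": {"group": "ops", "autologin": True},
    "gw-branch1": {"group": "gateways", "pwd_change": False},
    "bob": {"group": None, "pwd_strength": False},
    "carol": {"group": "ops", "deny": True},
}

if __name__ == "__main__":
    for name, notes in audit(USERS, GROUPS, GLOBAL).items():
        print(name, "->", "; ".join(notes))
```
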

Select IP Addressing

There are two options for IP addressing: Static and Dynamic. Selecting dynamic will pull an address from the subnets configured in VPN Settings. If you select Use Static, a text box, VPN Static IP Address, displays. Enter the static IP address that will be assigned to the user when the VPN connection is made. It must be within the subnet defined in VPN Settings. To read how to properly define a static IP address for your users, refer to the Assigning a static VPN client IP address to a user guide.

Access Control

You can define the routing for a specific user’s client here and grant access to specific subnets. Doing so at the user level will take precedence over any global settings. Routing is globally configured on VPN Settings or can be inherited from Group Permissions.

Allow Access From

This setting allows you to configure user access from server-side subnets and from other VPN clients. 

VPN Gateway

You can configure a user to act as a gateway for the VPN server. This allows users from the VPN to access local machines and services on the LAN that the VPN Gateway sits on. By clicking Yes, a text box displays where you enter the subnets that the client will serve as a gateway for.

DMZ Settings 

This setting allows you to permit traffic from the Access Server to the client on a specific port using a specific service.

Configuring User Permissions on the Command Line

User settings can also be managed from the command line. For example, to add a new user named “newuser”, navigate to /usr/local/openvpn_as/scripts, a directory that should be present on the server where you installed Access Server. Then execute the script with the following parameters:

root@vpn:/usr/local/openvpn_as/scripts# ./sacli --user newuser --key type -v user_connect UserPropPut

Please click here if you would like more information about command line configuration.

Summary

User Management: User Permissions allows the admin to easily configure user-specific settings. It gives you control over which users have access to the web server, the types of routing the individual clients use, the authentication of the user, and much more. It is also possible to configure user settings on the command line on the server where Access Server is installed. The following section is very similar; in it you will be able to configure permissions at the Group level.