Authentication
The Authentication section lets you choose how users verify their identity when connecting to Access Server. You can select the default authentication system, enable MFA, configure lockout policies, and set up integrations with external identity providers.
This section contains five tabs:
General Settings
Local
LDAP
RADIUS
SAML
Access Server provides six user authentication methods: Local, PAM, RADIUS, LDAP, SAML, and PAS-only. Each has its own configuration requirements and its own user database holding user permissions and credentials.
Important
If you configure an Access Server cluster, user-specific settings for local authentication are stored in the MySQL database for the nodes.
Method | Description |
Local | By default, Access Server uses local authentication. With local auth, Access Server stores user information in a SQLite database included in the package at: /usr/local/openvpn_as/etc/db/userprop.db. |
PAM | There are no configuration options for PAM authentication in the Admin Web UI. If you select PAM, the underlying OS manages the PAM user credentials. |
RADIUS | To enable RADIUS, you must configure it under the RADIUS tab. |
LDAP | To enable LDAP, you must configure it under the LDAP tab. |
SAML | To enable SAML, you must configure it under the SAML tab. |
PAS only | To enable post-auth-script-only authentication (PAS only), you must configure it with your own custom post-auth script. For more details, see the documentation on PAS-only authentication. |
⚙️ General Settings
Set up default authentication behavior and security policies for your Access Server deployment.
Default authentication system: Select which authentication method will be used by default: Local, LDAP, RADIUS, SAML, PAM or PAS Only.
Require MFA: Toggle multi-factor authentication (MFA) on or off for added login security.
Important
If you enable SAML authentication for any users or groups and require MFA, ensure you configure it with the IdP and not with Access Server. By design, it won’t work to enable MFA in Access Server with the SAML authentication method.
Password lockout policy: Protect against brute-force login attempts:
Failed attempts until lockout occurs: Enter the number of failed login attempts allowed before a user is locked out.
Lockout release timeout in seconds: Enter how long the user will remain locked out before they can try again.
External authentication user registration: Toggle this setting to control whether Access Server creates user entries in the database for externally authenticated users.
On: A user must exist in both the Access Server's local user database and the external server (e.g., LDAP or SAML) to sign in.
Off: If the external server successfully authenticates a user, Access Server will automatically create a user entry in the database.
🔐 Local
Configure settings for local authentication, where user credentials are stored within Access Server.
Password Management:
Allow local users to change password: Toggle whether users can change their passwords via the Client Web UI.
Enforce strong passwords when changing: Enforce complexity rules for passwords during changes.
🧬 LDAP
Enable and configure LDAP authentication to use an external directory service such as Active Directory.
Enable LDAP authentication: Toggle this to enable or disable LDAP as an authentication option.
Important
You can't set LDAP as the default authentication under General Settings until you've configured LDAP and enabled this toggle.
LDAP Settings:
Connect to LDAP servers with SSL: This setting establishes a secure, SSL-protected connection to the LDAP server(s) for all LDAP operations.
Make account names case-sensitive: This setting determines whether usernames are matched case-sensitively during authentication.
Note
If you set case-sensitive to On, each sign-in with a username that differs only in case (for example admin, Admin, or ADMIN) creates a separate user in Access Server.
Re-verify auto-login user on connect: When enabled, this setting ensures that Access Server re-verifies the user’s presence in the LDAP directory each time they connect using an auto-login profile. If disabled, a user who previously matched an LDAP account and downloaded an auto-login profile could continue connecting—even if their account has since been removed from the LDAP directory.
LDAP Servers:
Primary server: Define the primary LDAP server, either as a hostname or IP address.
Secondary server: (Optional) Define the secondary LDAP server. If present, Access Server attempts to communicate with the secondary server if the connection to the primary server fails.
Authentication: Choose whether to bind anonymously or with credentials.
Authenticate with username/password for initial bind: Toggle on to bind using credentials and enter the Bind DN (username) and Password.
Base DN for user entries: Define the starting point (base distinguished name) in the directory for user searches.
Username attribute: Specify the attribute used for matching usernames (e.g., sAMAccountName or uid).
LDAP filter: Optionally provide a filter to narrow search results. You can also use it to require membership in a particular LDAP group (specified by its group DN) for all users permitted to authenticate to Access Server.
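As an added example (not from the Access Server documentation or code), the following Python builds the kind of search filter the username attribute and LDAP filter settings describe: the username match combined with an administrator-supplied clause such as a memberOf condition naming the required group DN, with the submitted login name escaped per RFC 4515 so that characters like `*` or `)` cannot change the filter's meaning. The attribute names and group DN are assumed values.

```python
# Added example, not Access Server code. Builds the LDAP search filter for a
# login attempt: the username-attribute match, optionally AND-ed with the
# administrator's "LDAP filter" text (e.g. a memberOf clause naming a group DN).
# The login name is escaped per RFC 4515 so it cannot alter the filter logic.

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username_attr: str, username: str, extra_filter: str = "") -> str:
    """
    Return the filter used to locate the user entry under the Base DN.
    username_attr: the configured username attribute (e.g. sAMAccountName or uid).
    extra_filter:  the administrator's optional LDAP filter, which must itself be
                   a complete, parenthesised filter expression.
    """
    user_clause = "(%s=%s)" % (username_attr, escape_filter_value(username))
    if not extra_filter:
        return user_clause
    return "(&%s%s)" % (user_clause, extra_filter)


if __name__ == "__main__":
    # Assumed group DN; "vpnusers" is a constructed example, not a real directory.
    group_filter = "(memberOf=CN=vpnusers,OU=Groups,DC=example,DC=com)"
    print(build_user_filter("sAMAccountName", "alice", group_filter))
    # A login name containing filter metacharacters is neutralised by escaping:
    print(build_user_filter("uid", "*)(uid=*", group_filter))
```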
📡 RADIUS
Configure RADIUS authentication using one or more RADIUS servers.
Caution
Be aware that auto-login profiles don’t trigger RADIUS authentication and RADIUS accounting requests. The first time a user signs in to download an auto-login connection profile, they can authenticate against the RADIUS server, but after that, auto-login connection profiles authenticate using only a certificate and bypass the RADIUS server's credential-based authentication.
Enable RADIUS authentication: Toggle this to enable or disable RADIUS as an authentication option.
Important
You can't set RADIUS as the default authentication under General Settings until you've configured RADIUS and enabled this toggle.
RADIUS settings:
Enable RADIUS accounting reports: When turned on, Access Server sends accounting requests to the RADIUS server via the accounting port.
Account names are case-sensitive: This setting determines whether usernames are matched case-sensitively during authentication.
Note
If you set case-sensitive to On, each sign-in with a username that differs only in case (for example admin, Admin, or ADMIN) creates a separate user in Access Server.
RADIUS server: For each server, provide:
Hostname or IP Address: Specify the hostname or IP address for each RADIUS server.
Shared secret: Specify the shared secret. You must configure the RADIUS server with the same shared secret.
Authentication port: Define the UDP port to which Access Server sends RADIUS authentication requests. The default port is 1812.
Accounting port: Define the port where the RADIUS protocol listens for accounting requests. The default port is 1813, and the accounting port is only required when you enable RADIUS accounting.
Verify message authenticator attribute: Whether to verify the integrity and authenticity of RADIUS messages from the RADIUS server. The Message-Authenticator attribute carries a 16-byte HMAC-MD5 over the entire RADIUS packet, keyed with the shared secret, so a matching value shows that the packet hasn't been tampered with and came from a party that knows the secret.
Note
Refer to your RADIUS provider documentation for more about this attribute.
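As an added example (not Access Server's own code), the following Python performs the check this setting describes on a reply packet, following RFC 2869: the HMAC-MD5 keyed with the shared secret is computed over the packet with the attribute's 16 value bytes zeroed and the Authenticator field replaced by the Request Authenticator of the matching Access-Request. The shared secret and the sample Access-Accept are constructed for the example.

```python
# Added example, not Access Server code: verifies the Message-Authenticator
# (attribute type 80) of a RADIUS reply. Per RFC 2869 it is HMAC-MD5 keyed
# with the shared secret over the packet with the 16 value bytes zeroed and,
# for replies, the Authenticator field set to the Request Authenticator.
import hashlib
import hmac

MSG_AUTH = 80        # Message-Authenticator attribute type
ACCESS_ACCEPT = 2

def _find_msg_auth(packet: bytes):
    """Return (start, end) of the Message-Authenticator value, or None if absent/malformed."""
    pos = 20                                   # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None                        # malformed length: refuse rather than guess
        if attr_type == MSG_AUTH:
            return (pos + 2, pos + attr_len) if attr_len == 18 else None
        pos += attr_len
    return None

def expected_msg_auth(packet: bytes, secret: bytes, request_auth: bytes, span) -> bytes:
    """HMAC-MD5 over the packet with the Request Authenticator and a zeroed attribute value."""
    buf = bytearray(packet)
    buf[4:20] = request_auth                   # replies are signed over the request's authenticator
    buf[span[0]:span[1]] = b"\x00" * 16
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def verify_msg_auth(packet: bytes, secret: bytes, request_auth: bytes) -> bool:
    """True only if a well-formed Message-Authenticator is present and matches."""
    span = _find_msg_auth(packet)
    if span is None:
        return False
    return hmac.compare_digest(packet[span[0]:span[1]], expected_msg_auth(packet, secret, request_auth, span))

def build_access_accept(identifier: int, secret: bytes, request_auth: bytes) -> bytes:
    """Constructed sample Access-Accept carrying a valid Message-Authenticator (test data only)."""
    attrs = bytes([MSG_AUTH, 18]) + b"\x00" * 16
    header = bytes([ACCESS_ACCEPT, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    draft = header + request_auth + attrs
    mac = expected_msg_auth(draft, secret, request_auth, (22, 38))
    attrs = bytes([MSG_AUTH, 18]) + mac
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs
```

A reply whose attribute is missing, truncated, computed with a different secret, or bound to a different Request Authenticator fails the check, which is why the attribute must be enabled on the RADIUS server side as well.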
RADIUS authentication method: Choose the protocol used for authentication: PAP, CHAP, MS-CHAP v2.
Tip
We recommend using CHAP or MS-CHAP v2. In some situations, using PAP is as secure as the former methods, such as if your VPN doesn’t need to send its traffic over the internet or if you deploy the RADIUS server or agent on the same host where Access Server is running.
🔐 SAML
Set up SAML authentication for identity provider (IdP)-based single sign-on (SSO).
Enable SAML authentication: Toggle this to enable or disable SAML as an authentication option.
Important
You can't set SAML as the default authentication under General Settings until you've configured SAML and enabled this toggle.
SAML Settings
Hostname: The hostname is the Access Server hostname as a service provider. The default is the server's hostname. You can optionally set this to a different, SAML-specific hostname.
Service Provider (SP) identity and URL: Provide this information for Access Server as your Service Provider to the IdP.
AuthNRequest
Send ForceAuthn: Requests the IdP to re-authenticate the user each time.
Send AuthnContexts: Sends context classes such as PasswordProtectedTransport.
VPN authentication timeout (seconds): This timeout determines how long the SAML session is valid. The default is 180 seconds.
Configure Identity Provider (IdP)
Click Configure using metadata URL/file to fetch IdP settings from a remote URL or an uploaded metadata file.
Or enter the IdP settings manually:
IdP Entity ID: Enter the identity provider issuer or identifier.
SSO (Single Sign-On) Endpoint: Enter the identity provider's single sign-on URL or login URL.
Log-out Endpoint (optional): Enter the optional log-out URL.
Certificate (PEM format): Enter the IdP certificate as text.
SP Certificate and key (optional): Optionally provide a certificate and private key for signing SAML requests from Access Server's service provider.