Skip to main content


You can extend Access Server's built-in authentication methods using a post-auth Python3 script to add additional user connection requirements, such as MFA or other custom checks. You can also use a post-auth script to implement your own custom authentication method. These post-auth script implementations are Access Server plugins.

This topic provides information about the different post-auth options and various post-auth scripts you can download from our site and customize for your system


What is a post-auth script?

Post-auth means post-authentication. It uses a custom Python3 script loaded into Access Server to add additional checks and challenges, such as hardware address checking or custom multi-factor authentication.


Access Server has a built-in TOTP MFA feature you can turn on right from the Admin Web UI. You follow this tutorial: Turn on TOTP multi-factor authentication.

These tutorials can help get you started with post-auth scripts:

Post-auth scripts available

You can follow the tutorials below to implement one of the various post-auth scripts available to customize authentication.

Table 1. Post-auth script tutorials

Hardware Address Registration

Tutorial: How to set up Hardware Address Checking with a Post-auth Script

  • Access Server requests a MAC address or UUID from the OpenVPN client to authenticate with hardware addresses after username and password.

  • The script supports automatic address registration by default.

  • It can also run in manual mode, in which you must manually add approved hardware addresses on the server for users and their devices.

PAS-only custom authentication script

Tutorial: Create a Custom Authentication System with a Python Script

  • Using a properly configured post-auth script, you can implement an entirely new custom authentication method in Access Server.

  • The script indicates that it doesn’t need the Access Server to handle authentication by setting the AUTH_NULL parameter to true and must then manage authentication in the script. You then set this authentication method for specific users or groups or as the default authentication method.

  • You can use the custom authentication method against any credential or authentication backend that Access Server doesn’t support out of the box.

LDAP group mapping script

Tutorial: How to Set Up LDAP Group Mapping with a Post-auth Script

  • You can assign users to Access Server groups so they inherit specific access rules and settings, a task you can automate using our LDAP group mapping script.

  • Suppose you assign users in your LDAP directory server to groups using the group membership property memberOf. In that case, you can use the memberOf property in a post-auth script when a user signs in to Access Server.

  • Based on rules you must define in the post-auth script, you can automatically have users in specified LDAP groups assigned to specified Access Server groups when they authenticate.

RADIUS group mapping script

Tutorial: How to Set Up RADIUS Group Mapping with a Post-auth Script

  • You can assign users to Access Server groups so they inherit specific access rules and settings, a task you can automate with the RADIUS group mapping script. You can also include other settings in the script based on particular RADIUS properties.

  • Users in a RADIUS server can be part of groups with specific properties set. The post-auth script reads and uses these properties to automatically apply group membership and other settings.

  • The post-auth script is primarily designed for Windows Server and mapping users to Access Server groups but may also work on other RADIUS solutions.

SAML group mapping script

Tutorial: How to Set Up SAML Group Mapping with a Post-auth Script

  • You can assign users to Access Server groups with specific access rules and other settings inherited from the group, a task you can automate with our SAML group mapping script.

  • Users in the SAML IdP can be part of groups. You must configure this property on the SAML IdP; we provide tutorials for configuring SAML, and this property is usually the group property you can use in the post-auth script when a user logs in at the Access Server.

  • Based on the rules you define in the post-auth script, you can automatically assign users in specified SAML groups to specified Access Server groups when they log in at the Access Server.

Duo 2FA

Tutorial: Add Duo Two-Factor Authentication to Access Server

  • You can integrate Access Server with Duo and add two-factor authentication options such as SMS, push notifications, Yubikey, etc.

  • If you use PAM, RADIUS, LDAP, or local authentication, you can use the provided post-auth script to integrate Duo Security into Access Server.

  • To set this up, you download the Duo Security post-auth script for OpenVPN Access Server from GitHub, add an API key obtained from Duo Security into the script in the appropriate section, and load the script into the Access Server.


If you use SAML authentication, you must integrate Duo Security into your SAML solution rather than using the custom script.

Restrict by IP address

Tutorial: Restrict by IP Address with the Post-auth IP Restrict Script

  • You can create a post-auth script restricting users based on their IP addresses.

  • The sample script automatically registers an IP address for a user when they first authenticate and restricts their access to the registered IP address.

  • Users are denied access if they sign in from a new IP address.

LastPass 2FA

OpenVPN Access Server VPN configuration for LastPass Universal Proxy

  • Integrate your server with LastPass's two-factor authentication solution.

External public key infrastructure

A plugin option separate from the post-auth function is Access Server's external public key infrastructure (PKI). This feature allows you to integrate Access Server with third-party tools for X509 PKI management instead of using the built-in certificate management capabilities.