Tutorial: How to Change the Authentication Mode in the Command-Line Interface

Abstract

Access Server supports local, PAM, LDAP, RADIUS, and SAML authentication modes you can set from the command line.

Overview

Access Server supports multiple authentication methods you can manage from the Admin Web UI or the command-line interface (CLI). This tutorial provides information about changing the authentication mode from the CLI.

Prerequisites

An installed Access Server.
Running the commands from the server's console and get root privileges from the /usr/local/openvpn_as/scripts/ directory.
RADIUS, LDAP, or SAML authentication configured before setting as the default mode.

Step 1: Set the authentication mode

Set the authentication mode:
```
./sacli --key "auth.module.type" --value "<MODE>" ConfigPut1
./sacli start
```
1
MODE can have these values: local; pam; radius; ldap; saml.

Important

Ensure you configure RADIUS, LDAP, or SAML before setting them as the authentication mode.

Step 2: Configure multiple authentication methods (optional)

Access Server 2.10 and newer supports multiple authentication methods. For instance, your admin users can sign in with credentials stored in the local database while your end users authenticate against an LDAP server. The above command sets the default authentication mode. You can allow LDAP, RADIUS, or SAML authentication for defined users or groups with the below commands:

Allow LDAP authentication for users and groups:

./sacli --key "auth.ldap.0.enable" --value "True" ConfigPut
./sacli start

Allow RADIUS authentication for users and groups:

./sacli --key "auth.radius.0.enable" --value "True" ConfigPut
./sacli start

Allow SAML authentication for users and groups:

./sacli --key "auth.saml.0.enable" --value "True" ConfigPut
./sacli start

In this section: