
Tutorial: Setting Up Zero Trust Network Access (ZTNA) with Access Server

Abstract

Implement a Zero Trust VPN model using Access Server. Verify each access attempt to reduce risk and protect your network's sensitive resources.

Overview

Zero Trust Network Access (ZTNA) is a modern security model that enforces “never trust, always verify” for every connection request. Instead of granting broad network access, a Zero Trust VPN setup restricts access to specific applications or resources based on user identity, device posture, and context. In this tutorial, you’ll learn how to configure Access Server to implement ZTNA principles by using modern authentication methods, granular access policies, and network segmentation.

  • Access Server installed and running (version 2.11.0 or later is recommended).

  • Administrative access to the Admin Web UI.

  • A modern authentication method configured (e.g., SAML, RADIUS, or LDAP), with multi-factor authentication (MFA) if desired.

  • A segmented network environment with clearly defined resources.

  • A supported VPN client such as OpenVPN Connect for testing.

  • Basic knowledge of networking concepts (e.g., the OSI model, IP addressing).

  • Objective: Recognize that ZTNA requires verifying every access attempt and enforcing strict policies for each user and device.

  • Action: Document your applications and resources that need protection and identify the user groups requiring access.

Configure modern user authentication:

  1. Sign in to the Admin Web UI.

  2. Click Authentication > Settings.

  3. Choose your preferred method (SAML, RADIUS, or LDAP) and configure the necessary IdP details (e.g., Metadata URL, callback settings).

  4. Enable multi-factor authentication (MFA) to add an extra layer of security during login.

    Tip

    Access Server supports built-in MFA. You can also integrate MFA through your IdP or via plugins that use a post-authentication Python script.

Create user groups and define access policies:

  1. Create user groups based on roles or departments (e.g., Finance, HR, IT).

  2. Configure group access control to assign a specific access policy to each group.

    • Define which resources or applications each group can access.

    • Configure restrictions, such as allowed IP ranges.

In Access Server, you can enhance Zero Trust enforcement by using post-authentication scripts to automate access control decisions dynamically. Here are three key ways to extend zero trust with post-auth scripting:

1. Automate group mapping for SAML, LDAP, or RADIUS users

You can dynamically assign users to groups based on their directory attributes when using SAML, LDAP, or RADIUS authentication.

Tutorials:

How it works:

  1. The post-auth script reads user attributes from the authentication response.

  2. It maps users to Access Server groups automatically.

Why it's useful:

  • Ensures users only have access to the resources they need.

  • Eliminates manual group assignments, reducing administrative overhead.

Example: If an LDAP user belongs to the "Finance" department, the script can automatically place them in the "Finance" VPN group with specific access policies.

2. Enforce device identity verification with hardware registration

You can enforce device-based identity verification by requiring users to register their devices before connecting.

Tutorial:

How it works:

  1. The hardware registration post-auth script captures each device's unique identifier (MAC address or UUID).

  2. Access is only granted if the device matches the one registered to the user.

Why it's useful:

  • Prevents unauthorized devices from accessing the VPN, even if login credentials are compromised.

  • Strengthens zero trust by requiring both user identity and device identity.

Example: A user signing in from an unregistered laptop will be denied access, even if their credentials are correct.

3. Implement location-based zero trust access

You can restrict access based on IP location, blocking logins from unknown or unauthorized locations.

Tutorial:

How it works:

  1. The IP address registration post-auth script stores known safe IP addresses for each user.

  2. The connection is denied or flagged if a login attempt comes from an unrecognized IP.

Why it's useful:

  • Prevents unauthorized access from untrusted locations.

  • Mitigates the risk of credential phishing, where an attacker signs in with stolen credentials from a location the user has never used.

Example: A user signing in from a known office location is granted access, but a login attempt from another country is blocked.

How to implement these post-auth scripts

To set up these advanced controls in Access Server, refer to the tutorial for each post-auth script; each of them follows these overall steps:

  1. Download the relevant post-auth script from OpenVPN's repository.

  2. Modify the script based on your authentication provider and security policies.

    Integrating multiple post-auth scripts

    Access Server loads only one post-authentication script at a time.

    • If you need to integrate multiple post-auth functions (e.g., group mapping, hardware registration, and IP-location checks), you must combine them into a single Python script.

    • Structure the logic within that single script so that every check runs, and runs in the intended order, for each authentication.

  3. Load the script into Access Server using the sacli tool.

  4. Restart Access Server to apply the changes.

By consolidating multiple post-auth functions into a single script, you can ensure Access Server compatibility and fully implement zero-trust access controls.
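The following is an added illustration, not OpenVPN's own post-auth script, of what a single combined script's decision logic looks like for the three controls described above (group mapping, device registration, and known-IP checks). The function name, the `authcred`, `attributes`, `authret` and `client_info` dictionaries, the `HWADDR` key and the `SUCCEED`/`FAIL` codes are assumptions about the post-auth interface; the policy tables are constructed stand-ins for the per-user properties the real scripts store.

```python
# Added example (not OpenVPN's code): three Zero Trust checks consolidated into
# one post-auth function, as Access Server loads only a single script.
SUCCEED, FAIL = 0, 1  # assumption: status codes used by post-auth scripts

# Constructed policy data. In a real deployment these come from Access Server
# user properties populated by the registration scripts, not from literals.
DEPT_TO_GROUP = {"Finance": "Finance", "HR": "HR", "IT": "IT"}
REGISTERED_DEVICES = {"alice": "00:11:22:33:44:55"}       # user -> MAC/UUID
KNOWN_IPS = {"alice": {"203.0.113.10"}}                     # user -> safe IPs


def post_auth_cr(authcred, attributes, authret, client_info, crstate):
    """Deny on the first failed check; on success, assign the directory group.

    authcred: {'username', 'client_ip_addr'}   (assumed keys)
    attributes: directory attributes from SAML/LDAP/RADIUS (here 'department')
    client_info: {'HWADDR': <device identifier>} (assumed key)
    """
    username = authcred.get("username", "")
    # Only post-process logins the authentication backend already accepted.
    if authret.get("status") != SUCCEED:
        return authret

    # 1. Device identity: the presenting hardware must match the registered one.
    device = client_info.get("HWADDR", "").lower()
    registered = REGISTERED_DEVICES.get(username)
    if registered is None or device != registered.lower():
        authret["status"] = FAIL
        authret["reason"] = "device is not registered to this user"
        return authret

    # 2. Location: the client IP must be one previously recorded for the user.
    client_ip = authcred.get("client_ip_addr", "")
    if client_ip not in KNOWN_IPS.get(username, set()):
        authret["status"] = FAIL
        authret["reason"] = "login from an unrecognized IP address"
        return authret

    # 3. Group mapping: department attribute -> Access Server group.
    # Policy choice (default deny): a department with no mapped group is refused
    # rather than silently landing in the default group.
    group = DEPT_TO_GROUP.get(attributes.get("department"))
    if group is None:
        authret["status"] = FAIL
        authret["reason"] = "no access policy defined for this department"
        return authret
    authret["conn_group"] = group
    return authret
```

The order matters: device and location are verified before any group is assigned, so a caller that fails an earlier check never reaches the resource-granting step.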

  • Objective: Restrict access to sensitive resources by segmenting your network.

  • Action:

    1. Use Access Server's built-in routing and ACL features to limit network paths.

    2. Example: Configure firewall rules or ACLs to allow only the "Finance" group to access internal finance servers on specific subnets.

  1. Simulate network access:

  2. Verify expected behavior:

    • Confirm that only authorized users can access designated resources (e.g., only those in the "Finance" group can access internal finance servers).

    • Attempt unauthorized access to ensure it's blocked.

  3. Review logs:

    • Check Access Server logs to verify that the correct authentication methods and policies are being enforced.

Ensure you refine, review, and document your new ZTNA setup:

  1. Refinement: Based on testing feedback, adjust authentication settings, access policies, and network segmentation rules.

  2. Ongoing Review: Regularly review and update user groups, policies, and MFA settings so your security keeps pace with changes in users, devices, and resources.

  3. Documentation: Maintain documentation of your ZTNA configuration for future audits and troubleshooting.