How is user authentication and management handled?

OpenVPN Access Server supports many authentication systems: local, LDAP, RADIUS, SAML, and PAM.

These are the five available authentication systems:

  • Local: The built-in, local authentication system.
  • LDAP: Lightweight directory access protocol for querying user information from tools such as Active Directory, OpenLDAP, and others.
  • RADIUS: Remote authentication dial-in user service protocol for authenticating remote users in a system such as JumpCloud, Okta, and others.
  • SAML: Security assertion markup language using XML to transfer identity data from a system such as Azure AD, OneLogin, and others.
  • PAM: Pluggable authentication modules, a centralized authentication in Linux where you manage the user accounts in the operating system of the server where you’ve installed Access Server.

Local authentication

Local authentication is the default system. Local relies on a built-in database to store user data. You manage your users, groups, and preferences in the Admin Web UI or the command-line interface.

LDAP, RADIUS, SAML, and PAM authentication

You can configure OpenVPN Access Server to authenticate against external authentication systems using LDAP, RADIUS, SAML, or PAM.

Many directory services work with LDAP, RADIUS, and SAML, just as Access Server does. You can configure Access Server to authenticate against the directory service with your preferred protocol. We provide guides on our site to help with the setup for many common providers. However, our guides don’t cover all possible scenarios and providers.

LDAP:

RADIUS:

SAML:

PAM: 

Mixed authentication

You can mix authentication systems, such as creating a VPN admin user authenticating against the local database while your users authenticate against an identity provider configured with SAML.

For more details, refer to OpenVPN Access Server’s user authentication system.