How to add users to your OpenVPN Access Server using PAM

Introduction

You have the flexibility to configure user credential authentication for OpenVPN Access Server with the system that suits your needs. Access Server supports PAM, LDAP, RADIUS, and local authentication. For more details, refer to OpenVPN Access Server’s user authentication system.

This document provides an overview of using pluggable authentication modules (PAM) to authenticate Access Server users.

Connect to your server

You manage PAM authentication on the server, typically using the local user accounts in the operating system where you’ve installed Access Server. You can also use an authentication system on a separate server, as long as it’s reachable by Access Server.

To begin, connect to your server. This can be a direct connection from a terminal (for example, bash) or through an app like PuTTY. Connect as the root user or gain root privileges with sudo.

Add new users

Use the following commands for adding users on the server. For the sacli command, ensure you run it from the /usr/local/openvpn_as/scripts/ directory.

  1. Add a user:
    adduser <USERNAME>
    ./sacli --user <USERNAME> --key "type" --value "user_connect" UserPropPut
  2. Set the new user’s password or enter the user information as prompted (depending on your OS version):
    passwd <USERNAME>

Repeat the commands to add more users.
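The steps above as a batch script, added here as an example (it is not part of OpenVPN's own tooling). It assumes the Debian/Ubuntu adduser options --disabled-password and --gecos and calls sacli by its full path; valid_username, run, add_vpn_user, add_vpn_users and DRY_RUN are names made up for this example.

```shell
#!/bin/sh
# Added example: batch form of the adduser / sacli / passwd steps.
# Assumes Debian/Ubuntu adduser options and a root shell when DRY_RUN=0.
LC_ALL=C; export LC_ALL                   # make a-z match ASCII only
SACLI=/usr/local/openvpn_as/scripts/sacli # sacli location given on this page
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands, 0 = execute

# Accept only conservative login names (lowercase start, max 32 chars) so a
# value like "-x" or "a b" is never read as an option or split into words.
valid_username() {
  case $1 in
    ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Print the command in dry-run mode, otherwise execute it unchanged.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Create one OS account, mark it as a VPN user, then prompt for a password.
# Returns 2 for a rejected name and 3 if the account already exists.
add_vpn_user() {
  valid_username "$1" || { echo "rejected name: $1" >&2; return 2; }
  if id -u "$1" >/dev/null 2>&1; then
    echo "account already exists: $1" >&2; return 3
  fi
  run adduser --disabled-password --gecos "" "$1" || return 1
  run "$SACLI" --user "$1" --key "type" --value "user_connect" UserPropPut || return 1
  run passwd "$1"
}

# Process every name and return the number that failed.
add_vpn_users() {
  failed=0
  for name in "$@"; do
    add_vpn_user "$name" || failed=$((failed + 1))
  done
  return "$failed"
}

if [ "$#" -gt 0 ]; then add_vpn_users "$@"; fi
```

Run it with DRY_RUN=1 first to review the commands, then with DRY_RUN=0 as root. Because passwd still prompts interactively, no password ends up in the process list or shell history.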

For additional command-line tips for PAM, refer to Authentication options and command-line configuration.

Enable PAM for Access Server Authentication

You have two options for enabling PAM as the OpenVPN Access Server authentication: using the Admin Web UI or the command-line interface. We describe each in the sections below.

Enable PAM in Admin Web UI

You can enable PAM authentication using a graphical user interface (GUI) through the Admin Web UI for your OpenVPN Access Server. You can enable it as the default authentication (global), as the authentication for a group, or for individual users.

Enable PAM as the default authentication:

  1. Sign in to the Admin Web UI.
  2. Click Authentication > Settings.
  3. Under Default Authentication System, click PAM.
  4. Click Save Settings and Update Running Server.

OpenVPN Access Server now uses PAM for authentication.

Enable PAM as the group authentication:

  1. Sign in to the Admin Web UI.
  2. Click User Management > Group Permissions.
  3. Enter a new group name, or find the desired group in the existing list, and click More Settings.
  4. Click PAM for Configure user authentication method.
  5. Click Save Settings and Update Running Server.

Users assigned to that group (in the User Permissions page) now use PAM for authentication.

Enable PAM as a user’s authentication:

  1. Sign in to the Admin Web UI.
  2. Click User Management > User Permissions.
  3. Find the user as entered in the server’s user directory and click More Settings.
  4. Click PAM for Configure user authentication method.
  5. Click Save Settings and Update Running Server.

That user now uses PAM for authentication.

For more information, refer to the Access Server user manual page, Authentication: Settings.

Note: In older Access Server versions, you could enable PAM from Authentication > PAM, but this page no longer exists in the Admin Web UI. We always recommend using the latest Access Server version.

Enable PAM in the command-line interface

You can also manage PAM authentication with commands referred to on this page: Authentication options and command-line configuration.

How to set specific user permissions

After creating your users on your server, you can grant them specific permissions from the Admin Web UI.

You can grant administrative privileges, allow auto-login profiles, and more:

  1. Sign in to the Admin Web UI.
  2. Click User Management > User Permissions.
  3. From the User Permissions page, grant or revoke permissions for each user.

If you prefer to manage permissions with the command-line interface, refer to Managing user and group properties from command line.