Skip to main content

Tutorial: How to Add Users to Your Access Server Using PAM

Abstract

Add VPN users for Access Server using pluggable authentication modules (PAM) on your Linux OS.

Overview

You can configure user credential authentication for Access Server with the system that suits your needs. Access Server supports PAM, LDAP, RADIUS, SAML, and local authentication. For more details, refer to the authentication system topic.

This topic provides an overview of using pluggable authentication modules (PAM) to authenticate Acess Server users.

Prerequisites

  • An installed Access Server.

  • Console access and the ability to get root access.

Step 1: Connect to your server

You manage PAM authentication on the server, typically using the local user accounts in the operating system where you’ve installed Access Server. You can also use an authentication system on a separate server, as long as it’s reachable by Access Server.

  1. Connect to your server.

    • This can be a direct connection, using a terminal or bash, or using an app like PuTTY.

  2. Connect as a root user or gain root privileges with sudo.

Step 2: Add new users

  1. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  2. Add a user:

    adduser <USERNAME>
./sacli --user <USERNAME> --key "type" --value "user_connect" UserPropPut

  3. Set the new user’s password or enter the user information as prompted (depending on your OS version):

    passwd <USERNAME>

  4. Repeat the commands to add more users.

For additional command-line tips for PAM, refer to Tutorial: Manage the PAM Authentication Method from the Command-line Interface.

Step 3: Enable PAM for Access Server authentication

You have two options for enabling PAM as the Access Server authentication: using the Admin Web UI or the command-line interface. We describe each in the sections below.

Note

In older Access Server versions, you could enable PAM from Authentication > PAM, but this page no longer exists in the Admin Web UI. We always recommend using the most updated Access Server version.

Enable PAM in the Admin Web UI

You can enable PAM authentication using a web-based interface through the Admin Web UI for your Access Server. You can enable it as the default (global) authentication, for a group, or for individual users.

Enable PAM as the default authentication

  1. Sign in to the Admin Web UI.

  2. Click Authentication > Settings.

  3. Under Default Authentication System, click PAM.

    • Access Server now uses PAM for authentication.

Enable PAM as the group authentication

  1. Sign in to the Admin Web UI.

  2. Click User Management > Group Permissions.

  3. Enter a group name or find the desired group from the existing list.

  4. Click More Settings.

  5. Click PAM for Configure user authentication method.

    • Users assigned to that group (in the User Permissions page) now use PAM for authentication.

Enable PAM as a user's authentication

  1. Sign in to the Admin Web UI.

  2. Click User Management > User Permissions.

  3. Find the user as entered in the server's user directory.

  4. Click More Settings.

  5. Click PAM for Configure user authentication method.

    • That user now uses PAM for authentication.

Enable PAM in the command-line interface

You can also manage PAM authentication with commands referred to on this tutorial: Tutorial: Manage the PAM Authentication Method from the Command-line Interface.

Step 4: Set specific user permissions

After creating your users on your server, you can grant them specific permissions from the Admin Web UI.

You can grant administrative privileges, allow auto-login profiles, etc:

  1. Sign in to the Admin Web UI.

  2. Click User Management > User Permissions.

  3. From the User Permissions page, grant or revoke permissions for each user.

In this section:
See also: