Overview
Server-locked profiles can be useful on shared devices, such as computers in universities, libraries, or other public environments.
Unlike user-locked profiles, server-locked profiles don't include a unique client certificate for a specific user. Authentication for server-locked profiles relies on user credentials and, if enabled, TOTP multi-factor authentication (MFA).
Because server-locked profiles don't use client certificates, they provide a lower level of security than profiles that do.
Starting with Access Server 3.0.0, server-locked profiles are disabled by default on new installations to provide a more secure default configuration. If your Access Server was upgraded from an earlier version, server-locked profiles remain enabled, and no additional configuration is required.
If your deployment requires server-locked profiles, you can enable them using the Admin Web UI or the command-line interface (CLI).
Option 1: Enable server-locked profiles using the Admin Web UI
- Sign in to your Access Server Admin Web UI.
- Select VPN Server.
- Select Security / Encryption.
- Under OpenVPN client certificate requirements, turn on Allow VPN connections without client certificates (server-locked v2).
- Select Save and Restart.
Option 2: Enable server-locked profiles from the CLI
- Connect to the console and get root privileges.
- Run the following commands to enable server-locked profiles:
sacli --key "vpn.server.require_client_certificate" --value "false" ConfigPut
sacli start
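To confirm what a connecting user must present after this change, the added example below (not Access Server code) classifies the output of `sacli ConfigQuery`. It assumes that output is pretty-printed JSON with one "key": "value" string pair per line, that "true" is the opposite value of the key above, and that the global TOTP switch is the key `vpn.server.google_auth.enable`; per-user and per-group MFA settings are not examined.

```shell
#!/bin/sh
# Added example, not part of Access Server. Assumptions: `sacli ConfigQuery`
# prints one "key": "value" pair per line, and the global TOTP MFA switch is
# vpn.server.google_auth.enable (per-user/group overrides are not checked).

# Print the value of key $1 from the config JSON on stdin (empty if absent).
cfg_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # match the dots literally
    sed -n 's/^[[:space:]]*"'"$key"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Read the config JSON on stdin and report which factors protect VPN logins.
audit_profile_auth() {
    cfg=$(cat)
    cert=$(printf '%s\n' "$cfg" | cfg_value "vpn.server.require_client_certificate")
    mfa=$(printf '%s\n' "$cfg" | cfg_value "vpn.server.google_auth.enable")
    case "$cert" in
        false)
            if [ "$mfa" = "true" ]; then
                echo "server-locked enabled: credentials + TOTP"
            else
                echo "server-locked enabled: credentials only"
            fi ;;
        true) echo "client certificate required" ;;
        "")   echo "key not set: installation default applies" ;;
        *)    echo "unexpected value: $cert" ;;
    esac
}

# Constructed sample, used when sacli is not available on this host.
SAMPLE='{
  "vpn.server.port": "1194",
  "vpn.server.require_client_certificate": "false"
}'

if command -v sacli >/dev/null 2>&1; then
    sacli ConfigQuery | audit_profile_auth
else
    printf '%s\n' "$SAMPLE" | audit_profile_auth
fi
```

A result of "credentials only" means a password is the single factor for every server-locked profile, which is the case to review before leaving the setting enabled.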
Need help?
If you have questions, submit a support ticket.