I was recently asked to look at an existing road-warrior OpenVPN implementation, and see how it could be improved to differentiate network access levels per-user. Some users should have basic access, some should have access to their department's privileged systems, some should have usual department accesses plus temporary specific access to a customer system for setup and upgrades. Fun!
In computer security parlance, this is an authorization issue. Authentication is working, we know who you are, we don't know yet what you should have access to.
Users on this network is stored in LDAP, and the third-party OpenVPN Auth-LDAP plugin is used for authentication. RADIUS is not used anywhere, and adding it to the mix would add complexity and, strangely, not seem to gain us much - the third-party OpenVPN Radiusplugin only does authentication and accounting, and not really the "third A".
The Auth-LDAP plugin has some *BSD-specific code for interacting with PF. I considered rewriting that code to match requirements, but it's written in a pretty unfamiliar language (Objective-C) and has a number of limitations. A user can only be a member of one group (first-match) and group membership can only give access to one set of resources.
Thankfully, OpenVPN has lots of hooks for scripting. Perl hacking will ensue in next installment. Until then.